Multiple Vulnerabilities In MSM QDSP6 Audio Driver Allow Kernel Memory Corruption (CVE-2016-2064, CVE-2016-2065, CVE-2016-2066)

Release Date:

June 6, 2016

Affected Projects:

Android for MSMFirefox OS for MSMQRD Android

Advisory ID:

QCIR-2016-00010-3

CVE ID(s):

CVE-2016-2064CVE-2016-2065CVE-2016-2066

Summary:

CVE-2016-2064 The 'values' array is read in a loop using 'num_commands' as max bound. However, 'num_commands' is fully controlled by user-space and not checked against the actual size of the 'values' array. This could lead to buffer over-read. Vulnerability: CWE-129 (Improper Validation of Array Index) --- CVE-2016-2065 The 'updt_params' pointer is incremented in a loop and used for memory writes. However, there is no max bound check on the 'updt_params' pointer. So this could lead to kernel memory corruption. Vulnerability: CWE-129 (Improper Validation of Array Index) --- CVE-2016-2066 The unsigned 'idx' variable is cast to signed value before a check on the max bound. This allows a large value to pass this check and could lead to memory overflow. Vulnerability: CWE-192 (Integer Coercion Error)

Access Vector: Local
Security Risk: High
Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

 

 

Acknowledgement:

This issue has been reported to Google by an external researcher. We thank Google for bringing this issue to our attention. We also thank Seven Shen from Trend Micro Mobile Threat Research Team who discovered the issue independently.

Revisions:

Initial revision Revision 1.2 - The description field has been updated so each CVE has {Access Vector, Security Risk, Vulnerability, Affected Versions} fields. Revision 1.3 – Update acknowledgement section.

Contact:

security-advisory@quicinc.com