Out-of-bounds write in wifi driver function hdd_extscan_epno_fill_network_list (CVE-2016-8420)

Release Date:

February 14, 2017

Affected Projects:

Android for MSM Firefox OS for MSM QRD Android

Advisory ID:

QCIR-2017-00012-1

CVE ID(s):

CVE-2016-8420

Summary:

The following security vulnerabilities have been identified: CVE-2016-8420 Currently when processing an EPNO vendor command the "num networks" attribute is limit checked and if it exceeds a MAX value then it is reset to that MAX value. This value is then used to calculate the size of the buffer allocated to hold the internal representation of the request. However later when the network attributes are parsed there is no check to make sure the number of networks processed does not exceed the (possibly modified) "num networks" used to allocate memory, and as a result a buffer overflow can occur.

Access Vector: Local

Security Risk: Medium

Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

CVE-2016-8420: https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=c6597e015a7ce5ee71d3725fc55e64fc50923f4e

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial

Contact:

security-advisory@quicinc.com