Out-of-bounds write in wifi driver function hdd_extscan_start_fill_bucket_channel_spec (CVE-2016-8421)

Release Date:

February 14, 2017

Affected Projects:

Android for MSMFirefox OS for MSMQRD Android

Advisory ID:

QCIR-2017-00011-1

CVE ID(s):

CVE-2016-8421

Summary:

Currently when processing an EXTSCAN vendor command the "num buckets" attribute is limit checked and if it exceeds a MAX value then a warning message is issued. But beyond that the "num buckets" attribute is not used. Instead when the buckets are actually parsed the number of buckets is calculated dynamically based upon the number of attributes present in the request. Unfortunately when the bucket attributes are parsed there is no check to make sure the number of buckets processed does not exceed the MAX value, and as a result a buffer overflow can occur.

Access Vector: Local

Security Risk: Medium

Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

• CVE-2016-8421: https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=383394e25409d99fa55de6793ae2b32fddad3072

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact: