Out-of-bounds write in wlan driver at function __wlan_hdd_cfg80211_set_ext_roam_params (CVE-2017-0443)

Release Date:

May 1, 2017

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2017-00027-1

CVE ID(s):

CVE-2017-0443

Summary:

The following security vulnerabilities have been identified:

CVE-2017-0443

When processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues:

QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID

Both of these commands have a "number of BSSIDs" attribute as well as a list of BSSIDs. However there is no validation that the number of BSSIDs provided won't overflow the destination buffer. In addition there is no validation that the number of BSSIDs actually provided matches the number of BSSIDs expected.

Access Vector: Local
Security Risk: High
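The two checks the summary describes as missing, shown in a stand-alone user-space C model. This is an added example, not the driver's code and not the patch referenced by this advisory. The names copy_bssid_list, struct bssid_list, demo_dst and sample, and the MAX_BSSIDS value, are assumptions, and a flat byte buffer stands in for the nested netlink attributes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BSSID_LEN  6
#define MAX_BSSIDS 4   /* assumed capacity of the destination array */

struct bssid_list {
    uint32_t count;
    uint8_t  bssid[MAX_BSSIDS][BSSID_LEN];
};

/* Constructed sample payload: five back-to-back 6-byte BSSIDs. */
static const uint8_t sample[5 * BSSID_LEN] = {
    0x02,0,0,0,0,1,  0x02,0,0,0,0,2,  0x02,0,0,0,0,3,
    0x02,0,0,0,0,4,  0x02,0,0,0,0,5,
};
static struct bssid_list demo_dst;   /* hypothetical destination buffer */

/* Copy `declared` BSSIDs into dst. Returns 0, or -EINVAL with dst untouched. */
int copy_bssid_list(struct bssid_list *dst, uint32_t declared,
                    const uint8_t *payload, size_t payload_len)
{
    if (!dst || (!payload && payload_len))
        return -EINVAL;
    /* Check 1: the declared count must fit the destination buffer. */
    if (declared > MAX_BSSIDS)
        return -EINVAL;
    /* Check 2: the entries actually supplied must match the declared count. */
    if (payload_len % BSSID_LEN || payload_len / BSSID_LEN != declared)
        return -EINVAL;
    memset(dst, 0, sizeof(*dst));
    if (declared)
        memcpy(dst->bssid, payload, (size_t)declared * BSSID_LEN);
    dst->count = declared;
    return 0;
}

int main(void)
{
    printf("4 declared, 4 supplied: %d\n", copy_bssid_list(&demo_dst, 4, sample, 24));
    printf("5 declared, 5 supplied: %d\n", copy_bssid_list(&demo_dst, 5, sample, 30));
    printf("4 declared, 2 supplied: %d\n", copy_bssid_list(&demo_dst, 4, sample, 12));
    return 0;
}
```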

Affected Versions:

All Android releases from CAF using the Linux kernel

Patch:

We advise customers to apply the following patches:

Individual Patches

CVE-2017-0443:

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com