Out-of-bounds write in wlan driver at function __wlan_hdd_cfg80211_set_ext_roam_params (CVE-2017-0443)
Release Date:
May 1, 2017
Affected Projects:
Android for MSM, Firefox OS for MSM, QRD Android
Advisory ID:
QCIR-2017-00027-1
CVE ID(s):
CVE-2017-0443
Summary:
The following security vulnerabilities have been identified:
CVE-2017-0443
When processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues:
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
- QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a list of BSSIDs. However there is no validation that the number of BSSIDs provided won't overflow the destination buffer. In addition there is no validation that the number of BSSIDs actually provided matches the number of BSSIDs expected.
Access Vector: Local
Security Risk: High
Affected Versions:
All Android releases from CAF using the Linux kernel
Patch:
We advise customers to apply the following patches:
Individual Patches
CVE-2017-0443:
- https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f1081e78eff75ca665c662493736b17cb792b46d
- https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a4c5eefd5dd761445784963f3b6605d24d2bc3af
Acknowledgement:
This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.
Revisions:
Initial revision
Contact:
security-advisory@quicinc.com