Out of range pointer offset in __qseecom_send_modfd_resp (CVE-2016-3931)

Release Date:

October 3, 2016

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2016-00045-1

CVE ID(s):

CVE-2016-3931

Summary:

The following security vulnerabilities have been identified:

CVE-2016-3931: The resp_len and resp_buf_ptr of qseecom_send_modfd_listener_resp are not checked, so if a userspace application sets resp_len to be larger than the buffer size, a write occurs outside the buffer.

Access Vector: Local
Security Risk: High
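
The class of check whose absence the summary describes, as an added example; this is not the code from the referenced patch or from the driver. The structs, the function name `resp_in_bounds` and all values are assumptions made for illustration; only the field names `resp_buf_ptr` and `resp_len` come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model: the buffer the client registered with the driver. */
struct shared_region {
    uintptr_t base;  /* start address of the registered buffer */
    size_t    len;   /* its size in bytes */
};

/* Assumed model of the caller-supplied response descriptor; only the two
 * field names come from the advisory. */
struct listener_resp {
    uintptr_t resp_buf_ptr;
    size_t    resp_len;
};

/* True only if [resp_buf_ptr, resp_buf_ptr + resp_len) lies entirely inside
 * the registered region. The comparison is done on the remaining space
 * (len - offset) rather than on ptr + len, so an oversized resp_len cannot
 * wrap the address arithmetic and slip past the check. */
bool resp_in_bounds(const struct shared_region *r,
                    const struct listener_resp *resp)
{
    if (r == NULL || resp == NULL)
        return false;
    if (resp->resp_buf_ptr == 0 || resp->resp_len == 0)
        return false;
    if (resp->resp_buf_ptr < r->base)
        return false;                      /* starts before the buffer */

    size_t off = (size_t)(resp->resp_buf_ptr - r->base);
    if (off >= r->len)
        return false;                      /* starts at or past the end */
    return resp->resp_len <= r->len - off; /* must fit in what remains */
}

int main(void)
{
    /* Constructed values, not taken from any real device. */
    struct shared_region region = { 0x1000, 0x100 };
    struct listener_resp ok  = { 0x1080, 0x80 };
    struct listener_resp bad = { 0x1080, 0x81 };

    printf("in-range request accepted: %d\n", resp_in_bounds(&region, &ok));
    printf("oversized request accepted: %d\n", resp_in_bounds(&region, &bad));
    return 0;
}
```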

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

    • CVE-2016-3931: https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e80b88323f9ff0bb0e545f209eec08ec56fca816

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention. We also thank Seven Shen from Trend Micro Mobile Threat Research Team who discovered the issue independently.

Revisions:

Initial

Contact:

security-advisory@quicinc.com