Stack-based buffer overflow in acdb audio driver (CVE-2013-2597)
Release Date:
June 21, 2013
Affected Projects:
Android for MSM, Firefox OS for MSM, QRD Android
Advisory ID:
QCIR-2013-00002-1
CVE ID(s):
CVE-2013-2597
Summary:
The following security vulnerability has been identified in the acdb audio driver.
CVE-2013-2597: The acdb audio driver provides an ioctl system call interface through which user space clients communicate with it. When the ioctl handler processes its arguments, it uses a size supplied by user space as the number of bytes to copy from user space into a local stack buffer, without proper bounds checking. An application with access to the /dev/msm_acdb device file (audio or system group) can use this flaw to, e.g., elevate privileges.
Access Vector: Local
Security Risk: Medium
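The pattern described in the summary, next to the bounds check that closes it, as an added example (not the driver's code and not the referenced patch). It is a user-space model: `demo_copy_from_user`, `DEMO_STACK_WORDS`, the handler names and the size-then-payload request layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_STACK_WORDS 16 /* hypothetical capacity of the on-stack buffer */

/* Stand-in for the kernel's copy_from_user(): returns the number of bytes NOT copied. */
static unsigned long demo_copy_from_user(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* Flawed pattern from the summary: the caller-chosen size goes straight into the copy. */
long demo_ioctl_unchecked(const uint8_t *uarg)
{
    uint32_t data[DEMO_STACK_WORDS];
    uint32_t size;
    if (demo_copy_from_user(&size, uarg, sizeof(size)))
        return -EFAULT;
    /* BUG: size may exceed sizeof(data), so this copy can run past the stack buffer. */
    if (demo_copy_from_user(data, uarg + sizeof(size), size))
        return -EFAULT;
    return (long)data[0];
}

/* Hardened form: reject any size the local buffer cannot hold before copying. */
long demo_ioctl_checked(const uint8_t *uarg)
{
    uint32_t data[DEMO_STACK_WORDS];
    uint32_t size;
    if (demo_copy_from_user(&size, uarg, sizeof(size)))
        return -EFAULT;
    if (size == 0 || size > sizeof(data) || size % sizeof(uint32_t) != 0)
        return -EINVAL;
    if (demo_copy_from_user(data, uarg + sizeof(size), size))
        return -EFAULT;
    return (long)data[0];
}

int main(void)
{
    uint8_t req[sizeof(uint32_t) + 4096] = {0}; /* constructed oversized request */
    uint32_t size = 4096;
    memcpy(req, &size, sizeof(size));
    printf("checked handler returned %ld\n", demo_ioctl_checked(req));
    return 0;
}
```

The checked handler compares against `sizeof(data)` rather than a separately maintained constant, so the limit follows the buffer if its declaration changes.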
Affected Versions:
All Android releases from CAF using the Linux kernel from the following heads: msm-3.*, jb*, ics*, gingerbread*
Patch:
We advise customers to apply the following patch:
- releases that use sound/soc/msm/qdsp6v2/audio_acdb.c
https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=abd0d7da5cab6057dba752486e347b9d568e5f58
- releases that use arch/arm/mach-msm/qdsp6v2/audio_acdb.c
https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=76fb3e419e2b149292c3adf1e9171e2b542831bf
Acknowledgement:
This issue was first disclosed by @fi01_IS01 in a public exploit. Qualcomm Innovation Center, Inc. (QuIC) additionally thanks Xuxian Jiang, who independently discovered this vulnerability, for reporting the issue and working with QuIC to help improve Android device security.
Revisions:
Initial revision