Use-after-free due to race condition when processing IOCTLs in qdsp6v2 (CVE-2016-6791 CVE-2016-8391 CVE-2016-8392)

Release Date:

December 6, 2016

Affected Projects:

Android for MSM
Firefox OS for MSM
QRD Android

Advisory ID:

QCIR-2016-00071-1

CVE ID(s):

CVE-2016-6791
CVE-2016-8391
CVE-2016-8392

Summary:

The following security vulnerabilities have been identified:

CVE-2016-6791: When the AUDIO_REGISTER_ION / AUDIO_DEREGISTER_ION ioctls are processed in parallel with the AUDIO_ASYNC_WRITE ioctl, a use-after-free can occur.

CVE-2016-8391: When the AUDIO_REGISTER_ION / AUDIO_DEREGISTER_ION ioctls are processed in parallel with the AUDIO_ASYNC_READ ioctl, a use-after-free can occur.

CVE-2016-8392: When the AUDIO_REGISTER_ION / AUDIO_DEREGISTER_ION ioctls are processed in parallel with the AUDIO_GET_EVENT ioctl, a use-after-free can occur.
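The three CVEs share one root cause: an ioctl handler looks up a registered ION buffer, drops the lock, and keeps using the pointer while a concurrent deregister ioctl frees it. The user-space model below is an added example written for this advisory; it is not the qdsp6v2 driver code or the CAF patch, and every name in it (ion_region, region_get, region_put, region_lookup_unsafe, regions_freed) is hypothetical. It shows the unreferenced lookup that leaves a dangling pointer next to the reference-counted lookup that keeps the buffer alive until the in-flight operation releases it.

```c
/* Added example (hypothetical names; not the CAF/qdsp6v2 driver): a
 * user-space model of a registered-buffer list with a racy lookup and a
 * reference-counted lookup side by side. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a registered ION buffer. refcount is protected by registry_lock. */
struct ion_region {
    int id;
    int refcount;
    char data[64];
    struct ion_region *next;
};

static struct ion_region *registry_head;
static pthread_mutex_t registry_lock = PTHREAD_MUTEX_INITIALIZER;
static int regions_freed;   /* counts real frees so the outcome is observable */

/* AUDIO_REGISTER_ION analogue: the list itself holds one reference. */
int region_register(int id) {
    struct ion_region *r = calloc(1, sizeof *r);
    if (!r) return -1;
    r->id = id;
    r->refcount = 1;
    pthread_mutex_lock(&registry_lock);
    r->next = registry_head;
    registry_head = r;
    pthread_mutex_unlock(&registry_lock);
    return 0;
}

/* Drop one reference; free only when the last one is gone. Lock must be held. */
static void region_put_locked(struct ion_region *r) {
    if (--r->refcount == 0) {
        free(r);
        regions_freed++;
    }
}

/* AUDIO_DEREGISTER_ION analogue: unlink the region and drop the list's reference.
 * Any operation still holding its own reference keeps the memory alive. */
int region_deregister(int id) {
    pthread_mutex_lock(&registry_lock);
    for (struct ion_region **pp = &registry_head; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct ion_region *r = *pp;
            *pp = r->next;
            region_put_locked(r);
            pthread_mutex_unlock(&registry_lock);
            return 0;
        }
    }
    pthread_mutex_unlock(&registry_lock);
    return -1;
}

/* Racy pattern: the lookup is locked, but no reference is taken, so the
 * pointer is dangling as soon as a concurrent deregister runs. */
struct ion_region *region_lookup_unsafe(int id) {
    pthread_mutex_lock(&registry_lock);
    struct ion_region *r = registry_head;
    while (r && r->id != id) r = r->next;
    pthread_mutex_unlock(&registry_lock);
    return r;
}

/* Hardened pattern: take a reference under the lock; the caller must pair
 * it with region_put() when the async read/write/event work is done. */
struct ion_region *region_get(int id) {
    pthread_mutex_lock(&registry_lock);
    struct ion_region *r = registry_head;
    while (r && r->id != id) r = r->next;
    if (r) r->refcount++;
    pthread_mutex_unlock(&registry_lock);
    return r;
}

void region_put(struct ion_region *r) {
    pthread_mutex_lock(&registry_lock);
    region_put_locked(r);
    pthread_mutex_unlock(&registry_lock);
}

/* AUDIO_ASYNC_WRITE analogue using the hardened lookup. A deregister is
 * issued in the middle to model the race window; the copy stays safe because
 * this function holds its own reference. Returns bytes written, -1 if unknown. */
int async_write_safe(int id, const char *buf, size_t len) {
    struct ion_region *r = region_get(id);
    if (!r) return -1;
    region_deregister(id);          /* concurrent deregister lands here */
    if (len > sizeof r->data) len = sizeof r->data;
    memcpy(r->data, buf, len);      /* r is still live: refcount >= 1 */
    region_put(r);                  /* last reference: freed now, not earlier */
    return (int)len;
}

int main(void) {
    region_register(7);
    int n = async_write_safe(7, "pcm", 3);
    printf("wrote %d bytes, regions freed after put: %d\n", n, regions_freed);
    return 0;
}
```

The fix shape matters more than the locking primitive: a lock around the lookup alone does not help, because the use happens after the unlock; the operation must own a reference (or hold the lock) for the entire time it touches the buffer.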

Access Vector: Local
Security Risk: Medium

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

CVE-2016-6791:

https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=30a4f0783d2978e27a8b8856d8e358ccaf5ddab4

CVE-2016-8391:

https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=30a4f0783d2978e27a8b8856d8e358ccaf5ddab4

CVE-2016-8392:

https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=30a4f0783d2978e27a8b8856d8e358ccaf5ddab4

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com