Use after Free due to Race Conditions in KGSL Module (CVE-2016-2504, CVE-2016-2503)

Release Date:

July 6, 2016

Affected Projects:

Android for MSM
Firefox OS for MSM
QRD Android

Advisory ID:

QCIR-2016-00018-1

CVE ID(s):

CVE-2016-2504
CVE-2016-2503

Summary:

The following security vulnerabilities have been identified in the QuIC-authored KGSL Linux Graphics Module.

CVE-2016-2504: Because of allocation patterns it is possible to guess the ID or GPU address of an allocated memory buffer before it is returned to the user by a memory allocation operation. The user could use the guessed ID to "free" the buffer before the setup function has finished setting it up.

CVE-2016-2503: If the syncsource_destroy ioctl is called by parallel threads, each thread first looks up the syncsource and only then acquires the spinlock. The first thread to take the spinlock destroys the syncsource's refcount; the other threads then try to remove the refcount that has already been destroyed. This is a race condition while removing the syncsource.
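The lookup-then-lock shape behind CVE-2016-2503 and its corrected form, as an added illustration that is neither the KGSL driver's code nor the referenced patch: a refcounted object found by a user-supplied id, with the two callers' interleaving stepped deterministically in a single thread (the spinlock is shown as comments since nothing runs concurrently). The names `table`, `obj_put`, `vuln_remove`, `fixed_remove` and `run_race` are constructed for this example.

```c
/* Constructed illustration of the destroy race, not the KGSL driver's code. */
#define TABLE_SIZE 4
struct obj { int refcount; int freed; };
static struct obj pool[TABLE_SIZE];     /* backing storage for objects         */
static struct obj *table[TABLE_SIZE];   /* user-visible id -> object, or 0     */
static int uaf_hits;                    /* times a freed object was touched    */
static void reset(int id) {             /* fresh table holding one live object */
    for (int i = 0; i < TABLE_SIZE; i++) table[i] = 0;
    pool[id].refcount = 1; pool[id].freed = 0; table[id] = &pool[id];
    uaf_hits = 0;
}

/* Drop one reference; a put on an already freed object is the use-after-free. */
static void obj_put(struct obj *o) {
    if (o->freed) { uaf_hits++; return; }
    if (--o->refcount == 0) o->freed = 1;   /* kfree() in the real driver */
}

/* One in-flight destroy(id) call, stepped by hand so the preemption point
 * (caller A descheduled between lookup and lock) is reproduced exactly. */
struct call { int id; struct obj *o; };
/* Vulnerable shape: the lookup runs before the spinlock is taken, so two
 * callers can both find the object and both drop its single reference. */
static void vuln_lookup(struct call *c) { c->o = table[c->id]; }
static void vuln_remove(struct call *c) {
    if (!c->o) return;
    /* spin_lock(&table_lock); */
    table[c->id] = 0;
    obj_put(c->o);
    /* spin_unlock(&table_lock); */
}

/* Fixed shape: lookup and removal happen under the same lock, so the second
 * caller sees no entry and never reaches the freed object. */
static void fixed_remove(struct call *c) {
    /* spin_lock(&table_lock); */
    c->o = table[c->id];
    table[c->id] = 0;
    /* spin_unlock(&table_lock); */
    if (c->o) obj_put(c->o);
}

/* Two destroy(id) calls under the racy interleaving; returns the UAF count. */
static int run_race(int id, int fixed) {
    struct call a = { id, 0 }, b = { id, 0 };
    reset(id);
    if (fixed) { fixed_remove(&a); fixed_remove(&b); }   /* B finds the id gone */
    else { vuln_lookup(&a); vuln_lookup(&b);             /* both find the object */
           vuln_remove(&a); vuln_remove(&b); }           /* A frees it, B puts it */
    return uaf_hits;
}
```

With the vulnerable ordering the second caller touches the freed object once; with lookup and removal under one lock it never does.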

Access Vector: Local
Security Risk: High

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

CVE-2016-2504:
for msm 3.4, 3.10: https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f7c8dfd7060867d71fc370527e2e2278ffc3ba5e
for msm 3.18, 4.4: https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=75adbb8cebfe17ace640e6bd89582c1d72196378
CVE-2016-2503:
https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=9ae71bc3a542f68ea93c4eff01a41201ee6d9402

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks Adam Donenfeld et al. (Check Point Software Technologies Ltd.) for reporting these issues and working with QuIC to help improve the security of QuIC products.

Revisions:

Updated on 2016-07-13

Contact:

security-advisory@quicinc.com