September 2017 Security Bulletin
Version 1.0
Published: 9/27/2017
This document describes security vulnerabilities that were addressed through software changes until September 2017. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of our ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
In the past, security advisories were released for individual issues. Going forward, a security bulletin that includes a collection of addressed security issues will be released on a monthly cadence.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2017-8280 | Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
| CVE-2016-10289, CVE-2016-10290, CVE-2017-0583, CVE-2017-7370, CVE-2017-8242, CVE-2017-8243, CVE-2017-8260, CVE-2017-8261, CVE-2017-8262, CVE-2017-8263, CVE-2017-8265, CVE-2017-8266, CVE-2017-8267, CVE-2017-8268, CVE-2017-8270, CVE-2017-8272, CVE-2017-9678, CVE-2017-9680, CVE-2017-9682, CVE-2017-9684 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
| CVE-2017-9676 | Aravind Machiry (UCSB). |
| CVE-2017-8250 | Scott Bauer. |
| CVE-2017-8247, CVE-2017-8277, CVE-2017-9677 | Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2017-8251, CVE-2017-8281 | Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
Table of vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2017-0583 | Medium | Kernel | 12/21/2016 |
| CVE-2017-8263 | Medium | Kernel | 1/3/2017 |
| CVE-2017-8265 | Medium | Video | 1/10/2017 |
| CVE-2016-10290 | Medium | Storage | 1/10/2017 |
| CVE-2017-8266 | Medium | Display | 1/12/2017 |
| CVE-2016-10289 | Medium | Crypto driver | 1/26/2017 |
| CVE-2017-8267 | Medium | Kernel | 2/1/2017 |
| CVE-2017-8243 | Medium | Kernel | 2/2/2017 |
| CVE-2017-8268 | Medium | Camera | 2/3/2017 |
| CVE-2017-7370 | Medium | Display | 2/13/2017 |
| CVE-2017-8260 | Medium | Camera | 2/17/2017 |
| CVE-2017-8242 | Medium | Trusted Execution Environment Communication Driver | 2/20/2017 |
| CVE-2017-8261 | High | Camera | 3/1/2017 |
| CVE-2017-8270 | Medium | WLAN HOST | 3/17/2017 |
| CVE-2017-8272 | Medium | Display | 4/4/2017 |
| CVE-2017-8262 | High | Graphics_Linux | 4/5/2017 |
| CVE-2017-8250 | Medium | GPU | 2/8/2017 |
| CVE-2017-8251 | Medium | Camera | 2/13/2017 |
| CVE-2017-8277 | Medium | Display | 2/20/2017 |
| CVE-2017-8280 | Medium | WLAN HOST | 3/7/2017 |
| CVE-2017-8281 | Medium | Services | 3/7/2017 |
| CVE-2017-9676 | Medium | Core | 3/8/2017 |
| CVE-2017-9677 | Medium | Audio | 3/22/2017 |
| CVE-2017-8247 | Medium | Camera | 3/23/2017 |
| CVE-2017-9678 | Medium | Display | 4/3/2017 |
| CVE-2017-9680 | Medium | Biometrics | 4/6/2017 |
| CVE-2017-9682 | High | Graphics_Linux | 4/7/2017 |
| CVE-2017-9684 | Medium | WiredConnectivity | 4/24/2017 |
Vulnerability details
CVE-2017-0583
| Title: | Configuration in Kernel |
| Description | A userspace application could improperly obtain control over system control registers. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-16 Configuration |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/21/2016 |
| Customer Notified Date | 6/5/2017 |
| Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8f70068650a6e6bef0a41de2e30c17087d3a84d |
CVE-2017-8263
| Title: | Improper Input Validation in Kernel |
| Description | A kernel fault can occur when doing certain operations on a read-only virtual address in userspace. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/3/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c |
CVE-2017-8265
| Title: | Time-of-check Time-of-use Race Condition in Video |
| Description | A race condition exists in a video driver which can lead to a double free. |
| Technology Area | Video |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/10/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=193813a21453ccc7fb6b04bedf881a6feaaa015f |
CVE-2016-10290
| Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
| Description | When multiple threads read a debugfs file, a Use After Free condition can potentially occur. |
| Technology Area | Storage |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/10/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a5e46d8635a2e28463b365aacdeab6750abd0d49 |
CVE-2017-8266
| Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Video |
| Description | A race condition exists in a video driver potentially leading to a use-after-free condition. |
| Technology Area | Display |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/12/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch | ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=64e4e29356928bea60ae4be5b387eb7d8d7a7f45 |
CVE-2016-10289
| Title: | Buffer Copy without Checking Size of Input in Core |
| Description | In a kernel driver, a buffer overflow can potentially occur. |
| Technology Area | Crypto driver |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/26/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=08a969c0e4c399df047c8055ac11a19e124500ed |
CVE-2017-8267
| Title: | Integer Overflow to Buffer Overflow in Kernel |
| Description | A race condition exists in an IOCTL handler potentially leading to an integer overflow and then an out-of-bounds write. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/1/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch | ·https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=2a2f0b7463f4de9ca225769204ff62c71760709c |
CVE-2017-8243
| Title: | Buffer Copy without Checking Size of Input in Kernel |
| Description | A buffer overflow can occur when processing a firmware image file. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/2/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=cae0d5a6f32e52e06c0841bb7142452062dc2ac8 |
CVE-2017-8268
| Title: | Buffer Over-read in Camera |
| Description | The camera application can possibly request frame/command buffer processing with invalid values leading to the driver performing a heap buffer over-read. |
| Technology Area | Camera |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/3/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fab64410d005a7dee8ed02557a0ca26e4c5242ff |
CVE-2017-7370
| Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Video |
| Description | A race condition exists in a video driver potentially leading to a use-after-free condition. |
| Technology Area | Display |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/13/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=970edf007fbe64b094437541a42477d653802d85 |
CVE-2017-8260
| Title: | Improper Input Validation in Camera |
| Description | Due to a type downcast, a value may improperly pass validation and cause an out of bounds write later. |
| Technology Area | Camera |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/17/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7b7534d96813ffe502271b0b3fae0d0d12e3e05b |
CVE-2017-8242
| Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in QTEE |
| Description | A race condition exists in a QTEE driver potentially leading to an arbitrary memory write. |
| Technology Area | Trusted Execution Environment Communication Driver |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/20/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch | ·https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=364643660e49ec22f657d3e624bee2c7b9738d98 |
CVE-2017-8261
| Title: | Untrusted Pointer Dereference in Camera |
| Description | In a camera driver ioctl, a kernel overwrite can potentially occur. |
| Technology Area | Camera |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 3/1/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=312a8a67ba8898b7e19c4d1bdb98d792970b983b |
CVE-2017-8270
| Title: | Use After Free in WLAN |
| Description | A race condition exists in a driver potentially leading to a use-after-free condition. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/17/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ff96565f1dbabfeb7fb2c1604f40af768579d9df |
CVE-2017-8272
| Title: | Improper Validation of Array Index in Display |
| Description | In a driver function, a value from userspace is not properly validated potentially leading to an out of bounds heap write. |
| Technology Area | Display |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/4/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=a8cb976e7c8f25191728b655e0b38328a6d7d81f |
CVE-2017-8262
| Title: | Use After Free in Graphics |
| Description | In some memory allocation and free functions, a race condition can potentially occur leading to a Use After Free condition. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 4/5/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=20c8f1c393ec2726ac46642ae8883643f2427c4f |
CVE-2017-8250
| Title: | Integer Overflow to Buffer Overflow in Graphics |
| Description | User controlled variables “nr_cmds” and “nr_bos” number are passed across functions without any check. Integer overflow to buffer overflow (with a smaller buffer allocated) may occur when they are too large or negative. |
| Technology Area | GPU |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/8/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9be5b16de622c2426408425e3df29e945cd21d37 |
CVE-2017-8251
| Title: | Improper Validation of Array Index in Camera |
| Description | In functions msm_isp_check_stream_cfg_cmd & msm_isp_stats_update_cgc_override, ‘stream_cfg_cmd->num_streams’ is not checked, and could overflow array stream_cfg_cmd->stream_handle. |
| Technology Area | Camera |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/13/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=771254edea3486535453dbb76d090cd6bcf92af9 |
CVE-2017-8277
| Title: | Use After Free in Display |
| Description | In the function msm_dba_register_client, if the client registers failed, it would be freed. However the client was not removed from list. Use-after-free would occur when traversing the list next time. |
| Technology Area | Display |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/20/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=c9a6f09f1030cec591df837622cb54bbb2d24ddc |
CVE-2017-8280
| Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in WLAN |
| Description | During the wlan calibration data store and retrieve operation, there are some potential race conditions which lead to memory leak and buffer overflow during the context switch. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/7/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=49b9a02eaaeb0b70608c6fbcadff7d83833b9614 |
CVE-2017-8281
| Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
| Description | A race condition can allow access to already freed memory while querying event status via DCI. |
| Technology Area | Services |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/7/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=9b209c4552779edb86221787fb8681dd212e3a0c |
CVE-2017-9676
| Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
| Description | Potential Use after free scenarios and race conditions when accessing global static variables without using a lock. |
| Technology Area | Core |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/8/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c1f749639030305a3b02185c180240a8195fb715 |
CVE-2017-9677
| Title: | Improper Validation of Array Index in Audio |
| Description | In function msm_compr_ioctl_shared, variable “ddp->params_length” could be accessed and modified by multiple threads, while it is not protected with locks. If one thread is running, while another thread is setting data, race conditions will happen. If “ddp->params_length” is set to a big number, array overflow will occur. |
| Technology Area | Audio |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/22/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b |
CVE-2017-8247
| Title: | Integer Overflow or Wraparound in Camera |
| Description | If there is more than one thread doing the device open operation, the device may be opened more than once. This would lead to get_pid being called more than once, however put_pid being called only once in function “msm_close”. |
| Technology Area | Camera |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/23/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=84f8c42e5d848b1d04f49d253f98296e8c2280b9 |
CVE-2017-9678
| Title: | Buffer Copy without Checking Size of Input in TrustZone |
| Description | A buffer overflow vulnerability exists in a QTEE service. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/3/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=ad8e758d30164290a71d9c59fbf7854029556a3e |
CVE-2017-9680
| Title: | Use of Uninitialized Variable in Kernel |
| Description | If a pointer argument coming from userspace is invalid, a driver may use an uninitialized structure to log an error message. |
| Technology Area | Biometrics |
| Vulnerability Type | CWE-457 Use of Uninitialized Variable |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/6/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dcd0a696c33dd3ab824151833d787f3ff90abbba |
CVE-2017-9682
| Title: | Use After Free in Graphics |
| Description | A race condition in two KGSL driver functions can lead to a Use After Free condition. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 4/7/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=1c4ddc4c7a4fcdf9371048ce01a6b0e5d2a2bae9 |
CVE-2017-9684
| Title: | Use After Free in USB |
| Description | A race condition in a USB driver can lead to a Use After Free condition. |
| Technology Area | WiredConnectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/24/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch | ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c0b8e888819217b861fd55a7b86fc683a72caf10 |
Industry Co-ordination
Security ratings of issues included in Android security bulletins and Qualcomm Innovation Center, Inc. bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
·Consideration of security protections such as SELinux not enforced on some platforms
·Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | September 27th, 2017 | Bulletin Published |