September 2017 Code Aurora Security Bulletin


September 2017 Security Bulletin

Version 1.0

Published: 9/27/2017

This document describes security vulnerabilities that were addressed through software changes up to September 2017. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. The changes apply to, but are not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating; the ratings are defined by version 1.2 of our ratings scheme, which can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

In the past, security advisories were released for individual issues. Going forward, a security bulletin that includes a collection of addressed security issues will be released on a monthly cadence.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-8280 Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2016-10289, CVE-2016-10290, CVE-2017-0583, CVE-2017-7370, CVE-2017-8242, CVE-2017-8243, CVE-2017-8260, CVE-2017-8261, CVE-2017-8262, CVE-2017-8263, CVE-2017-8265, CVE-2017-8266, CVE-2017-8267, CVE-2017-8268, CVE-2017-8270, CVE-2017-8272, CVE-2017-9678, CVE-2017-9680, CVE-2017-9682, CVE-2017-9684 Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2017-9676 Aravind Machiry (UCSB).
CVE-2017-8250 Scott Bauer.
CVE-2017-8247, CVE-2017-8251, CVE-2017-8277, CVE-2017-8281, CVE-2017-9677 Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd.

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-0583 Medium Kernel 12/21/2016
CVE-2017-8263 Medium Kernel 1/3/2017
CVE-2017-8265 Medium Video 1/10/2017
CVE-2016-10290 Medium Storage 1/10/2017
CVE-2017-8266 Medium Display 1/12/2017
CVE-2016-10289 Medium Crypto driver 1/26/2017
CVE-2017-8267 Medium Kernel 2/1/2017
CVE-2017-8243 Medium Kernel 2/2/2017
CVE-2017-8268 Medium Camera 2/3/2017
CVE-2017-7370 Medium Display 2/13/2017
CVE-2017-8260 Medium Camera 2/17/2017
CVE-2017-8242 Medium Trusted Execution Environment Communication Driver 2/20/2017
CVE-2017-8261 High Camera 3/1/2017
CVE-2017-8270 Medium WLAN HOST 3/17/2017
CVE-2017-8272 Medium Display 4/4/2017
CVE-2017-8262 High Graphics_Linux 4/5/2017
CVE-2017-8250 Medium GPU 2/8/2017
CVE-2017-8251 Medium Camera 2/13/2017
CVE-2017-8277 Medium Display 2/20/2017
CVE-2017-8280 Medium WLAN HOST 3/7/2017
CVE-2017-8281 Medium Services 3/7/2017
CVE-2017-9676 Medium Core 3/8/2017
CVE-2017-9677 Medium Audio 3/22/2017
CVE-2017-8247 Medium Camera 3/23/2017
CVE-2017-9678 Medium Display 4/3/2017
CVE-2017-9680 Medium Biometrics 4/6/2017
CVE-2017-9682 High Graphics_Linux 4/7/2017
CVE-2017-9684 Medium WiredConnectivity 4/24/2017

Vulnerability details

CVE-2017-0583

Title: Configuration in Kernel
Description A userspace application could improperly obtain control over system control registers.
Technology Area Kernel
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating Medium
Date Reported 12/21/2016
Customer Notified Date 6/5/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8f70068650a6e6bef0a41de2e30c17087d3a84d

CVE-2017-8263

Title: Improper Input Validation in Kernel
Description A kernel fault can occur when doing certain operations on a read-only virtual address in userspace.
Technology Area Kernel
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 1/3/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c

CVE-2017-8265

Title: Time-of-check Time-of-use Race Condition in Video
Description A race condition exists in a video driver which can lead to a double free.
Technology Area Video
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 1/10/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=193813a21453ccc7fb6b04bedf881a6feaaa015f

CVE-2016-10290

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description When multiple threads read a debugfs file, a Use After Free condition can potentially occur.
Technology Area Storage
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 1/10/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a5e46d8635a2e28463b365aacdeab6750abd0d49

CVE-2017-8266

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Video
Description A race condition exists in a video driver potentially leading to a use-after-free condition.
Technology Area Display
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 1/12/2017
Customer Notified Date 7/3/2017
Patch ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=64e4e29356928bea60ae4be5b387eb7d8d7a7f45

CVE-2016-10289

Title: Buffer Copy without Checking Size of Input in Core
Description In a kernel driver, a buffer overflow can potentially occur.
Technology Area Crypto driver
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 1/26/2017
Customer Notified Date 5/9/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=08a969c0e4c399df047c8055ac11a19e124500ed

CVE-2017-8267

Title: Integer Overflow to Buffer Overflow in Kernel
Description A race condition exists in an IOCTL handler potentially leading to an integer overflow and then an out-of-bounds write.
Technology Area Kernel
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 2/1/2017
Customer Notified Date 7/3/2017
Patch ·https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=2a2f0b7463f4de9ca225769204ff62c71760709c

CVE-2017-8243

Title: Buffer Copy without Checking Size of Input in Kernel
Description A buffer overflow can occur when processing a firmware image file.
Technology Area Kernel
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/2/2017
Customer Notified Date 5/9/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=cae0d5a6f32e52e06c0841bb7142452062dc2ac8

CVE-2017-8268

Title: Buffer Over-read in Camera
Description The camera application can request frame/command buffer processing with invalid values, leading to a heap buffer over-read in the driver.
Technology Area Camera
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 2/3/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fab64410d005a7dee8ed02557a0ca26e4c5242ff

CVE-2017-7370

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Video
Description A race condition exists in a video driver potentially leading to a use-after-free condition.
Technology Area Display
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 2/13/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=970edf007fbe64b094437541a42477d653802d85

CVE-2017-8260

Title: Improper Input Validation in Camera
Description Due to a type downcast, a value may improperly pass validation and cause an out of bounds write later.
Technology Area Camera
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 2/17/2017
Customer Notified Date 5/9/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7b7534d96813ffe502271b0b3fae0d0d12e3e05b

CVE-2017-8242

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in QTEE
Description A race condition exists in a QTEE driver potentially leading to an arbitrary memory write.
Technology Area Trusted Execution Environment Communication Driver
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 2/20/2017
Customer Notified Date 7/3/2017
Patch ·https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=364643660e49ec22f657d3e624bee2c7b9738d98

CVE-2017-8261

Title: Untrusted Pointer Dereference in Camera
Description In a camera driver ioctl, a kernel overwrite can potentially occur.
Technology Area Camera
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating High
Date Reported 3/1/2017
Customer Notified Date 5/9/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=312a8a67ba8898b7e19c4d1bdb98d792970b983b

CVE-2017-8270

Title: Use After Free in WLAN
Description A race condition exists in a driver potentially leading to a use-after-free condition.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 3/17/2017
Customer Notified Date 7/3/2017
Patch ·https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ff96565f1dbabfeb7fb2c1604f40af768579d9df

CVE-2017-8272

Title: Improper Validation of Array Index in Display
Description In a driver function, a value from userspace is not properly validated potentially leading to an out of bounds heap write.
Technology Area Display
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 4/4/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=a8cb976e7c8f25191728b655e0b38328a6d7d81f

CVE-2017-8262

Title: Use After Free in Graphics
Description In some memory allocation and free functions, a race condition can potentially occur leading to a Use After Free condition.
Technology Area Graphics_Linux
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 4/5/2017
Customer Notified Date 5/9/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=20c8f1c393ec2726ac46642ae8883643f2427c4f

CVE-2017-8250

Title: Integer Overflow to Buffer Overflow in Graphics
Description The user-controlled values “nr_cmds” and “nr_bos” are passed across functions without any check. When they are too large or negative, the size computation overflows and a buffer smaller than needed is allocated, leading to a buffer overflow.
Technology Area GPU
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 2/8/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9be5b16de622c2426408425e3df29e945cd21d37

CVE-2017-8251

Title: Improper Validation of Array Index in Camera
Description In the functions msm_isp_check_stream_cfg_cmd and msm_isp_stats_update_cgc_override, ‘stream_cfg_cmd->num_streams’ is not checked and can be used to index past the end of the array stream_cfg_cmd->stream_handle.
Technology Area Camera
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 2/13/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=771254edea3486535453dbb76d090cd6bcf92af9
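The three camera and GPU entries CVE-2017-8260, CVE-2017-8250 and CVE-2017-8251 are variations of one mistake: a count that arrives from userspace is checked in a way that does not match how it is later used. The following C program is an added illustration, not code from this bulletin or from the CAF kernel trees it links. Its structures, limits and function names are hypothetical stand-ins for the real driver code, and the out-of-bounds write in the index case lands in a guard region of an oversized backing array so that it can be observed without undefined behaviour.

```c
/* Added example, not code from the bulletin or from the CAF kernel trees it
 * links.  It models three ways a user-supplied count can defeat a size check,
 * after the bulletin's descriptions of CVE-2017-8260 (truncating downcast),
 * CVE-2017-8250 (nr_cmds/nr_bos overflow) and CVE-2017-8251 (num_streams
 * indexing stream_handle[]).  All names are hypothetical stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 64   /* hypothetical per-buffer entry limit        */
#define MAX_CMDS    1024 /* hypothetical limit for nr_cmds and nr_bos  */
#define MAX_STREAMS 8    /* hypothetical size of stream_handle[]       */
#define GUARD       4    /* spare words that catch the demo's OOB write */

struct demo_cmd { uint64_t gpuaddr; uint32_t size; uint32_t flags; }; /* 16 bytes */

/* 1. Downcast (CVE-2017-8260): the check runs on a narrowed copy, the later
 *    loop bound is the full-width original.  Returns the entry count the
 *    driver would process, or -EINVAL. */
int entries_to_process_vulnerable(uint32_t num_entries)
{
    uint16_t n = (uint16_t)num_entries;   /* 0x10004 is checked as 4 ... */
    if (n > MAX_ENTRIES)
        return -EINVAL;
    return (int)num_entries;              /* ... but 0x10004 is used */
}

int entries_to_process_fixed(uint32_t num_entries)
{
    if (num_entries > MAX_ENTRIES)        /* check at the width of the use */
        return -EINVAL;
    return (int)num_entries;
}

/* 2. Multiplication wrap (CVE-2017-8250) in the 32-bit arithmetic of an ARM32
 *    kernel: 0x10000001 * 16 = 0x100000010 wraps to 16, so a 16-byte buffer
 *    is allocated for 0x10000001 commands. */
uint32_t cmd_bytes_vulnerable(int nr_cmds)
{
    return (uint32_t)nr_cmds * (uint32_t)sizeof(struct demo_cmd);
}

int64_t cmd_bytes_fixed(int nr_cmds)      /* byte count, or negative errno */
{
    uint32_t bytes;
    if (nr_cmds < 0 || nr_cmds > MAX_CMDS)    /* negative or oversized */
        return -EINVAL;
    /* Redundant after the range check, but keeps the arithmetic safe if
     * MAX_CMDS is ever raised; in the kernel kmalloc_array() does this. */
    if (__builtin_mul_overflow((uint32_t)nr_cmds,
                               (uint32_t)sizeof(struct demo_cmd), &bytes))
        return -EOVERFLOW;
    return bytes;
}

/* 3. Unbounded index (CVE-2017-8251): stream_handle[] has MAX_STREAMS slots
 *    and num_streams comes from userspace.  The demo backs the array with
 *    MAX_STREAMS + GUARD words and reports whether the guard survived
 *    (1 = in bounds, 0 = overwritten); the clamp only keeps the write inside
 *    the backing store so the demo itself stays well defined. */
static int fill_handles(uint32_t num_streams)
{
    uint32_t handles[MAX_STREAMS + GUARD];
    for (int i = 0; i < MAX_STREAMS + GUARD; i++)
        handles[i] = 0xDEADBEEF;
    if (num_streams > MAX_STREAMS + GUARD)
        num_streams = MAX_STREAMS + GUARD;
    for (uint32_t i = 0; i < num_streams; i++)
        handles[i] = 0x1000 + i;
    for (int i = MAX_STREAMS; i < MAX_STREAMS + GUARD; i++)
        if (handles[i] != 0xDEADBEEF)
            return 0;
    return 1;
}

int stream_cfg_vulnerable(uint32_t num_streams)
{
    return fill_handles(num_streams);         /* num_streams never checked */
}

int stream_cfg_fixed(uint32_t num_streams)
{
    if (num_streams == 0 || num_streams > MAX_STREAMS)
        return -EINVAL;
    return fill_handles(num_streams);
}

int main(void)
{
    printf("downcast: vulnerable=%d fixed=%d\n",
           entries_to_process_vulnerable(0x10004), entries_to_process_fixed(0x10004));
    printf("wrap:     vulnerable=%u fixed=%lld\n",
           cmd_bytes_vulnerable(0x10000001), (long long)cmd_bytes_fixed(0x10000001));
    printf("index:    vulnerable guard intact=%d fixed=%d\n",
           stream_cfg_vulnerable(MAX_STREAMS + 2), stream_cfg_fixed(MAX_STREAMS + 2));
    return 0;
}
```

Compile with any C99 compiler (gcc demo.c && ./a.out). The fix is the same rule in all three cases: validate the value at the width and in the unit (elements or bytes) in which it will be used, and then use only the validated copy.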

CVE-2017-8277

Title: Use After Free in Display
Description In the function msm_dba_register_client, a client whose registration fails is freed but is not removed from the client list. The next traversal of the list then accesses the freed client (use-after-free).
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 2/20/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=c9a6f09f1030cec591df837622cb54bbb2d24ddc
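The failure described for CVE-2017-8277 is the classic error path that frees an object which is still reachable from a list. The following C program is an added illustration and not the msm_dba code the linked patch changes; it keeps a minimal client list with hypothetical dba_* names, shows the error path that frees a client still linked into the list, and beside it the fixed ordering in which a client is only published on the list once registration has succeeded.

```c
/* Added example, not the msm_dba code the bulletin's patch changes.  It
 * models the CVE-2017-8277 description: a client is linked into the
 * registry's list, its registration then fails, and the error path frees it
 * without unlinking it, so the next walk of the list reaches freed memory.
 * The dba_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct dba_client {
    int id;
    int (*connect)(struct dba_client *);   /* the registration step that can fail */
    struct dba_client *next;
};

struct dba_registry { struct dba_client *head; };

int connect_ok(struct dba_client *c)   { (void)c; return 0; }
int connect_fail(struct dba_client *c) { (void)c; return -1; }

/* Vulnerable: the client is put on the list before connect() runs, and the
 * error path frees it without taking it off again. */
int dba_register_vulnerable(struct dba_registry *reg, int id,
                            int (*connect)(struct dba_client *))
{
    struct dba_client *c = calloc(1, sizeof *c);
    if (!c)
        return -1;
    c->id = id;
    c->connect = connect;
    c->next = reg->head;
    reg->head = c;                       /* visible to every list walker */
    if (c->connect(c) != 0) {
        free(c);                         /* BUG: reg->head still points at c */
        return -1;
    }
    return 0;
}

/* Fixed: publish the client only after every fallible step has succeeded.
 * (If the driver must link first, the error path has to unlink under the
 * lock that protects the list, and free only after that.) */
int dba_register_fixed(struct dba_registry *reg, int id,
                       int (*connect)(struct dba_client *))
{
    struct dba_client *c = calloc(1, sizeof *c);
    if (!c)
        return -1;
    c->id = id;
    c->connect = connect;
    if (c->connect(c) != 0) {
        free(c);                         /* not on the list yet, nothing dangles */
        return -1;
    }
    c->next = reg->head;
    reg->head = c;
    return 0;
}

/* Walks the list; only safe while every node on it is live. */
size_t dba_count(const struct dba_registry *reg)
{
    size_t n = 0;
    for (const struct dba_client *c = reg->head; c; c = c->next)
        n++;
    return n;
}

/* Scenario: client 1 registers, client 2 fails.  Returns 1 if the head no
 * longer points at the live client, i.e. it points at the freed one.  The
 * freed pointer is only compared, never dereferenced, so the demo itself
 * stays well defined. */
int vulnerable_leaves_dangling(void)
{
    struct dba_registry reg = { 0 };
    dba_register_vulnerable(&reg, 1, connect_ok);
    struct dba_client *live = reg.head;
    dba_register_vulnerable(&reg, 2, connect_fail);
    int dangling = (reg.head != live);
    free(live);                          /* the only node still allocated */
    return dangling;
}

/* Same scenario with the fix: the list holds exactly the one live client. */
int fixed_keeps_list_consistent(void)
{
    struct dba_registry reg = { 0 };
    dba_register_fixed(&reg, 1, connect_ok);
    struct dba_client *live = reg.head;
    int rc = dba_register_fixed(&reg, 2, connect_fail);
    int ok = (rc == -1 && reg.head == live && dba_count(&reg) == 1);
    free(live);
    return ok;
}

int main(void)
{
    printf("vulnerable: head dangles after failed registration = %d\n",
           vulnerable_leaves_dangling());
    printf("fixed:      list consistent after failed registration = %d\n",
           fixed_keeps_list_consistent());
    return 0;
}
```

When a driver has to link before the fallible step (for example because a callback needs to find the client on the list), the equivalent fix is to unlink on the error path, under the same lock the list walkers take, and only then free. Either way the invariant is the same: nothing reachable from the list is ever freed.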

CVE-2017-8280

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in WLAN
Description During the WLAN calibration data store and retrieve operations, race conditions around a context switch can lead to a memory leak and a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 3/7/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=49b9a02eaaeb0b70608c6fbcadff7d83833b9614

CVE-2017-8281

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description A race condition can allow access to already freed memory while querying event status via DCI.
Technology Area Services
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 3/7/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=9b209c4552779edb86221787fb8681dd212e3a0c

CVE-2017-9676

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description Global static variables are accessed without a lock, which can lead to race conditions and use-after-free scenarios.
Technology Area Core
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 3/8/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c1f749639030305a3b02185c180240a8195fb715

CVE-2017-9677

Title: Improper Validation of Array Index in Audio
Description In the function msm_compr_ioctl_shared, the variable “ddp->params_length” can be read and modified by multiple threads without a lock. If one thread validates and uses the value while another thread sets it, a race condition occurs; if “ddp->params_length” is set to a large value between the check and the use, an array overflow results.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 3/22/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b
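The bug described for CVE-2017-9677 is a check-then-use race on a field that other threads can write. The C program below is an added example and not the msm_compr code the linked patch changes; the ddp_* names are hypothetical. It stands the context switch in with a hook so the interleaving is reproducible, gives the destination buffer a guard region so the overflow is observable without undefined behaviour, and shows the fix: read params_length once (in the driver, under the lock that protects the structure), validate that local copy, and use only the local copy.

```c
/* Added example, not the msm_compr code the bulletin's patch changes.  It
 * models the CVE-2017-9677 description: an ioctl handler validates a length
 * field inside a structure that another thread can modify, then re-reads the
 * field when it copies the parameters.  The context switch between check and
 * use is replaced by a hook so the interleaving is deterministic, and the
 * destination buffer carries a guard region so the overflow is observable
 * without undefined behaviour.  The ddp_* names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define DDP_MAX_PARAMS 32
#define DDP_GUARD      16
#define DDP_BACKING    (DDP_MAX_PARAMS + DDP_GUARD)

struct ddp_params {
    uint32_t params_length;          /* shared with other threads */
    uint32_t params[DDP_BACKING];    /* real code: DDP_MAX_PARAMS */
};

/* Stands in for whatever the other thread does while this one is preempted. */
typedef void (*preempt_hook)(struct ddp_params *);

void nobody(struct ddp_params *p) { (void)p; }
void other_thread_grows_length(struct ddp_params *p) { p->params_length = DDP_BACKING; }

/* Vulnerable: params_length is read at the check and read again at the use. */
int ddp_apply_vulnerable(struct ddp_params *ddp, uint32_t *dst, preempt_hook preempt)
{
    if (ddp->params_length > DDP_MAX_PARAMS)            /* time of check */
        return -EINVAL;
    preempt(ddp);                                       /* context switch */
    for (uint32_t i = 0; i < ddp->params_length; i++)   /* time of use */
        dst[i] = ddp->params[i];
    return 0;
}

/* Fixed: read the field once into a local, validate the local, use the local.
 * In the driver that single read happens under the lock protecting ddp; the
 * local copy is what makes the check and the use agree even if the lock is
 * dropped in between. */
int ddp_apply_fixed(struct ddp_params *ddp, uint32_t *dst, preempt_hook preempt)
{
    uint32_t len = ddp->params_length;                  /* single read */
    if (len > DDP_MAX_PARAMS)
        return -EINVAL;
    preempt(ddp);                                       /* cannot change len */
    for (uint32_t i = 0; i < len; i++)
        dst[i] = ddp->params[i];
    return 0;
}

/* Runs one handler against constructed input with params_length = 4.
 * Returns 1 if anything was written past dst[DDP_MAX_PARAMS - 1], 0 if the
 * copy stayed in bounds, -1 if the handler rejected the input. */
int run_scenario(int (*apply)(struct ddp_params *, uint32_t *, preempt_hook),
                 preempt_hook hook)
{
    struct ddp_params ddp = { .params_length = 4 };
    uint32_t dst[DDP_BACKING] = { 0 };
    for (uint32_t i = 0; i < DDP_BACKING; i++)
        ddp.params[i] = 0xA0 + i;                       /* constructed data */
    if (apply(&ddp, dst, hook) != 0)
        return -1;
    for (uint32_t i = DDP_MAX_PARAMS; i < DDP_BACKING; i++)
        if (dst[i] != 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, no writer:     overflow=%d\n",
           run_scenario(ddp_apply_vulnerable, nobody));
    printf("vulnerable, racing writer: overflow=%d\n",
           run_scenario(ddp_apply_vulnerable, other_thread_grows_length));
    printf("fixed, racing writer:      overflow=%d\n",
           run_scenario(ddp_apply_fixed, other_thread_grows_length));
    return 0;
}
```

The single local read matters even once a lock is added: the lock closes the window for concurrent writers, while the snapshot guarantees that the value which was checked is the value which is used.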

CVE-2017-8247

Title: Integer Overflow or Wraparound in Camera
Description If more than one thread performs the device open operation at the same time, the device may be opened more than once. get_pid is then called more than once, while put_pid is called only once in the function “msm_close”.
Technology Area Camera
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating Medium
Date Reported 3/23/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=84f8c42e5d848b1d04f49d253f98296e8c2280b9

CVE-2017-9678

Title: Buffer Copy without Checking Size of Input in TrustZone
Description A buffer overflow vulnerability exists in a QTEE service.
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 4/3/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=ad8e758d30164290a71d9c59fbf7854029556a3e

CVE-2017-9680

Title: Use of Uninitialized Variable in Kernel
Description If a pointer argument coming from userspace is invalid, a driver may use an uninitialized structure to log an error message.
Technology Area Biometrics
Vulnerability Type CWE-457 Use of Uninitialized Variable
Access Vector Local
Security Rating Medium
Date Reported 4/6/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dcd0a696c33dd3ab824151833d787f3ff90abbba

CVE-2017-9682

Title: Use After Free in Graphics
Description A race condition in two KGSL driver functions can lead to a Use After Free condition.
Technology Area Graphics_Linux
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 4/7/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=1c4ddc4c7a4fcdf9371048ce01a6b0e5d2a2bae9

CVE-2017-9684

Title: Use After Free in USB
Description A race condition in a USB driver can lead to a Use After Free condition.
Technology Area WiredConnectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 4/24/2017
Customer Notified Date 6/5/2017
Patch ·https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c0b8e888819217b861fd55a7b86fc683a72caf10

Industry Co-ordination

The security ratings of issues that appear in both the Android security bulletins and the Qualcomm Innovation Center, Inc. bulletins match in most cases but may differ for one of the following reasons:

·Consideration of security protections, such as SELinux, that are not enforced on some platforms

·Differences in the assessment of specific scenarios involving local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version Date Comments
1.0 September 27th, 2017 Bulletin Published