October 2017 Security Bulletin
Version 1.2
Published: 10/20/2017
This document describes security vulnerabilities that were addressed through software changes up to September 2017. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating. A description of these ratings, using v1.2 of the ratings scheme, can be found at the following link. Please reach out to security-advisory@quicinc.com with any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2017-8257 | Gengjia Chen (@chengjia4574) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd |
CVE-2016-10291, CVE-2017-0439, CVE-2017-0453, CVE-2017-0454, CVE-2017-0456, CVE-2017-0457, CVE-2017-0459, CVE-2017-0460, CVE-2017-0461, CVE-2017-0462, CVE-2017-0516, CVE-2017-0576, CVE-2017-0747, CVE-2017-10997, CVE-2017-11002, CVE-2017-6424, CVE-2017-7368, CVE-2017-8236, CVE-2017-8259, CVE-2017-9693, CVE-2017-9694, CVE-2017-9720 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
CVE-2016-10285, CVE-2016-5864 | Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360. |
CVE-2016-5863, CVE-2017-6421 | Gengjia Chen (chengjia4574) |
CVE-2016-5854, CVE-2016-5855, CVE-2016-5857, CVE-2016-5861 | Scott Bauer |
CVE-2016-5347, CVE-2016-5853, CVE-2016-5858, CVE-2016-5859, CVE-2016-5860, CVE-2016-5862, CVE-2016-5867 | Seven Shen from Trend Micro Mobile Threat Research Team |
CVE-2016-5868 | Yonggang Guo, Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
CVE-2017-8258 | Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
--- | --- | --- | --- |
CVE-2016-10291 | Medium | Buses | 3/8/2016 |
CVE-2017-0457 | Medium | DSP_Services | 11/4/2016 |
CVE-2017-0518 | High | Biometrics | 11/7/2016 |
CVE-2017-0519 | High | Biometrics | 11/7/2016 |
CVE-2017-0531 | High | Audio | 11/8/2016 |
CVE-2017-0459 | Medium | Data Network Stack & Connectivity | 11/18/2016 |
CVE-2017-0439 | Medium | WLAN HOST | 11/18/2016 |
CVE-2016-5854 | Medium | Trusted Execution Environment | 11/21/2016 |
CVE-2016-10276 | Critical | Boot | 11/24/2016 |
CVE-2016-5857 | Medium | Trusted Execution Environment | 11/24/2016 |
CVE-2016-5855 | Medium | Trusted Execution Environment | 11/24/2016 |
CVE-2017-8273 | High | Boot | 11/25/2016 |
CVE-2016-5867 | Medium | Audio | 12/1/2016 |
CVE-2017-0516 | Medium | Touch | 12/1/2016 |
CVE-2016-5859 | Medium | Audio | 12/2/2016 |
CVE-2016-5858 | Medium | Audio | 12/2/2016 |
CVE-2017-0523 | High | WIGIG HOST | 12/2/2016 |
CVE-2017-0521 | High | Camera | 12/6/2016 |
CVE-2017-0525 | Medium | Data Network Stack & Connectivity | 12/6/2016 |
CVE-2017-0608 | Medium | Audio | 12/7/2016 |
CVE-2017-0622 | High | Touch | 12/7/2016 |
CVE-2017-0460 | Medium | Data Network Stack & Connectivity | 12/8/2016 |
CVE-2017-0456 | Medium | Data Network Stack & Connectivity | 12/9/2016 |
CVE-2016-5862 | Medium | Audio | 12/9/2016 |
CVE-2017-0461 | Medium | WLAN HOST | 12/12/2016 |
CVE-2016-5860 | Medium | Audio | 12/13/2016 |
CVE-2016-5347 | Medium | Audio | 12/13/2016 |
CVE-2017-0463 | High | MProc | 12/15/2016 |
CVE-2016-10293 | Medium | Display | 12/15/2016 |
CVE-2017-0462 | Medium | Qualcomm SnapDragon Smart Protect | 12/16/2016 |
CVE-2016-10236 | Medium | WiredConnectivity | 12/16/2016 |
CVE-2017-6424 | Medium | WLAN HOST | 12/18/2016 |
CVE-2016-5863 | Medium | WiredConnectivity | 12/19/2016 |
CVE-2016-5853 | Medium | Audio | 12/19/2016 |
CVE-2017-10997 | Medium | HWEngines | 12/19/2016 |
CVE-2017-7368 | Medium | Audio | 12/19/2016 |
CVE-2017-0576 | Medium | EcoSystem | 12/19/2016 |
CVE-2017-0575 | Medium | WLAN HOST | 12/19/2016 |
CVE-2017-6423 | Medium | Kernel | 12/20/2016 |
CVE-2016-5861 | Medium | Display | 12/20/2016 |
CVE-2017-6425 | Medium | Display | 12/20/2016 |
CVE-2017-0454 | Medium | Audio | 12/21/2016 |
CVE-2016-5868 | Medium | Data Network Stack & Connectivity | 12/22/2016 |
CVE-2016-10285 | Medium | Display | 12/23/2016 |
CVE-2017-0453 | Medium | WLAN HOST | 12/23/2016 |
CVE-2016-5864 | Medium | Audio | 12/27/2016 |
CVE-2017-6426 | Medium | PMIC | 1/3/2017 |
CVE-2016-10295 | Medium | PMIC | 1/10/2017 |
CVE-2016-10288 | Medium | PMIC | 1/10/2017 |
CVE-2017-7372 | Medium | Automotive Multimedia | 1/11/2017 |
CVE-2017-8237 | Medium | Data Network Stack & Connectivity | 1/12/2017 |
CVE-2017-6421 | Medium | Touch | 1/12/2017 |
CVE-2017-0465 | Medium | DSP_Services | 1/12/2017 |
CVE-2016-10287 | Medium | Audio | 1/18/2017 |
CVE-2017-7364 | Medium | Display | 1/20/2017 |
CVE-2017-0606 | Medium | Audio | 1/25/2017 |
CVE-2016-10283 | Medium | WLAN HOST | 2/3/2017 |
CVE-2017-8257 | Medium | Display | 2/7/2017 |
CVE-2017-8233 | Medium | Camera | 2/8/2017 |
CVE-2017-8258 | Medium | Camera | 2/13/2017 |
CVE-2017-0624 | Medium | WLAN HOST | 2/13/2017 |
CVE-2017-8259 | Medium | Kernel | 2/20/2017 |
CVE-2017-7369 | Medium | Audio | 2/20/2017 |
CVE-2017-8236 | Medium | Data Network Stack & Connectivity | 2/21/2017 |
CVE-2017-9720 | Medium | Camera | 5/1/2017 |
CVE-2017-9693 | Medium | WLAN HOST | 5/9/2017 |
CVE-2017-0747 | Medium | EcoSystem | 5/10/2017 |
CVE-2017-9694 | Medium | WLAN HOST | 5/10/2017 |
CVE-2017-11002 | Medium | WLAN HOST | 6/8/2017 |
CVE-2016-10291
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
Description | After extensive runs of audio playback, a Time-of-check Time-of-use (TOCTOU) Race Condition may occur leading to a system fault. |
Technology Area | Buses |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 3/8/2016 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c2b026dcd498c93a789b6b84dbe9a73c4a9d8135 |
CVE-2017-0457
Title: | Integer Overflow to Buffer Overflow in Multimedia |
Description | In an IOCTL handler, a buffer overflow may potentially occur. |
Technology Area | DSP_Services |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/4/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=6f1a57c91f15ed0ce19bbc1776b0953c63f7bd7b |
CVE-2017-0518
Title: | Untrusted Pointer Dereference in Core |
Description | In a biometric driver, userspace can manipulate a handle structure to cause the driver to write to arbitrary memory. Note that the patch addresses CVE-2017-0519 as well. |
Technology Area | Biometrics |
Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/7/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=f032ee5a85944f93ccc6dfcc09dbd950ef5b8947 |
CVE-2017-0519
Title: | Untrusted Pointer Dereference in Core |
Description | In a biometric driver, userspace can manipulate a handle structure to cause the driver to write to arbitrary memory. Note that the patch addresses CVE-2017-0518 as well. |
Technology Area | Biometrics |
Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/7/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=f032ee5a85944f93ccc6dfcc09dbd950ef5b8947 |
CVE-2017-0531
Title: | Untrusted Pointer Dereference in Audio |
Description | In several ioctl handlers in an audio driver, an untrusted pointer dereference may potentially occur. |
Technology Area | Audio |
Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/8/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d342da7d820af9c7c0b0b8049adb53beb713e0f0 |
CVE-2017-0459
Title: | Improper Input Validation in Data |
Description | In an IPA IOCTL handler, an index value coming from userspace may not be properly validated. |
Technology Area | Data HLOS – LNX |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/18/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=ffacf6e2dc41b6063c3564791ed7a2f903e7e3b7 |
CVE-2017-0439
Title: | Out-of-bounds write in wifi driver function hdd_extscan_passpoint_fill_network_list |
Description | Currently, when processing a passpoint vendor command, the “num networks” attribute is limit-checked and, if it exceeds a MAX value, the command is rejected. Otherwise this value is used to calculate the size of the buffer allocated to hold the internal representation of the request. However, later, when the network attributes are parsed, there is no check that the number of networks processed does not exceed the “num networks” value used to allocate memory, and as a result a buffer overflow can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/18/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/qcacld-3.0.git;a=commit;h=ff866a1e9a0f653252b5d5b7eb087374c5bad65d |
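The CVE-2017-0439 description above is a count-versus-allocation mismatch: the declared count is range-checked and sizes the allocation, but the loop that fills the allocation is not bounded by that same count. The C program below is an added, user-space illustration of that pattern and of the check that closes it; it is not code from the qcacld driver or the linked patch. The record layout, the MAX_NETWORKS value and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound; stands in for the driver's MAX value, not its real constant. */
#define MAX_NETWORKS 8

/* Constructed record layout (illustrative, not the vendor-command encoding):
 * byte 0: declared number of networks
 * then, per network, a 3-byte record: flags, ssid_id (little-endian u16). */
#define HDR_LEN 1
#define REC_LEN 3

struct network {
    uint8_t flags;
    uint16_t ssid_id;
};

struct request {
    uint8_t num_networks;     /* the count the array was allocated for */
    struct network *networks; /* num_networks entries */
};

enum parse_status {
    PARSE_ERR_TRUNC = -1,  /* buffer does not hold whole records */
    PARSE_ERR_LIMIT = -2,  /* declared count exceeds MAX_NETWORKS */
    PARSE_ERR_COUNT = -3,  /* more records present than declared */
    PARSE_ERR_NOMEM = -4,  /* allocation failed */
};

/* Number of complete network records that follow the header. */
static size_t count_records(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN)
        return 0;
    return (len - HDR_LEN) / REC_LEN;
}

/* Models the original defect without performing the out-of-bounds write:
 * an unchecked loop would store every record it finds into an array sized
 * from the declared count. Returns 1 when that would run past the allocation. */
int unchecked_loop_would_overflow(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN)
        return 0;
    return count_records(buf, len) > buf[0];
}

/* Hardened parser: the number of records is compared against the count that
 * sized the allocation before anything is stored, so the loop index can never
 * exceed it. Returns the number of networks stored, or a negative parse_status. */
int parse_request(const uint8_t *buf, size_t len, struct request *req)
{
    size_t i, nrec, off;

    if (len < HDR_LEN)
        return PARSE_ERR_TRUNC;
    req->num_networks = buf[0];
    if (req->num_networks > MAX_NETWORKS)
        return PARSE_ERR_LIMIT;              /* the check the driver already had */
    if ((len - HDR_LEN) % REC_LEN != 0)
        return PARSE_ERR_TRUNC;
    nrec = count_records(buf, len);
    if (nrec > req->num_networks)
        return PARSE_ERR_COUNT;              /* the check the driver lacked */

    req->networks = calloc(req->num_networks ? req->num_networks : 1,
                           sizeof(*req->networks));
    if (!req->networks)
        return PARSE_ERR_NOMEM;
    for (i = 0, off = HDR_LEN; i < nrec; i++, off += REC_LEN) {
        req->networks[i].flags = buf[off];
        req->networks[i].ssid_id = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
    }
    return (int)nrec;
}

void free_request(struct request *req)
{
    free(req->networks);
    req->networks = NULL;
    req->num_networks = 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed request, and one with four records
     * behind a header that declares (and allocates for) only two. */
    static const uint8_t good[] = { 2, 0x01, 0x34, 0x12, 0x00, 0x78, 0x56 };
    static const uint8_t bad[]  = { 2, 0x01, 0x34, 0x12, 0x00, 0x78, 0x56,
                                       0x01, 0xaa, 0xbb, 0x00, 0xcc, 0xdd };
    struct request req = { 0 };
    int n = parse_request(good, sizeof good, &req);
    printf("good: stored %d networks\n", n);
    free_request(&req);
    n = parse_request(bad, sizeof bad, &req);
    printf("bad: status %d, unchecked loop would overflow: %d\n",
           n, unchecked_loop_would_overflow(bad, sizeof bad));
    return 0;
}
```

The point of the design is that the same variable gates both the allocation and the fill loop; a count that is validated once and then ignored by the consumer of the allocation is exactly the CWE-129 shape this entry describes.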
CVE-2016-5854
Title: | Information Exposure in Secure Processor |
Description | In a driver, kernel heap memory can be exposed to userspace. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/21/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=28d23d4d7999f683b27b6e0c489635265b67a4c9 |
CVE-2016-10276
Title: | Improper Authentication in Boot |
Description | A boot.img without proper signature can be booted. |
Technology Area | Boot |
Vulnerability Type | CWE-287 Improper Authentication |
Access Vector | Local |
Security Rating | Critical |
Date Reported | 11/24/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/lk.git;a=commit;h=5dac431748027e8b50a5c4079967def4ea53ad64 |
CVE-2016-5857
Title: | Integer Overflow to Buffer Overflow in Core |
Description | In one SPCOM command handler, the lack of a size check can potentially lead to an out of bounds access. In another handler, a buffer size calculation is potentially vulnerable to an integer overflow leading to an arbitrary write. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/24/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5 |
CVE-2016-5855
Title: | Buffer Over-read in Secure Processor |
Description | In a driver, a user-supplied buffer is cast to a structure without checking whether the source buffer is large enough. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/24/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a5edb54e93ba85719091fe2bc426d75fa7059834 |
CVE-2017-8273
Title: | Buffer overflow in Bootloader |
Description | While processing a fastboot boot command with the verified boot feature disabled, a length greater than the boot image buffer can cause a buffer overflow. |
Technology Area | Boot |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/25/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/lk.git;a=commit;h=dfe6691ba301c769179cabab12d74d4e952462b9 |
CVE-2016-5867
Title: | Buffer Copy without Checking Size of Input in Audio |
Description | In a sound driver, some variables are from userspace and values can be chosen that could result in stack overflow. |
Technology Area | Audio |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/1/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=065360da7147003aed8f59782b7652d565f56be5 |
CVE-2017-0516
Title: | Improper Validation of Array Index in Multimedia |
Description | In an ioctl command handler, a write to kernel memory is possible. |
Technology Area | Touch |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/1/2016 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0dba52cf7955306c71fb76d16437d848c953e462 |
CVE-2016-5859
Title: | Integer Overflow to Buffer Overflow in Audio |
Description | In a sound driver, if a function is called with a very large length, an integer overflow could occur followed by a buffer overflow. |
Technology Area | Audio |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/2/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=97fdb441a9fb330a76245e473bc1a2155c809ebe |
CVE-2016-5858
Title: | Improper Validation of Array Index in Audio |
Description | In an ioctl handler, if a user supplies a value that is too large, an out-of-bounds read occurs. |
Technology Area | Audio |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/2/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=3154eb1d263b9c3eab2c9fa8ebe498390bf5d711 |
CVE-2017-0523
Title: | Improper Input Validation in WIGIG |
Description | The Wi-Gig driver exposes an ioctl that contains an arbitrary kernel memory read/write primitive, which can be used to leak or corrupt kernel memory from user space. |
Technology Area | WIGIG HOST |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | High |
Date Reported | 12/2/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2c7b4349b858398caf0ae146e87554c3502d20a5 |
CVE-2017-0521
Title: | Integer Overflow to Buffer Overflow in Camera |
Description | Due to an integer overflow, the bounds check in a camera IOCTL handler may pass, resulting in out-of-bounds memory access. |
Technology Area | Camera |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | 12/6/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=77c4aba67d89ba4055b7c9bd417f49593cba497b |
CVE-2017-0525
Title: | Use after free vulnerability during IPA routing commit logic |
Description | While processing IOCTL for IPA routing, there is no protection against multiple IPA header deletions from user application. If user application deletes header multiple times and that header is being used by a routing rule, a use after free occurs. |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/6/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=a6a6e4993aca80b7cddab8752f7d8636eb45a8c5 |
CVE-2017-0608
Title: | Improper Validation of Array Index in Audio |
Description | Because several global variables can be set arbitrarily by userspace, a buffer overflow could potentially occur. |
Technology Area | Audio |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/7/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=167a094eac4383809dd703d96fb88c406dd8786b |
CVE-2017-0622
Title: | Buffer Copy without Checking Size of Input in Multimedia |
Description | When the Goodix tool read callback is called after a failed write call, a global structure is not cleared. |
Technology Area | Touch |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | 12/7/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2881d2bbc26ff321fd9e717ad6f968aebd277d22 |
CVE-2017-0460
Title: | Out of memory and out of bounds vulnerability while handling netlink messages |
Description | While receiving netlink messages from userspace, an out of memory situation could occur if the incoming netlink message has its pid field set to 0. Similarly, while receiving netlink messages from userspace an out of bounds vulnerability could occur since boundaries on incoming data were not properly checked. |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/8/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=93dd37c412dbadff9d5b1b6f7b317713192cab2b |
CVE-2017-0456
Title: | Buffer Copy without Checking Size of Input in Data |
Description | While IPA driver processes IOCTL from user space applications to add routing or filtering rules, a buffer overflow may potentially occur. |
Technology Area | Data HLOS – LNX |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/9/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=dfb170e243a3082a668f77ec0190af2c2bed9161 |
CVE-2016-5862
Title: | Untrusted Pointer Dereference in Audio |
Description | When a codec-related control is issued from userspace, the type cast is made to the container structure instead of the codec’s individual structure, resulting in a kernel crash and a device restart. |
Technology Area | Audio |
Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/9/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=4199451e83729a3add781eeafaee32994ff65b04 |
CVE-2017-0461
Title: | Buffer Over-read in WLAN |
Description | In WLAN, an array out-of-bounds access and an integer underflow may potentially occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/12/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/qcacld-2.0.git;a=commit;h=948b0ce846c7ef643b0dc6702b80547aafe1a409 |
CVE-2016-5860
Title: | Integer Overflow to Buffer Overflow in Audio |
Description | In an audio driver, if a function is called with a very large length, an integer overflow could occur followed by a heap buffer overflow. |
Technology Area | Audio |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/13/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=9f91ae0d7203714fc39ae78e1f1c4fd71ed40498 |
CVE-2016-5347
Title: | Information Exposure in Audio |
Description | Kernel stack data can be leaked to userspace by an audio driver. |
Technology Area | Audio |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/13/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=f14390f13e62460fc6b05fc0acde0e825374fdb6 |
CVE-2017-0463
Title: | Use After Free in Core |
Description | While performing an ioctl operation from user-space repeatedly, a race condition exists potentially leading to privilege escalation. |
Technology Area | MProc |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | 12/15/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=32c229060ca33b816c50eedc136ea2800f9974df |
CVE-2016-10293
Title: | Use of Uninitialized Variable in Display |
Description | When a sscanf failure occurs in a display function, the use of an uninitialized variable may potentially lead to a kernel information leak. |
Technology Area | Display |
Vulnerability Type | CWE-457 Use of Uninitialized Variable |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/15/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2469d5374745a2228f774adbca6fb95a79b9047f |
CVE-2017-0462
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
Description | In the Seemp Log driver, a TOCTOU race condition exists while processing data in a memory buffer that’s modified by user space. |
Technology Area | Qualcomm SnapDragon Smart Protect |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/16/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=9a71e9a686942ae3c491061ab275a3678ee2819a |
CVE-2016-10236
Title: | Information Exposure in Core |
Description | A race condition may lead to an uninitialized variable being copied to userspace. |
Technology Area | WiredConnectivity |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/16/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=b8199c2b852f1e23c988e10b8fbb8d34c98b4a1c |
CVE-2017-6424
Title: | Buffer Copy without Checking Size of Input in WLAN |
Description | In WLAN, a length parameter is user-controllable and never validated potentially leading to a buffer overflow. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/18/2016 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d8a61c5c499bdc45b13c48dba9f76fa55043a9ef |
CVE-2016-5863
Title: | Improper Validation of Array Index in USB |
Description | In an ioctl handler, several sanity checks are missing which can lead to out-of-bounds accesses. |
Technology Area | WiredConnectivity |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/19/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=daf0acd54a6a80de227baef9a06285e4aa5f8c93 |
CVE-2016-5853
Title: | Detection of Error Condition Without Action in Audio |
Description | In an audio driver, when a sanity check encounters a length value not in the correct range, an error message is printed, but code execution continues in the same way as for a correct length value. |
Technology Area | Audio |
Vulnerability Type | CWE-390 Detection of Error Condition Without Action |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/19/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a8f3b894de319718aecfc2ce9c691514696805be |
CVE-2017-10997
Title: | Improper Input Validation in Core |
Description | Using a debugfs node, a write to a PCIe register can cause corruption of kernel memory. |
Technology Area | HWEngines |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/19/2016 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=a395a070880acc679e3832b21d96504edbbe4af2 |
CVE-2017-7368
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Audio |
Description | A race condition potentially exists in the ioctl handler of a sound driver. |
Technology Area | Audio |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/19/2016 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=06935e0fffc0527ff4c0babfddf18b9dd95d2ccd |
CVE-2017-0576
Title: | Improper Input Validation in Core |
Description | In Core, an improper input validation may potentially occur. |
Technology Area | EcoSystem |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/19/2016 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=d911373c689355afea07a480b57fbb17eaa8cb9c |
CVE-2017-0575
Title: | Integer Overflow to Buffer Overflow in WLAN |
Description | In WLAN, a user-controlled parameter controls the size of a buffer allocated and is potentially vulnerable to integer overflow. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/19/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a4f790c140d9813c3af66a9b367b4568e053278a |
CVE-2017-6423
Title: | Buffer Copy without Checking Size of Input in Data |
Description | In Data, a heap buffer overflow may potentially occur. |
Technology Area | Kernel |
Vulnerability Type | CWE-284 Improper Access Control |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/20/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=0f264f812b61884390b432fdad081a3e995ba768 |
CVE-2016-5861
Title: | Buffer Copy without Checking Size of Input in Display |
Description | In a display driver, a variable controlled by userspace is used to calculate offsets and sizes for copy operations, which could result in heap overflow. |
Technology Area | Display |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/20/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=cf3c97b8b6165f13810e530068fbf94b07f1f77d |
CVE-2017-6425
Title: | Information Exposure in Display |
Description | In an IOCTL handler, a stack variable is not zero-initialized before it is copied to user space. |
Technology Area | Display |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/20/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=ef86560a21fe1f256f6ba772a195201ff202c657 |
CVE-2017-0454
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Audio |
Description | In two audio IOCTL handlers, a race condition exists that can potentially lead to a buffer overflow. |
Technology Area | Audio |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/21/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=263bb8242e005803529cb7cd785354de817db88a |
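Several entries in this bulletin are CWE-367 races of the same shape: CVE-2017-0462 describes a driver processing data in a buffer that user space can modify, and CVE-2017-0454 above describes two IOCTL handlers where such a race leads to a buffer overflow. The C program below is an added, user-space model of that hazard and of the fix pattern (copy the message into private memory once, then validate and use only the copy); it is not code from any Qualcomm driver or the linked patches. The message layout, the buffer sizes and the `racer` callback that stands in for the concurrent write are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHARED_SIZE 256u   /* constructed size of the user-visible buffer */
#define DST_SIZE     64u   /* constructed size of the driver-side destination */

/* Message layout in the shared buffer (constructed): u32 little-endian
 * payload length, followed by the payload bytes. */
uint32_t read_len(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void write_len(uint8_t *p, uint32_t len)
{
    p[0] = len & 0xff;
    p[1] = (len >> 8) & 0xff;
    p[2] = (len >> 16) & 0xff;
    p[3] = (len >> 24) & 0xff;
}

/* Defective pattern: the length is validated on one read of the shared
 * buffer and used on a second read. `racer` stands in for a concurrent
 * user-space write landing between the two. Returns the number of bytes the
 * subsequent copy into a DST_SIZE destination would use (the copy itself is
 * not performed, because that number can exceed DST_SIZE), or -1 if the
 * first check rejects the message. */
long handle_naive(uint8_t *shared, void (*racer)(uint8_t *))
{
    uint32_t len = read_len(shared);
    if (len > DST_SIZE)
        return -1;                 /* time of check */
    if (racer)
        racer(shared);             /* the buffer changes under the driver */
    len = read_len(shared);        /* time of use: re-read, no longer validated */
    return (long)len;
}

/* Hardened pattern: snapshot the message into private memory first, then
 * validate and use only the snapshot. Later changes to the shared buffer
 * cannot reach the copy. Returns bytes copied, or -1 on rejection. */
long handle_safe(uint8_t *shared, void (*racer)(uint8_t *), uint8_t *dst)
{
    uint8_t snap[SHARED_SIZE];
    uint32_t len;

    memcpy(snap, shared, sizeof snap);     /* one copy, as copy_from_user would do */
    len = read_len(snap);
    if (len > DST_SIZE)
        return -1;
    if (racer)
        racer(shared);                     /* same window, now harmless */
    memcpy(dst, snap + 4, len);            /* length comes from the snapshot */
    return (long)len;
}

/* Stand-in for the concurrent modification: grows the length field. */
void racer_grow_len(uint8_t *shared)
{
    write_len(shared, 200);
}

int main(void)
{
    uint8_t shared[SHARED_SIZE] = { 0 };
    uint8_t dst[DST_SIZE];

    write_len(shared, 16);
    memset(shared + 4, 0xab, 16);
    printf("naive handler would copy %ld bytes into a %u-byte buffer\n",
           handle_naive(shared, racer_grow_len), DST_SIZE);
    write_len(shared, 16);
    printf("safe handler copied %ld bytes\n",
           handle_safe(shared, racer_grow_len, dst));
    return 0;
}
```

The rule the hardened handler follows is that nothing read from a user-modifiable mapping is trusted twice: every field is read once into kernel-private storage, and the check and the use both operate on that private copy.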
CVE-2016-5868
Title: | Buffer Copy without Checking Size of Input in Data |
Description | If a user space application performs two or more writes to a debugfs file after a single open, a heap overflow may potentially occur. |
Technology Area | Data HLOS – LNX |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/22/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=fbb765a3f813f5cc85ddab21487fd65f24bf6a8c |
CVE-2016-10285
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Display |
Description | In a video driver, a race condition may lead to a use-after-free condition. |
Technology Area | Display |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/23/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=67dfd3a65336e0b3f55ee83d6312321dc5f2a6f9 |
CVE-2017-0453
Title: | Buffer Copy without Checking Size of Input in WLAN |
Description | In WLAN, a stack overflow vulnerability may potentially occur while processing a configuration request. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/23/2016 |
Customer Notified Date | 2/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/qcacld-3.0.git;a=commit;h=a2959858f428acfca3ca4c61d3c10b446bfe9b60 |
CVE-2016-5864
Title: | Integer Overflow to Buffer Overflow in Audio |
Description | In an audio driver function, some parameters are from userspace, and if they are set to a large value, integer overflow is possible followed by buffer overflow. In another function, a missing check for a lower bound may result in an out of bounds memory access. |
Technology Area | Audio |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/27/2016 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=cbc21ceb69cb7bca0643423a7ca982abce3ce50a |
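The CWE-680 entries in this bulletin (CVE-2016-5857, CVE-2016-5859, CVE-2016-5860, CVE-2017-0521 and CVE-2016-5864 above) all describe a size or bounds check defeated by wrapping arithmetic, and the second half of CVE-2016-5864 describes a missing lower-bound check. The C program below is an added, user-space illustration of those three defect patterns next to their overflow-proof forms; it is not code from any Qualcomm driver or the linked patches. DST_SIZE and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed destination size, standing in for a driver-owned buffer. */
#define DST_SIZE 64u

/* Defective pattern: offset + len is computed in 32-bit arithmetic, so a
 * large len wraps the sum and the comparison passes. Returns 1 when the
 * check passes. */
int bounds_check_naive(uint32_t offset, uint32_t len, uint32_t size)
{
    return offset + len <= size;
}

/* Overflow-proof form: bound the offset first, then compare len against the
 * remaining room. Neither operation can wrap. */
int bounds_check_safe(uint32_t offset, uint32_t len, uint32_t size)
{
    if (offset > size)
        return 0;
    return len <= size - offset;
}

/* Defective lower-bound pattern: a signed index checked only against the
 * upper limit lets negative values through. */
int index_check_naive(int32_t idx, int32_t limit)
{
    return idx < limit;
}

/* Both bounds checked. */
int index_check_safe(int32_t idx, int32_t limit)
{
    return idx >= 0 && idx < limit;
}

/* Allocation-size arithmetic: count * elem_size must not wrap before it is
 * handed to the allocator. Returns 1 and sets *out on success, 0 on overflow. */
int size_mul_checked(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Copies len bytes from src to dst + offset only after the safe check.
 * Returns bytes copied, or -1 if the request was rejected. */
long copy_at_offset(uint8_t *dst, uint32_t dst_size, uint32_t offset,
                    const uint8_t *src, uint32_t len)
{
    if (!bounds_check_safe(offset, len, dst_size))
        return -1;
    memcpy(dst + offset, src, len);
    return (long)len;
}

int main(void)
{
    /* Constructed request: offset 16 with a len chosen so offset + len wraps to 7. */
    uint32_t offset = 16, len = UINT32_MAX - 8;
    size_t bytes;

    printf("naive check passes: %d\n", bounds_check_naive(offset, len, DST_SIZE));
    printf("safe check passes:  %d\n", bounds_check_safe(offset, len, DST_SIZE));
    printf("index -1 against limit 8, naive: %d safe: %d\n",
           index_check_naive(-1, 8), index_check_safe(-1, 8));
    printf("1000000 * 65536 fits in size_t: %d\n",
           size_mul_checked(1000000, 65536, &bytes));
    return 0;
}
```

The common thread is to arrange every comparison so that no intermediate value can wrap: subtract from the known-good side (`size - offset`) rather than adding untrusted values together, divide before multiplying, and check signed inputs at both ends of the range.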
CVE-2017-6426
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
Description | There is a possible race condition when debugfs files are concurrently accessed by multiple threads. |
Technology Area | PMIC |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/3/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=80decd6365deec08c35ecb902a58f9210599b39a |
CVE-2016-10295
Title: | Possible kernel information leak in QPNP Flash LED driver debugfs function |
Description | There is a possible race condition when debugfs files are concurrently accessed by multiple threads; a shared file pointer may lead to improper data retrieval and hence a possible kernel data leak. |
Technology Area | PMIC |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/10/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=f11ae3df500bc2a093ddffee6ea40da859de0fa9 |
CVE-2016-10288
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
Description | There is a race condition that may result in a use-after-free, where two threads can open and close the same file. A second open causes the private data of the first file to be overwritten. When the first file is closed and its private data is freed, the now-shared private data becomes out of bounds for the second thread; when that thread tries to free it, an out-of-bounds write occurs. |
Technology Area | PMIC |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/10/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=db2cdc95204bc404f03613d5dd7002251fb33660 |
CVE-2017-7372
Title: | Time-of-check Time-of-use (TOCTOU) Race Condition in Video |
Description | A race condition exists in a video driver, potentially leading to a buffer overflow or a write to an arbitrary pointer location. |
Technology Area | Automotive Multimedia |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/11/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=1806be003731d6d4be55e5b940d14ab772839e13 |
CVE-2017-8237
Title: | Buffer Copy without Checking Size of Input in IPA |
Description | A buffer overflow vulnerability exists while loading a firmware image. |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/12/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=342d16ac6fb01e304ec75344c693257e00628ecf |
CVE-2017-6421
Title: | Buffer Copy without Checking Size of Input in Touch |
Description | In the touch controller function, a variable may be controlled by the user and can lead to a buffer overflow. |
Technology Area | Touch |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/12/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=be42c7ff1f0396484882451fd18f47144c8f1b6b |
CVE-2017-0465
Title: | Integer Overflow or Wraparound in Multimedia |
Description | In an IOCTL handler, if a buffer size is passed that is too large to be represented in 32 bits, an integer overflow may potentially occur. |
Technology Area | DSP_Services |
Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/12/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=3823f0f8d0bbbbd675a42a54691f4051b3c7e544 |
CVE-2016-10287
Title: | Use After Free in Audio |
Description | During the creation process, the calibration block being created is added to a list of current calibration blocks. If the creation process fails after this point, the calibration block is never removed from the list, but its memory is freed. Later, when the list is used and the calibration blocks within it are iterated over, a use after free occurs. |
Technology Area | Audio |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/18/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=937bc9e644180e258c68662095861803f7ba4ded |
CVE-2017-7364
Title: | Use After Free in Video |
Description | In function __mdss_fb_copy_destscaler_data(), the variable ds_data[i].scale may still point to a user-provided address (which could be an arbitrary kernel address), so on an error condition this user-provided address is freed (arbitrary free), and continued operation could result in a use-after-free condition. |
Technology Area | Display |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/20/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=3ce6c47d2142fcd2c4c1181afe08630aaae5a267 |
CVE-2017-0606
Title: | Double Free in Audio |
Description | In an audio function, there is a race condition that can lead to a double free. |
Technology Area | Audio |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/25/2017 |
Customer Notified Date | 3/14/2017 |
Patch | · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d3237316314c3d6f75a58192971f66e3822cd250 |
CVE-2016-10283
Title: | Stack overflow in wifi driver function __wlan_hdd_change_station |
Description | A user can supply more than 32 operation classes through the HDD change station command. This results in a stack overflow during the memory copy, as the maximum number of supported channels is 32. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/3/2017 |
Customer Notified Date | 4/11/2017 |
Patch | · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=d60a5839ba987e2c9d365fef950cae0c9ad11010 |
CVE-2017-8257
Title: | Use After Free in Display |
Description | When accessing the sde_rotator debug interface for register reading with multiple processes, one process can free the debug buffer while another process still has the debug buffer in use. |
Technology Area | Display |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/7/2017 |
Customer Notified Date | 4/11/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=0f19fbd00c6679bbc524f7a6d0fc3d54cfd1c9ae |
CVE-2017-8233
Title: | Improper Validation of Array Index in Camera |
Description | In a camera driver function, a bounds check is missing when writing into an array potentially leading to an out-of-bounds heap write. |
Technology Area | Camera |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/8/2017 |
Customer Notified Date | 4/11/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=8b0cb658b568e4b160a5b57fb3cef0063aff56d9 |
CVE-2017-8258
Title: | Buffer overflow in Camera |
Description | An array out-of-bounds access can potentially occur in a camera driver. |
Technology Area | Camera |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/13/2017 |
Customer Notified Date | 4/11/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=31e2a2f0f2f3615cefd4400c707709bbc3e26170 |
CVE-2017-0624
Title: | Use After Free in WLAN |
Description | In WLAN, a variable is shared between threads without locks, so one thread may free it when it is still being referenced by another thread. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/13/2017 |
Customer Notified Date | 4/11/2017 |
Patch | · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0ac5f6f2f221efb93fc0ddb1fec6487c76d95acd |
CVE-2017-8259
Title: | Buffer overflow vulnerability in kernel service locator module |
Description | In the service locator, a buffer overflow can occur because the variable that is set to determine the size of the buffer is not actually used to indicate the size of the buffer. |
Technology Area | Kernel |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/20/2017 |
Customer Notified Date | 4/11/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=68020103af00280393da10039b968c95d68e526c |
CVE-2017-7369
Title: | Improper Validation of Array Index in ALSA |
Description | An array index in an ALSA routine is not properly validated, potentially leading to kernel stack corruption. |
Technology Area | Audio |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/20/2017 |
Customer Notified Date | 4/11/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=05f4374845738d2146075e77d9139e60a558de18 |
CVE-2017-8236
Title: | Buffer Copy without Checking Size of Input in IPA |
Description | A buffer overflow vulnerability exists in an IPA driver. |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/21/2017 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=15bb605fac8167ffaf86453f71a987d79218ed6d |
CVE-2017-9720
Title: | Improper Input Validation in Camera |
Description | Due to an off-by-one error in a camera driver, an out-of-bounds read/write can occur. |
Technology Area | Camera |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/1/2017 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=737f415a5c637802786ec6d36288220cb4d3ae4d |
CVE-2017-9693
Title: | Buffer Copy without Checking Size of Input in WLAN |
Description | In a WLAN command, the length of an attribute value is not properly validated, potentially leading to a buffer overflow. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/9/2017 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=05a5abb21e4d97001f77d344444a3ec2f9c275f9 |
CVE-2017-0747
Title: | Buffer Copy without Checking Size of Input in Core |
Description | While performing SHA operations with a digest buffer length that is out of range, a buffer overflow occurs. |
Technology Area | EcoSystem |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/10/2017 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c0021edb9ee6b2a37322cd6cf6ebdf160d09b8d7 |
CVE-2017-9694
Title: | Improper Input Validation in WLAN |
Description | While parsing Netlink attributes, a buffer overread could occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/10/2017 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef |
CVE-2017-11002
Title: | Buffer Over-read in WLAN |
Description | While processing a vendor sub-command, a buffer over-read can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 6/8/2017 |
Customer Notified Date | 8/7/2017 |
Patch | · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=64c0865bb0c5a642ba420967b23e0f66e035b300 |
Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:
· Consideration of security protections, such as SELinux, that are not enforced on some platforms
· Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
Version | Date | Comments |
1.0 | October 13th, 2017 | Bulletin Published |
1.1 | March 28th, 2018 | Removed duplicated CVE and clarified comments for CVE-2017-0457 |
1.2 | April 1st, 2019 | Updated Title and Description for CVE-2017-8259 |