October 2017 Code Aurora Security Bulletin

Posted October 20, 2017; last revised April 1st, 2019.

October 2017 Security Bulletin

Version 1.2

Published: 10/20/2017

This document describes security vulnerabilities that were addressed through software changes up to September 2017. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link. Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-8257 Gengjia Chen (@chengjia4574) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd
CVE-2016-10291, CVE-2017-0439, CVE-2017-0453, CVE-2017-0454, CVE-2017-0456, CVE-2017-0457, CVE-2017-0459, CVE-2017-0460, CVE-2017-0461, CVE-2017-0462, CVE-2017-0516, CVE-2017-0576, CVE-2017-0747, CVE-2017-10997, CVE-2017-11002, CVE-2017-6424, CVE-2017-7368, CVE-2017-8236, CVE-2017-8259, CVE-2017-9693, CVE-2017-9694, CVE-2017-9720 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2016-10285, CVE-2016-5864 Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360.
CVE-2016-5863, CVE-2017-6421 Gengjia Chen (chengjia4574)
CVE-2016-5854, CVE-2016-5855, CVE-2016-5857, CVE-2016-5861 Scott Bauer
CVE-2016-5347, CVE-2016-5853, CVE-2016-5858, CVE-2016-5859, CVE-2016-5860, CVE-2016-5862, CVE-2016-5867 Seven Shen from Trend Micro Mobile Threat Research Team
CVE-2016-5868 Yonggang Guo, Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2017-8258 Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd

Table of vulnerabilities

Public ID       Security Rating  Technology Area                    Date Reported
CVE-2016-10291  Medium           Buses                              3/8/2016
CVE-2017-0457   Medium           DSP_Services                       11/4/2016
CVE-2017-0518   High             Biometrics                         11/7/2016
CVE-2017-0519   High             Biometrics                         11/7/2016
CVE-2017-0531   High             Audio                              11/8/2016
CVE-2017-0459   Medium           Data Network Stack & Connectivity  11/18/2016
CVE-2017-0439   Medium           WLAN HOST                          11/18/2016
CVE-2016-5854   Medium           Trusted Execution Environment      11/21/2016
CVE-2016-10276  Critical         Boot                               11/24/2016
CVE-2016-5857   Medium           Trusted Execution Environment      11/24/2016
CVE-2016-5855   Medium           Trusted Execution Environment      11/24/2016
CVE-2017-8273   High             Boot                               11/25/2016
CVE-2016-5867   Medium           Audio                              12/1/2016
CVE-2017-0516   Medium           Touch                              12/1/2016
CVE-2016-5859   Medium           Audio                              12/2/2016
CVE-2016-5858   Medium           Audio                              12/2/2016
CVE-2017-0523   High             WIGIG HOST                         12/2/2016
CVE-2017-0521   High             Camera                             12/6/2016
CVE-2017-0525   Medium           Data Network Stack & Connectivity  12/6/2016
CVE-2017-0608   Medium           Audio                              12/7/2016
CVE-2017-0622   High             Touch                              12/7/2016
CVE-2017-0460   Medium           Data Network Stack & Connectivity  12/8/2016
CVE-2017-0456   Medium           Data Network Stack & Connectivity  12/9/2016
CVE-2016-5862   Medium           Audio                              12/9/2016
CVE-2017-0461   Medium           WLAN HOST                          12/12/2016
CVE-2016-5860   Medium           Audio                              12/13/2016
CVE-2016-5347   Medium           Audio                              12/13/2016
CVE-2017-0463   High             MProc                              12/15/2016
CVE-2016-10293  Medium           Display                            12/15/2016
CVE-2017-0462   Medium           Qualcomm SnapDragon Smart Protect  12/16/2016
CVE-2016-10236  Medium           WiredConnectivity                  12/16/2016
CVE-2017-6424   Medium           WLAN HOST                          12/18/2016
CVE-2016-5863   Medium           WiredConnectivity                  12/19/2016
CVE-2016-5853   Medium           Audio                              12/19/2016
CVE-2017-10997  Medium           HWEngines                          12/19/2016
CVE-2017-7368   Medium           Audio                              12/19/2016
CVE-2017-0576   Medium           EcoSystem                          12/19/2016
CVE-2017-0575   Medium           WLAN HOST                          12/19/2016
CVE-2017-6423   Medium           Kernel                             12/20/2016
CVE-2016-5861   Medium           Display                            12/20/2016
CVE-2017-6425   Medium           Display                            12/20/2016
CVE-2017-0454   Medium           Audio                              12/21/2016
CVE-2016-5868   Medium           Data Network Stack & Connectivity  12/22/2016
CVE-2016-10285  Medium           Display                            12/23/2016
CVE-2017-0453   Medium           WLAN HOST                          12/23/2016
CVE-2016-5864   Medium           Audio                              12/27/2016
CVE-2017-6426   Medium           PMIC                               1/3/2017
CVE-2016-10295  Medium           PMIC                               1/10/2017
CVE-2016-10288  Medium           PMIC                               1/10/2017
CVE-2017-7372   Medium           Automotive Multimedia              1/11/2017
CVE-2017-8237   Medium           Data Network Stack & Connectivity  1/12/2017
CVE-2017-6421   Medium           Touch                              1/12/2017
CVE-2017-0465   Medium           DSP_Services                       1/12/2017
CVE-2016-10287  Medium           Audio                              1/18/2017
CVE-2017-7364   Medium           Display                            1/20/2017
CVE-2017-0606   Medium           Audio                              1/25/2017
CVE-2016-10283  Medium           WLAN HOST                          2/3/2017
CVE-2017-8257   Medium           Display                            2/7/2017
CVE-2017-8233   Medium           Camera                             2/8/2017
CVE-2017-8258   Medium           Camera                             2/13/2017
CVE-2017-0624   Medium           WLAN HOST                          2/13/2017
CVE-2017-8259   Medium           Kernel                             2/20/2017
CVE-2017-7369   Medium           Audio                              2/20/2017
CVE-2017-8236   Medium           Data Network Stack & Connectivity  2/21/2017
CVE-2017-9720   Medium           Camera                             5/1/2017
CVE-2017-9693   Medium           WLAN HOST                          5/9/2017
CVE-2017-0747   Medium           EcoSystem                          5/10/2017
CVE-2017-9694   Medium           WLAN HOST                          5/10/2017
CVE-2017-11002  Medium           WLAN HOST                          6/8/2017

CVE-2016-10291

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description After extensive runs of audio playback, a Time-of-check Time-of-use (TOCTOU) Race Condition may occur leading to a system fault.
Technology Area Buses
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 3/8/2016
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c2b026dcd498c93a789b6b84dbe9a73c4a9d8135

CVE-2017-0457

Title: Integer Overflow to Buffer Overflow in Multimedia
Description In an IOCTL handler, a buffer overflow may potentially occur.
Technology Area DSP_Services
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 11/4/2016
Customer Notified Date 2/14/2017
Patch · https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=6f1a57c91f15ed0ce19bbc1776b0953c63f7bd7b

CVE-2017-0518

Title: Untrusted Pointer Dereference in Core
Description In a biometric driver, userspace can manipulate a handle structure to cause the driver to write to arbitrary memory. Note that the patch addresses CVE-2017-0519 as well.
Technology Area Biometrics
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating High
Date Reported 11/7/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=f032ee5a85944f93ccc6dfcc09dbd950ef5b8947

CVE-2017-0519

Title: Untrusted Pointer Dereference in Core
Description In a biometric driver, userspace can manipulate a handle structure to cause the driver to write to arbitrary memory. Note that the patch addresses CVE-2017-0518 as well.
Technology Area Biometrics
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating High
Date Reported 11/7/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=f032ee5a85944f93ccc6dfcc09dbd950ef5b8947

CVE-2017-0531

Title: Untrusted Pointer Dereference in Audio
Description In several ioctl handlers in an audio driver, an untrusted pointer dereference may potentially occur.
Technology Area Audio
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating High
Date Reported 11/8/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d342da7d820af9c7c0b0b8049adb53beb713e0f0
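CVE-2017-0518, CVE-2017-0519 and CVE-2017-0531 are all the same class of bug: an ioctl argument carries a pointer (or a structure containing one) that the driver dereferences as if it were its own. The example below is added here and is not code from the CAF drivers; the session object, the table and the ABI names are assumptions for the illustration. It shows the vulnerable shape, where the field store through a caller-supplied pointer is a write-what-where primitive, next to the usual fix: userspace names the object by an opaque index, and the driver resolves that index against a kernel-owned table and checks ownership before touching anything.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a biometric driver's per-client session object.
 * Names and layout are this example's, not the CAF driver's. */
struct fp_session {
    uint32_t owner_uid;
    uint32_t state;
};

#define MAX_SESSIONS 4
static struct fp_session sessions[MAX_SESSIONS];   /* kernel-owned table */
static int session_used[MAX_SESSIONS];

static void fp_reset(void)
{
    memset(sessions, 0, sizeof sessions);
    memset(session_used, 0, sizeof session_used);
}

/* Allocates a session slot for uid; returns its handle (slot index) or -ENOMEM. */
static int fp_session_open(uint32_t uid)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!session_used[i]) {
            session_used[i] = 1;
            sessions[i].owner_uid = uid;
            sessions[i].state = 0;
            return i;
        }
    }
    return -ENOMEM;
}

/* Vulnerable ABI: the ioctl argument carries the kernel address of the
 * session object. Whatever userspace puts in 'sess' is dereferenced and
 * written through, so the store below is a write-what-where for the caller. */
struct fp_ioctl_v1 {
    struct fp_session *sess;
    uint32_t new_state;
};

static int fp_set_state_v1(const struct fp_ioctl_v1 *arg)
{
    arg->sess->state = arg->new_state;
    return 0;
}

/* Hardened ABI: userspace names the session by an opaque index. The driver
 * checks that the slot is live and owned by the caller before touching it. */
struct fp_ioctl_v2 {
    uint32_t handle;
    uint32_t new_state;
};

static int fp_set_state_v2(const struct fp_ioctl_v2 *arg, uint32_t caller_uid)
{
    if (arg->handle >= MAX_SESSIONS || !session_used[arg->handle])
        return -EBADF;
    struct fp_session *s = &sessions[arg->handle];
    if (s->owner_uid != caller_uid)
        return -EPERM;
    s->state = arg->new_state;
    return 0;
}

/* Entry points as userspace would hit them (argument already copied in). */
static int fp_ioctl_v1(struct fp_session *user_supplied_ptr, uint32_t st)
{
    struct fp_ioctl_v1 a = { user_supplied_ptr, st };
    return fp_set_state_v1(&a);
}

static int fp_ioctl_v2(uint32_t handle, uint32_t st, uint32_t caller_uid)
{
    struct fp_ioctl_v2 a = { handle, st };
    return fp_set_state_v2(&a, caller_uid);
}

/* The address an attacker would have recovered from an info leak. */
static struct fp_session *fp_leaked_address(int handle) { return &sessions[handle]; }
static uint32_t fp_state(int handle) { return sessions[handle].state; }

int main(void)
{
    fp_reset();
    int mine = fp_session_open(1000);          /* unprivileged caller's session */
    int root = fp_session_open(0);             /* someone else's session */
    printf("v1 from uid 1000 on root's session: %d, state now %u\n",
           fp_ioctl_v1(fp_leaked_address(root), 7), fp_state(root));
    printf("v2 from uid 1000 on root's session: %d, state still %u\n",
           fp_ioctl_v2((uint32_t)root, 9, 1000), fp_state(root));
    printf("v2 from uid 1000 on own session: %d, state now %u\n",
           fp_ioctl_v2((uint32_t)mine, 9, 1000), fp_state(mine));
    return 0;
}
```

The same table-and-index pattern is what the kernel's own fd table, ION handles and most GPU drivers use; the lookup is cheap and removes the whole class of untrusted-pointer bugs rather than validating one pointer at a time.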

CVE-2017-0459

Title: Improper Input Validation in Data
Description In an IPA IOCTL handler, an index value coming from userspace may not be properly validated.
Technology Area Data HLOS – LNX
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 11/18/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=ffacf6e2dc41b6063c3564791ed7a2f903e7e3b7

CVE-2017-0439

Title: Out-of-bounds write in wifi driver function hdd_extscan_passpoint_fill_network_list
Description Currently when processing a passpoint vendor command the “num networks” attribute is limit checked and if it exceeds a MAX value then the command is rejected. Otherwise this value is used to calculate the size of the buffer allocated to hold the internal representation of the request. However later when the network attributes are parsed there is no check to make sure the number of networks processed does not exceed the “num networks” used to allocate memory, and as a result a buffer overflow can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 11/18/2016
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/qcacld-3.0.git;a=commit;h=ff866a1e9a0f653252b5d5b7eb087374c5bad65d
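The CVE-2017-0439 description above is precise enough to reconstruct the bug shape: the declared count is range-checked and used to size the allocation, but the loop over the nested records never checks that it has not already filled the allocation. The following example is added here and is not the qcacld code; the record layout, the MAX_NETWORKS ceiling and the function names are assumptions. It counts the records that would land past the end instead of writing them, so that the vulnerable and hardened loops can be compared without corrupting the heap.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NETWORKS 8

/* Constructed stand-in for one passpoint network record (not the real
 * vendor-command attribute layout). */
struct pp_network {
    uint32_t ssid_len;
    uint8_t  ssid[32];
};

/* Internal representation, sized from the caller-supplied num_networks. */
struct pp_request {
    uint32_t num_networks;
    struct pp_network nets[];
};

/* The vendor command as the handler sees it: the declared count and the
 * nested records actually present. Userspace controls both numbers. */
struct pp_cmd {
    uint32_t num_networks;
    uint32_t num_records;
    const struct pp_network *records;
};

/* Shared body for both variants. Returns the number of records stored or a
 * negative errno. 'overrun' counts records the unbounded loop would have
 * written past the allocation (the example counts them instead of writing). */
static int pp_parse(const struct pp_cmd *cmd, int bounded, uint32_t *overrun)
{
    *overrun = 0;
    /* The limit check that already existed: it rejects absurd counts but says
     * nothing about how many nested records follow. */
    if (cmd->num_networks == 0 || cmd->num_networks > MAX_NETWORKS)
        return -EINVAL;

    size_t sz = sizeof(struct pp_request) +
                (size_t)cmd->num_networks * sizeof(struct pp_network);
    struct pp_request *req = calloc(1, sz);
    if (!req)
        return -ENOMEM;

    uint32_t i = 0;
    for (uint32_t r = 0; r < cmd->num_records; r++) {
        if (i >= cmd->num_networks) {
            if (bounded) {          /* hardened: more records than declared */
                free(req);
                return -EINVAL;
            }
            (*overrun)++;           /* vulnerable: req->nets[i] is past the end */
            i++;
            continue;
        }
        req->nets[i++] = cmd->records[r];
    }
    req->num_networks = i;
    free(req);
    return (int)i;
}

/* Builds a command declaring 'declared' networks and carrying 'present'
 * nested records (constructed input, capped at 16 records). */
static struct pp_cmd pp_make_cmd(uint32_t declared, uint32_t present)
{
    static struct pp_network recs[16];
    for (uint32_t i = 0; i < 16; i++) {
        recs[i].ssid_len = 4;
        memcpy(recs[i].ssid, "test", 4);
    }
    if (present > 16)
        present = 16;
    struct pp_cmd c = { declared, present, recs };
    return c;
}

/* Result of parsing with the vulnerable (hardened = 0) or fixed loop. */
static int pp_stored(uint32_t declared, uint32_t present, int hardened)
{
    struct pp_cmd c = pp_make_cmd(declared, present);
    uint32_t o;
    return pp_parse(&c, hardened, &o);
}

/* How many records the vulnerable loop would write past the allocation. */
static uint32_t pp_overrun(uint32_t declared, uint32_t present)
{
    struct pp_cmd c = pp_make_cmd(declared, present);
    uint32_t o;
    pp_parse(&c, 0, &o);
    return o;
}

int main(void)
{
    printf("declared 1, present 3: vulnerable stores %d (%u past end), hardened %d\n",
           pp_stored(1, 3, 0), pp_overrun(1, 3), pp_stored(1, 3, 1));
    printf("declared 3, present 3: vulnerable %d, hardened %d\n",
           pp_stored(3, 3, 0), pp_stored(3, 3, 1));
    return 0;
}
```

Whether the fix rejects the command or silently stops at the declared count is a policy choice; rejecting is the safer default because a count mismatch is never a well-formed request. The general rule for any netlink or TLV parser is that the value that sized the allocation must also bound the loop that fills it.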

CVE-2016-5854

Title: Information Exposure in Secure Processor
Description In a driver, kernel heap memory can be exposed to userspace.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 11/21/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=28d23d4d7999f683b27b6e0c489635265b67a4c9

CVE-2016-10276

Title: Improper Authentication in Boot
Description A boot.img without proper signature can be booted.
Technology Area Boot
Vulnerability Type CWE-287 Improper Authentication
Access Vector Local
Security Rating Critical
Date Reported 11/24/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/lk.git;a=commit;h=5dac431748027e8b50a5c4079967def4ea53ad64

CVE-2016-5857

Title: Integer Overflow to Buffer Overflow in Core
Description In one SPCOM command handler, the lack of a size check can potentially lead to an out of bounds access. In another handler, a buffer size calculation is potentially vulnerable to an integer overflow leading to an arbitrary write.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 11/24/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5

CVE-2016-5855

Title: Buffer Over-read in Secure Processor
Description In a driver, a user-supplied buffer is casted to a structure without checking if the source buffer is large enough.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 11/24/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a5edb54e93ba85719091fe2bc426d75fa7059834

CVE-2017-8273

Title: Buffer overflow in Bootloader
Description While processing the fastboot boot command with the verified boot feature disabled, an image whose length is greater than the boot image buffer can cause a buffer overflow.
Technology Area Boot
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 11/25/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/lk.git;a=commit;h=dfe6691ba301c769179cabab12d74d4e952462b9
· https://www.codeaurora.org/gitweb/quic/la/?p=kernel/lk.git;a=commit;h=30d94c33dec0ffedc875d7853635a9773921320a

CVE-2016-5867

Title: Buffer Copy without Checking Size of Input in Audio
Description In a sound driver, some variables are from userspace and values can be chosen that could result in stack overflow.
Technology Area Audio
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/1/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=065360da7147003aed8f59782b7652d565f56be5

CVE-2017-0516

Title: Improper Validation of Array Index in Multimedia
Description In an ioctl command handler, a write to kernel memory is possible.
Technology Area Touch
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 12/1/2016
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0dba52cf7955306c71fb76d16437d848c953e462

CVE-2016-5859

Title: Integer Overflow to Buffer Overflow in Audio
Description In a sound driver, if a function is called with a very large length, an integer overflow could occur followed by a buffer overflow.
Technology Area Audio
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 12/2/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=97fdb441a9fb330a76245e473bc1a2155c809ebe

CVE-2016-5858

Title: Improper Validation of Array Index in Audio
Description In an ioctl handler, if a user supplies a value too large, an out-of-bounds read occurs.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 12/2/2016
Customer Notified Date 2/14/2017
Patch · https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=3154eb1d263b9c3eab2c9fa8ebe498390bf5d711
· https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=3bfe5a89916f7d29492e9f6d941d108b688cb804
· https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=afc5bea71bc8f251dad1104568383019f4923af6

CVE-2017-0523

Title: Improper Input Validation in WIGIG
Description The Wi-Gig driver exposes an ioctl that contains an arbitrary kernel memory read/write primitive, which can be used to leak or corrupt kernel memory from user space.
Technology Area WIGIG HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported 12/2/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2c7b4349b858398caf0ae146e87554c3502d20a5

CVE-2017-0521

Title: Integer Overflow to Buffer Overflow in Camera
Description Due to integer overflow vulnerability, the bound check in a camera IOCTL handler may pass resulting in out of bounds memory access.
Technology Area Camera
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 12/6/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=77c4aba67d89ba4055b7c9bd417f49593cba497b

CVE-2017-0525

Title: Use after free vulnerability during IPA routing commit logic
Description While processing IOCTL for IPA routing, there is no protection against multiple IPA header deletions from user application. If user application deletes header multiple times and that header is being used by a routing rule, a use after free occurs.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 12/6/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=a6a6e4993aca80b7cddab8752f7d8636eb45a8c5
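The CVE-2017-0525 description names a two-part failure: a header can be deleted more than once, and it can be deleted while a routing rule still points at it, so the commit path later dereferences freed memory. The example below is added here and is not the IPA driver's code; the table sizes, the reference-count policy and the function names are assumptions. It models both tables with slot indices and shows a delete that only checks the index range beside one that also requires the handle to be live and unreferenced, with a commit routine that reports the dangling reference rather than dereferencing it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HDRS  8
#define MAX_RULES 8

/* Constructed model of the IPA header and routing-rule tables; the names
 * and the ref_cnt policy are this example's, not the driver's. */
struct ipa_hdr     { int in_use; uint32_t ref_cnt; uint8_t bytes[16]; };
struct ipa_rt_rule { int in_use; int hdr; };

static struct ipa_hdr     hdrs[MAX_HDRS];
static struct ipa_rt_rule rules[MAX_RULES];

static void ipa_reset(void)
{
    memset(hdrs, 0, sizeof hdrs);
    memset(rules, 0, sizeof rules);
}

/* Returns a header handle (table index) or a negative errno. */
static int ipa_add_hdr(const uint8_t *bytes, size_t n)
{
    if (n > sizeof hdrs[0].bytes)
        return -EINVAL;
    for (int i = 0; i < MAX_HDRS; i++) {
        if (!hdrs[i].in_use) {
            hdrs[i].in_use = 1;
            hdrs[i].ref_cnt = 0;
            memcpy(hdrs[i].bytes, bytes, n);
            return i;
        }
    }
    return -ENOMEM;
}

/* A routing rule takes a reference on the header it points at. */
static int ipa_add_rt_rule(int hdr)
{
    if (hdr < 0 || hdr >= MAX_HDRS || !hdrs[hdr].in_use)
        return -EINVAL;
    for (int i = 0; i < MAX_RULES; i++) {
        if (!rules[i].in_use) {
            rules[i].in_use = 1;
            rules[i].hdr = hdr;
            hdrs[hdr].ref_cnt++;
            return i;
        }
    }
    return -ENOMEM;
}

static int ipa_del_rt_rule(int rule)
{
    if (rule < 0 || rule >= MAX_RULES || !rules[rule].in_use)
        return -EINVAL;
    rules[rule].in_use = 0;
    hdrs[rules[rule].hdr].ref_cnt--;
    return 0;
}

/* Vulnerable delete: no liveness or reference check, so a second delete of
 * the same handle, or a delete while a rule still uses it, both succeed. */
static int ipa_del_hdr_v1(int hdr)
{
    if (hdr < 0 || hdr >= MAX_HDRS)
        return -EINVAL;
    hdrs[hdr].in_use = 0;            /* kfree() in a real driver */
    return 0;
}

/* Hardened delete: reject handles that are not live and headers still
 * referenced by a rule. */
static int ipa_del_hdr_v2(int hdr)
{
    if (hdr < 0 || hdr >= MAX_HDRS || !hdrs[hdr].in_use)
        return -EINVAL;
    if (hdrs[hdr].ref_cnt)
        return -EBUSY;
    hdrs[hdr].in_use = 0;
    return 0;
}

/* Commit: resolves every rule's header. Returns -ENOENT where the real
 * driver would dereference freed memory. */
static int ipa_commit_rt(void)
{
    for (int i = 0; i < MAX_RULES; i++)
        if (rules[i].in_use && !hdrs[rules[i].hdr].in_use)
            return -ENOENT;
    return 0;
}

int main(void)
{
    ipa_reset();
    int h = ipa_add_hdr((const uint8_t *)"\x45\x00\x00\x14", 4);   /* constructed header bytes */
    int r = ipa_add_rt_rule(h);
    printf("rule %d uses header %d; checked delete -> %d (EBUSY=%d)\n", r, h, ipa_del_hdr_v2(h), -EBUSY);
    printf("unchecked delete twice -> %d, %d; commit -> %d (ENOENT=%d)\n",
           ipa_del_hdr_v1(h), ipa_del_hdr_v1(h), ipa_commit_rt(), -ENOENT);
    return 0;
}
```

A driver that prefers to let a delete succeed while references exist can instead mark the header for deferred removal and free it when the last rule drops its reference; either way, the invariant is that the free happens at most once and never while a rule can still reach the object.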

CVE-2017-0608

Title: Improper Validation of Array Index in Audio
Description Due to several global variables being able to be set by userspace arbitrarily, a buffer overflow could potentially occur.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 12/7/2016
Customer Notified Date 2/14/2017
Patch · https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=167a094eac4383809dd703d96fb88c406dd8786b
· https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=b66f442dd97c781e873e8f7b248e197f86fd2980

CVE-2017-0622

Title: Buffer Copy without Checking Size of Input in Multimedia
Description When Goodix tool read callback is called after a failed write call, a global structure is not cleared.
Technology Area Touch
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 12/7/2016
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2881d2bbc26ff321fd9e717ad6f968aebd277d22

CVE-2017-0460

Title: Out of memory and out of bounds vulnerability while handling netlink messages
Description While receiving netlink messages from userspace, an out of memory situation could occur if the incoming netlink message has its pid field set to 0. Similarly, while receiving netlink messages from userspace an out of bounds vulnerability could occur since boundaries on incoming data were not properly checked.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 12/8/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=93dd37c412dbadff9d5b1b6f7b317713192cab2b

CVE-2017-0456

Title: Buffer Copy without Checking Size of Input in Data
Description While IPA driver processes IOCTL from user space applications to add routing or filtering rules, a buffer overflow may potentially occur.
Technology Area Data HLOS – LNX
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/9/2016
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=dfb170e243a3082a668f77ec0190af2c2bed9161

CVE-2016-5862

Title: Untrusted Pointer Dereference in Audio
Description When a control related to codec is issued from userspace, the type casting is done to the container structure instead of the codec’s individual structure, resulting in a device restart after kernel crash occurs.
Technology Area Audio
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating Medium
Date Reported 12/9/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=4199451e83729a3add781eeafaee32994ff65b04

CVE-2017-0461

Title: Buffer Over-read in WLAN
Description In WLAN, an array out-of-bounds and integer underflow may potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 12/12/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/qcacld-2.0.git;a=commit;h=948b0ce846c7ef643b0dc6702b80547aafe1a409

CVE-2016-5860

Title: Integer Overflow to Buffer Overflow in Audio
Description In an audio driver, if a function is called with a very large length, an integer overflow could occur followed by a heap buffer overflow.
Technology Area Audio
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 12/13/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=9f91ae0d7203714fc39ae78e1f1c4fd71ed40498

CVE-2016-5347

Title: Information Exposure in Audio
Description Kernel stack data can be leaked to userspace by an audio driver.
Technology Area Audio
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 12/13/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=f14390f13e62460fc6b05fc0acde0e825374fdb6

CVE-2017-0463

Title: Use After Free in Core
Description While performing an ioctl operation from user-space repeatedly, a race condition exists potentially leading to privilege escalation.
Technology Area MProc
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 12/15/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=32c229060ca33b816c50eedc136ea2800f9974df

CVE-2016-10293

Title: Use of Uninitialized Variable in Display
Description When a sscanf failure occurs in a display function, the use of an uninitialized variable may potentially lead to a kernel information leak.
Technology Area Display
Vulnerability Type CWE-457 Use of Uninitialized Variable
Access Vector Local
Security Rating Medium
Date Reported 12/15/2016
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2469d5374745a2228f774adbca6fb95a79b9047f

CVE-2017-0462

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description In the Seemp Log driver, a TOCTOU race condition exists while processing data in a memory buffer that’s modified by user space.
Technology Area Qualcomm SnapDragon Smart Protect
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 12/16/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=9a71e9a686942ae3c491061ab275a3678ee2819a

CVE-2016-10236

Title: Information Exposure in Core
Description A race condition may lead to an uninitialized variable being copied to userspace.
Technology Area WiredConnectivity
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 12/16/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=b8199c2b852f1e23c988e10b8fbb8d34c98b4a1c

CVE-2017-6424

Title: Buffer Copy without Checking Size of Input in WLAN
Description In WLAN, a length parameter is user-controllable and never validated potentially leading to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/18/2016
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d8a61c5c499bdc45b13c48dba9f76fa55043a9ef
· https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=4e44b25b26a594aa818

CVE-2016-5863

Title: Improper Validation of Array Index in USB
Description In an ioctl handler, several sanity checks are missing which can lead to out-of-bounds accesses.
Technology Area WiredConnectivity
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 12/19/2016
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=daf0acd54a6a80de227baef9a06285e4aa5f8c93

CVE-2016-5853

Title: Detection of Error Condition Without Action in Audio
Description In an audio driver, when a sanity check encounters a length value not in the correct range, an error message is printed, but code execution continues in the same way as for a correct length value.
Technology Area Audio
Vulnerability Type CWE-390 Detection of Error Condition Without Action
Access Vector Local
Security Rating Medium
Date Reported 12/19/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a8f3b894de319718aecfc2ce9c691514696805be

CVE-2017-10997

Title: Improper Input Validation in Core
Description Using a debugfs node, a write to a PCIe register can cause corruption of kernel memory.
Technology Area HWEngines
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 12/19/2016
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=a395a070880acc679e3832b21d96504edbbe4af2

CVE-2017-7368

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Audio
Description A race condition potentially exists in the ioctl handler of a sound driver.
Technology Area Audio
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 12/19/2016
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=06935e0fffc0527ff4c0babfddf18b9dd95d2ccd

CVE-2017-0576

Title: Improper Input Validation in Core
Description In Core, an improper input validation may potentially occur.
Technology Area EcoSystem
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 12/19/2016
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=d911373c689355afea07a480b57fbb17eaa8cb9c

CVE-2017-0575

Title: Integer Overflow to Buffer Overflow in WLAN
Description In WLAN, a user-controlled parameter controls the size of a buffer allocated and is potentially vulnerable to integer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 12/19/2016
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a4f790c140d9813c3af66a9b367b4568e053278a

CVE-2017-6423

Title: Buffer Copy without Checking Size of Input in Data
Description In Data, a heap buffer overflow may potentially occur.
Technology Area Kernel
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Medium
Date Reported 12/20/2016
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=0f264f812b61884390b432fdad081a3e995ba768

CVE-2016-5861

Title: Buffer Copy without Checking Size of Input in Display
Description In a display driver, a variable controlled by userspace is used to calculate offsets and sizes for copy operations, which could result in heap overflow.
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/20/2016
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=cf3c97b8b6165f13810e530068fbf94b07f1f77d

CVE-2017-6425

Title: Information Exposure in Display
Description In an IOCTL handler, a stack variable is not zero-initialized before it is copied to user space.
Technology Area Display
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 12/20/2016
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=ef86560a21fe1f256f6ba772a195201ff202c657

CVE-2017-0454

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Audio
Description In two audio IOCTL handlers, a race condition exists that can potentially lead to a buffer overflow.
Technology Area Audio
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 12/21/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=263bb8242e005803529cb7cd785354de817db88a
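CVE-2017-0462 (a buffer that user space can modify while the driver processes it) and CVE-2017-0454 (an ioctl race that ends in a buffer overflow) are the double-fetch form of TOCTOU: the driver reads a length from shared memory to validate it and reads it again to use it, and the caller changes it in between. The example below is added here and is not code from either driver; the request layout, the 64-byte kernel buffer and the hook that stands in for the preemption window are assumptions. The guard region after the kernel buffer lets the overrun be observed instead of corrupting the stack.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64
#define USER_MAX  4096

/* Memory the caller controls (a mapped buffer shared with the driver): a
 * length word followed by the payload. */
struct user_req {
    uint32_t len;
    uint8_t  data[USER_MAX];
};

/* Kernel-side destination plus a guard region: an overrun lands in 'guard'
 * where the example can see it. */
struct kbuf {
    uint8_t buf[KBUF_SIZE];
    uint8_t guard[USER_MAX];
};

/* Stands in for the moment between the driver's two reads in which another
 * core, or a thread that preempts the handler, rewrites the shared page. */
static void (*race_window)(struct user_req *) = NULL;

static void attacker_grow_len(struct user_req *u) { u->len = USER_MAX; }

/* Vulnerable: the length is fetched once to check and again to copy. */
static long ioctl_copy_v1(struct kbuf *k, struct user_req *u)
{
    if (u->len > KBUF_SIZE)                 /* fetch #1: check */
        return -EINVAL;
    if (race_window)
        race_window(u);
    uint32_t n = u->len;                    /* fetch #2: use */
    /* Destination computed from the enclosing object so the overrun is a
     * defined write into 'guard' rather than undefined behaviour. */
    memcpy((uint8_t *)k + offsetof(struct kbuf, buf), u->data, n);
    return n;
}

/* Hardened: fetch the length once into a kernel-owned variable, validate
 * that copy, and use only the copy afterwards (a copy_from_user() of the
 * whole header does this in a real driver). */
static long ioctl_copy_v2(struct kbuf *k, struct user_req *u)
{
    uint32_t n = u->len;                    /* the only fetch */
    if (n > KBUF_SIZE)
        return -EINVAL;
    if (race_window)
        race_window(u);                     /* u->len changes, but is no longer consulted */
    memcpy(k->buf, u->data, n);
    return n;
}

static int guard_clobbered(const struct kbuf *k)
{
    for (size_t i = 0; i < sizeof k->guard; i++)
        if (k->guard[i])
            return 1;
    return 0;
}

typedef long (*ioctl_fn)(struct kbuf *, struct user_req *);

/* Runs one handler on a benign 16-byte request (constructed input), with or
 * without the attacker racing; returns the result and reports the guard. */
static long run_ioctl(ioctl_fn h, int racing, int *overran)
{
    static struct kbuf k;
    static struct user_req u;
    memset(&k, 0, sizeof k);
    memset(&u, 0x41, sizeof u);
    u.len = 16;
    race_window = racing ? attacker_grow_len : NULL;
    long r = h(&k, &u);
    race_window = NULL;
    *overran = guard_clobbered(&k);
    return r;
}

static long run_ioctl_result(ioctl_fn h, int racing) { int o; return run_ioctl(h, racing, &o); }
static int  run_ioctl_overran(ioctl_fn h, int racing) { int o; run_ioctl(h, racing, &o); return o; }

int main(void)
{
    printf("v1 racing: copied %ld bytes, guard clobbered=%d\n",
           run_ioctl_result(ioctl_copy_v1, 1), run_ioctl_overran(ioctl_copy_v1, 1));
    printf("v2 racing: copied %ld bytes, guard clobbered=%d\n",
           run_ioctl_result(ioctl_copy_v2, 1), run_ioctl_overran(ioctl_copy_v2, 1));
    return 0;
}
```

In a real driver the window is a few instructions wide, but a second thread spinning on the length word hits it reliably within seconds; the fix is never "check faster" but "read once, into memory the caller cannot reach".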

CVE-2016-5868

Title: Buffer Copy without Checking Size of Input in Data
Description If a user space application conducts two or more writes to a debugfs file after single open, a heap overflow may potentially occur.
Technology Area Data HLOS – LNX
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/22/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=fbb765a3f813f5cc85ddab21487fd65f24bf6a8c
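The CVE-2016-5868 description (two or more writes after a single open overflow the heap) is the classic debugfs write-handler mistake: the handler checks the write size against the whole buffer but copies at the file position, which the previous write advanced. The example below is added here and is not the driver's code; the 64-byte buffer, the guard region and the function names are assumptions. The hardened variant follows the contract of the kernel's simple_write_to_buffer() helper, which is the usual fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DBG_BUF 64

/* Per-open state of a constructed debugfs file: a fixed buffer, a guard
 * region standing in for the neighbouring heap object, and the file
 * position the kernel keeps in *ppos across writes on one open. */
struct dbg_file {
    uint8_t buf[DBG_BUF];
    uint8_t guard[256];
    size_t  pos;
};

/* Vulnerable write: count is bounded by the whole buffer, but the copy
 * starts at pos, which every earlier write on this open advanced. */
static long dbg_write_v1(struct dbg_file *f, const uint8_t *ubuf, size_t count)
{
    if (count > DBG_BUF)
        return -EINVAL;
    /* Destination computed from the enclosing object so the overrun lands in
     * 'guard' as a defined write rather than undefined behaviour. */
    memcpy((uint8_t *)f + offsetof(struct dbg_file, buf) + f->pos, ubuf, count);
    f->pos += count;
    return (long)count;
}

/* Hardened write with the contract of simple_write_to_buffer(): clamp count
 * to the space left after pos, so no write can pass the end of the buffer. */
static long dbg_write_v2(struct dbg_file *f, const uint8_t *ubuf, size_t count)
{
    if (f->pos >= DBG_BUF || count == 0)
        return 0;
    if (count > DBG_BUF - f->pos)
        count = DBG_BUF - f->pos;
    memcpy(f->buf + f->pos, ubuf, count);
    f->pos += count;
    return (long)count;
}

static int dbg_guard_clobbered(const struct dbg_file *f)
{
    for (size_t i = 0; i < sizeof f->guard; i++)
        if (f->guard[i])
            return 1;
    return 0;
}

typedef long (*dbg_write_fn)(struct dbg_file *, const uint8_t *, size_t);

/* Opens the file once and issues two 48-byte writes (constructed input).
 * Returns the second write's result and reports whether the guard was hit. */
static long dbg_two_writes(dbg_write_fn w, int *overran)
{
    static struct dbg_file f;
    static uint8_t payload[48];
    memset(&f, 0, sizeof f);          /* open(): fresh state, pos = 0 */
    memset(payload, 'A', sizeof payload);
    long first = w(&f, payload, sizeof payload);
    long second = (first == (long)sizeof payload) ? w(&f, payload, sizeof payload) : first;
    *overran = dbg_guard_clobbered(&f);
    return second;
}

static long dbg_second_write_len(dbg_write_fn w) { int o; return dbg_two_writes(w, &o); }
static int  dbg_overran(dbg_write_fn w)          { int o; dbg_two_writes(w, &o); return o; }

int main(void)
{
    printf("v1: second write returns %ld, guard clobbered=%d\n",
           dbg_second_write_len(dbg_write_v1), dbg_overran(dbg_write_v1));
    printf("v2: second write returns %ld, guard clobbered=%d\n",
           dbg_second_write_len(dbg_write_v2), dbg_overran(dbg_write_v2));
    return 0;
}
```

The second hardened write returns 16 rather than an error because that is how the kernel helper behaves (short write, caller may retry); a handler that wants to reject partial input can compare count against the remaining space and return -EINVAL instead, but it must still never copy at an unchecked offset.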

CVE-2016-10285

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Display
Description In a video driver, a race condition may lead to use after free condition.
Technology Area Display
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 12/23/2016
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=67dfd3a65336e0b3f55ee83d6312321dc5f2a6f9

CVE-2017-0453

Title: Buffer Copy without Checking Size of Input in WLAN
Description In WLAN, a stack overflow vulnerability may potentially occur while processing a configuration request.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/23/2016
Customer Notified Date 2/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/qcacld-3.0.git;a=commit;h=a2959858f428acfca3ca4c61d3c10b446bfe9b60

CVE-2016-5864

Title: Integer Overflow to Buffer Overflow in Audio
Description In an audio driver function, some parameters are from userspace, and if they are set to a large value, integer overflow is possible followed by buffer overflow. In another function, a missing check for a lower bound may result in an out of bounds memory access.
Technology Area Audio
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 12/27/2016
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=cbc21ceb69cb7bca0643423a7ca982abce3ce50a
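CVE-2016-5857, CVE-2017-0521, CVE-2016-5859, CVE-2016-5860, CVE-2017-0575 and CVE-2016-5864 all describe a bound check that passes because the arithmetic feeding it wraps, and CVE-2016-5864 adds a second pattern, an index checked against the upper bound only. The example below is added here and is not code from any of those drivers; the table capacity, entry size and function names are assumptions. Each vulnerable check is shown beside its fixed form, using the same 32-bit width the original arithmetic used so the wrap is visible.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_BYTES 4096u       /* capacity of the kernel-side table (assumed) */
#define MAX_ENTRIES 64          /* largest count the driver should accept (assumed) */
#define ENTRY_BYTES 64u         /* size of one table entry in this model */

/* Vulnerable allocation-size check: count * ENTRY_BYTES is computed in 32
 * bits and wraps, so count = 0x40000001 yields 64 bytes and passes. */
static int size_check_v1(uint32_t count)
{
    uint32_t bytes = count * ENTRY_BYTES;
    if (bytes > TABLE_BYTES)
        return -EINVAL;
    return 0;
}

/* Hardened: detect the wrap with __builtin_mul_overflow (GCC/Clang; the
 * kernel's check_mul_overflow() and kmalloc_array() do the same), then
 * compare, then cap the count so the product is never the only defence. */
static int size_check_v2(uint32_t count)
{
    uint32_t bytes;
    if (__builtin_mul_overflow(count, ENTRY_BYTES, &bytes))
        return -EOVERFLOW;
    if (bytes > TABLE_BYTES)
        return -EINVAL;
    if (count > MAX_ENTRIES)
        return -EINVAL;
    return 0;
}

/* Vulnerable range check of the CVE-2017-0521 kind: off + len wraps, so
 * off = 0xFFFFFFF0 with len = 0x20 compares as 0x10 and passes. */
static int range_check_v1(uint32_t off, uint32_t len)
{
    if (off + len > TABLE_BYTES)
        return -EINVAL;
    return 0;
}

/* Hardened: never form the sum; bound len first, then off against what is left. */
static int range_check_v2(uint32_t off, uint32_t len)
{
    if (len > TABLE_BYTES || off > TABLE_BYTES - len)
        return -EINVAL;
    return 0;
}

/* Vulnerable index check of the CVE-2016-5864 kind: a signed index compared
 * against the upper bound only, so -1 is accepted and reads before the table. */
static int index_check_v1(int idx)
{
    if (idx >= MAX_ENTRIES)
        return -EINVAL;
    return 0;
}

static int index_check_v2(int idx)
{
    if (idx < 0 || idx >= MAX_ENTRIES)
        return -EINVAL;
    return 0;
}

int main(void)
{
    printf("count 0x40000001: v1 %d, v2 %d (EOVERFLOW=%d)\n",
           size_check_v1(0x40000001u), size_check_v2(0x40000001u), -EOVERFLOW);
    printf("off 0xFFFFFFF0 len 0x20: v1 %d, v2 %d\n",
           range_check_v1(0xFFFFFFF0u, 0x20u), range_check_v2(0xFFFFFFF0u, 0x20u));
    printf("index -1: v1 %d, v2 %d\n", index_check_v1(-1), index_check_v2(-1));
    return 0;
}
```

Note the order in size_check_v2: the overflow test comes first because comparing a wrapped product against anything is meaningless, and the count ceiling stays because a product that does not wrap can still be larger than any sane request.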

CVE-2017-6426

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description There is a possible race condition when debugfs files are concurrently accessed by multiple threads.
Technology Area PMIC
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 1/3/2017
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=80decd6365deec08c35ecb902a58f9210599b39a

CVE-2016-10295

Title: Possible kernel information leak in QPNP Flash LED driver debugfs function
Description There is a possible race condition when debugfs files are concurrently accessed by multiple threads and shared file pointer may lead to improper data retrieval and hence possible kernel data leak.
Technology Area PMIC
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 1/10/2017
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=f11ae3df500bc2a093ddffee6ea40da859de0fa9

CVE-2016-10288

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description There is a race condition that may result in a use-after-free when two threads open and close the same file. A second open overwrites the private data pointer belonging to the first file. When the first file is closed and its private data is freed, the second thread is left holding the now-shared, freed private data; when it in turn tries to free it, an out-of-bounds write occurs.
Technology Area PMIC
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 1/10/2017
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=db2cdc95204bc404f03613d5dd7002251fb33660

CVE-2017-7372

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Video
Description A race condition exists in a video driver, potentially leading to a buffer overflow or a write to an arbitrary pointer location.
Technology Area Automotive Multimedia
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 1/11/2017
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=1806be003731d6d4be55e5b940d14ab772839e13

CVE-2017-8237

Title: Buffer Copy without Checking Size of Input in IPA
Description A buffer overflow vulnerability exists while loading a firmware image.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 1/12/2017
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=342d16ac6fb01e304ec75344c693257e00628ecf

CVE-2017-6421

Title: Buffer Copy without Checking Size of Input in Touch
Description In the touch controller function, a variable may be controlled by the user and can lead to a buffer overflow.
Technology Area Touch
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 1/12/2017
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=be42c7ff1f0396484882451fd18f47144c8f1b6b

CVE-2017-0465

Title: Integer Overflow or Wraparound in Multimedia
Description In an IOCTL handler, if a buffer size is passed that does not fit in 32 bits, an integer overflow may potentially occur.
Technology Area DSP_Services
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating Medium
Date Reported 1/12/2017
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=3823f0f8d0bbbbd675a42a54691f4051b3c7e544

CVE-2016-10287

Title: Use After Free in Audio
Description During the creation process, the calibration block being created gets added to a list of current calibration blocks. If the creation process fails after this, the calibration block is never removed from the list but the memory for it is freed. Later when the list is used and the calibration blocks within the list are iterated over there will be a use after free.
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 1/18/2017
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=937bc9e644180e258c68662095861803f7ba4ded

CVE-2017-7364

Title: Use After Free in Video
Description In function __mdss_fb_copy_destscaler_data(), the variable ds_data[i].scale may still point to a user-provided address (which could be an arbitrary kernel address), so on an error condition this user-provided address is freed (arbitrary free), and continued operation could result in a use-after-free condition.
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 1/20/2017
Customer Notified Date 3/14/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=3ce6c47d2142fcd2c4c1181afe08630aaae5a267

CVE-2017-0606

Title: Double Free in Audio
Description In an audio function, there is a race condition that can lead to a double free.
Technology Area Audio
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 1/25/2017
Customer Notified Date 3/14/2017
Patch · https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=d3237316314c3d6f75a58192971f66e3822cd250

CVE-2016-10283

Title: Stack overflow in wifi driver function __wlan_hdd_change_station
Description A user can supply more than 32 operation classes through the HDD change station command. This results in a stack overflow during the memcpy, as the maximum number of supported channels is 32.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/3/2017
Customer Notified Date 4/11/2017
Patch · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=d60a5839ba987e2c9d365fef950cae0c9ad11010

CVE-2017-8257

Title: Use After Free in Display
Description When accessing the sde_rotator debug interface for register reading with multiple processes, one process can free the debug buffer while another process still has the debug buffer in use.
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 2/7/2017
Customer Notified Date 4/11/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=0f19fbd00c6679bbc524f7a6d0fc3d54cfd1c9ae

CVE-2017-8233

Title: Improper Validation of Array Index in Camera
Description In a camera driver function, a bounds check is missing when writing into an array potentially leading to an out-of-bounds heap write.
Technology Area Camera
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 2/8/2017
Customer Notified Date 4/11/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=8b0cb658b568e4b160a5b57fb3cef0063aff56d9

CVE-2017-8258

Title: Buffer overflow in Camera
Description An array out-of-bounds access can potentially occur in a camera driver.
Technology Area Camera
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 2/13/2017
Customer Notified Date 4/11/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=31e2a2f0f2f3615cefd4400c707709bbc3e26170

CVE-2017-0624

Title: Use After Free in WLAN
Description In WLAN, a variable is shared between threads without locks, so one thread may free it when it is still being referenced by another thread.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 2/13/2017
Customer Notified Date 4/11/2017
Patch · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0ac5f6f2f221efb93fc0ddb1fec6487c76d95acd

CVE-2017-8259

Title: Buffer overflow vulnerability in kernel service locator module
Description In the service locator, a buffer overflow can occur because the variable that is set to determine the size of the buffer is not used to indicate the size of the buffer.
Technology Area Kernel
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/20/2017
Customer Notified Date 4/11/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=68020103af00280393da10039b968c95d68e526c

CVE-2017-7369

Title: Improper Validation of Array Index in ALSA
Description An array index in an ALSA routine is not properly validated, potentially leading to kernel stack corruption.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 2/20/2017
Customer Notified Date 4/11/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=05f4374845738d2146075e77d9139e60a558de18

CVE-2017-8236

Title: Buffer Copy without Checking Size of Input in IPA
Description A buffer overflow vulnerability exists in an IPA driver.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/21/2017
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=15bb605fac8167ffaf86453f71a987d79218ed6d
· https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=8a079632f447be9fd86f92b8e02b1940a26c8a2a

CVE-2017-9720

Title: Improper Input Validation in Camera
Description Due to an off-by-one error in a camera driver, an out-of-bounds read/write can occur.
Technology Area Camera
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 5/1/2017
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=737f415a5c637802786ec6d36288220cb4d3ae4d
· https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2c5616295a5411812188f515d6ecf1984b9c1798

CVE-2017-9693

Title: Buffer Copy without Checking Size of Input in WLAN
Description In a WLAN command, the length of an attribute value is not properly validated potentially leading to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 5/9/2017
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=05a5abb21e4d97001f77d344444a3ec2f9c275f9

CVE-2017-0747

Title: Buffer Copy without Checking Size of Input in Core
Description While performing SHA operations with a digest buffer length that is out of range, a buffer overflow occurs.
Technology Area EcoSystem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 5/10/2017
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c0021edb9ee6b2a37322cd6cf6ebdf160d09b8d7

CVE-2017-9694

Title: Improper Input Validation in WLAN
Description While parsing Netlink attributes, a buffer overread could occur.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 5/10/2017
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef

CVE-2017-11002

Title: Buffer Over-read in WLAN
Description While processing a vendor sub-command, a buffer over-read can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 6/8/2017
Customer Notified Date 8/7/2017
Patch · https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=64c0865bb0c5a642ba420967b23e0f66e035b300

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios but may differ in some cases for one of the following reasons:

· Consideration of security protections, such as SELinux, that are not enforced on some platforms

· Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version Date Comments
1.0 October 13th, 2017 Bulletin Published
1.1 March 28th, 2018 Removed duplicated CVE and clarified comments for CVE-2017-0457
1.2 April 1st, 2019 Updated Title and Description for CVE-2017-8259