February 2018 Code Aurora Security Bulletin

Version 1.0

Published: 02/15/2018

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating. A description of these ratings, using v1.2 of the ratings scheme, can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2016-10284, CVE-2017-0579, CVE-2017-11046, CVE-2017-11048, CVE-2017-11050, CVE-2017-11055, CVE-2017-11056, CVE-2017-11057, CVE-2017-11059, CVE-2017-11067, CVE-2017-11087, CVE-2017-11091, CVE-2017-14903, CVE-2017-8269, CVE-2017-9686, CVE-2017-9706, CVE-2017-9715, CVE-2017-9717: Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2017-9723 Gengjia Chen
CVE-2017-9687 Yonggang Guo (gyghit)
CVE-2017-11049, CVE-2017-14892, CVE-2017-9692, CVE-2017-9697 Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2017-14875 Scott Bauer
CVE-2017-14876 derrek (https://twitter.com/derrekr6)
CVE-2017-11047, CVE-2017-15826 Peter Pi of Tencent Security Platform Department
CVE-2017-14877, CVE-2017-14881 Yonggang Guo
CVE-2017-14891 heiheidada
CVE-2017-15823 Gengjia Chen (@chengjia4574) and pjf (http://weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd

Table of vulnerabilities

Public ID        Security Rating  Technology Area                    Date Reported
CVE-2017-9686    Medium           HWEngines                          1/11/2017
CVE-2017-0579    Medium           Display                            1/24/2017
CVE-2016-10284   Medium           Display                            1/11/2017
CVE-2017-9723    Medium           Touch                              2/15/2017
CVE-2017-8269    Medium           Data Network Stack & Connectivity  2/1/2017
CVE-2017-9687    Medium           Data Network Stack & Connectivity  3/1/2017
CVE-2017-9692    Medium           Display                            3/3/2017
CVE-2017-9706    Medium           Display                            3/30/2017
CVE-2017-9697    Medium           Services                           3/15/2017
CVE-2017-11049   Medium           Display                            3/21/2017
CVE-2017-14875   Medium           Camera                             4/10/2017
CVE-2017-9717    Medium           WLAN HOST                          4/24/2017
CVE-2017-11048   Medium           Display                            4/24/2017
CVE-2017-11087   Medium           Video                              4/21/2017
CVE-2017-14876   Medium           Camera                             4/28/2017
CVE-2017-9715    Medium           WLAN HOST                          5/1/2017
CVE-2017-11047   Medium           Display                            4/30/2017
CVE-2017-11059   Medium           Trusted Execution Environment      5/8/2017
CVE-2017-14877   Medium           Data Network Stack & Connectivity  5/3/2017
CVE-2017-11046   Medium           Audio                              5/8/2017
CVE-2017-11057   Medium           Camera                             5/8/2017
CVE-2017-11056   Medium           Trusted Execution Environment      5/8/2017
CVE-2017-11055   Medium           WLAN HOST                          5/31/2017
CVE-2017-11067   Medium           WLAN HOST                          6/1/2017
CVE-2017-11091   Medium           Display                            6/2/2017
CVE-2017-11050   Medium           WLAN HOST                          6/1/2017
CVE-2017-14881   Medium           Data Network Stack & Connectivity  8/2/2017
CVE-2017-14903   Medium           WLAN HOST                          7/18/2017
CVE-2017-14891   Medium           Graphics_Linux                     8/10/2017
CVE-2017-14892   Medium           Audio                              8/15/2017
CVE-2017-15826   Medium           Display                            8/17/2017
CVE-2017-15823   High             WLAN HOST                          9/19/2017

CVE-2017-9686

CVE ID: CVE-2017-9686
Title: Use After Free in Core
Description: There is a possible double free/use after free in the SPS driver when debugfs logging is used.
Technology Area: HWEngines
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 1/11/2017
Customer Notified Date: 7/3/2017
Patch:

CVE-2017-0579

CVE ID: CVE-2017-0579
Title: Buffer Copy without Checking Size of Input in Display
Description: A buffer overflow can occur when a cursor manipulation framebuffer ioctl is called.
Technology Area: Display
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
Date Reported: 1/24/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2016-10284

CVE ID: CVE-2016-10284
Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Display
Description: Due to a race condition in the MDSS fb driver, a Use After Free condition can potentially occur.
Technology Area: Display
Vulnerability Type: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector: Local
Security Rating: Medium
Date Reported: 1/11/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-9723

CVE ID: CVE-2017-9723
Title: Stack-based Buffer Overflow in Touch
Description: In the touchscreen driver synaptics_dsx, the size of a stack-allocated buffer can be set to a value which exceeds the size of the stack.
Technology Area: Touch
Vulnerability Type: CWE-121 Stack-based Buffer Overflow
Access Vector: Local
Security Rating: Medium
Date Reported: 2/15/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-8269

CVE ID: CVE-2017-8269
Title: Information exposure in IPA driver
Description: A userspace-controlled, non-null-terminated parameter for the IPA WAN ioctl can lead to exposure of kernel memory.
Technology Area: Data Network Stack & Connectivity
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 2/1/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-9687

CVE ID: CVE-2017-9687
Title: Double Free in Data
Description: Two concurrent threads or processes can write the value “0” to the debugfs file that controls the IPA IPC log, which leads to a double free in ipc_log_context_destroy(). A related issue is a Use-After-Free that can occur due to a race condition when the IPC log is deallocated via the debugfs call during a log print.
Technology Area: Data Network Stack & Connectivity
Vulnerability Type: CWE-415 Double Free
Access Vector: Local
Security Rating: Medium
Date Reported: 3/1/2017
Customer Notified Date: 7/3/2017
Patch:

CVE-2017-9692

CVE ID: CVE-2017-9692
Title: NULL Pointer Dereference in Display
Description: When an atomic commit is issued on a writeback panel with a NULL output_layer parameter, a NULL pointer dereference may potentially occur.
Technology Area: Display
Vulnerability Type: CWE-476 NULL Pointer Dereference
Access Vector: Local
Security Rating: Medium
Date Reported: 3/3/2017
Customer Notified Date: 12/4/2017
Patch:

CVE-2017-9706

CVE ID: CVE-2017-9706
Title: Buffer Copy without Checking Size of Input in Display
Description: An array out-of-bounds access can potentially occur in a display driver.
Technology Area: Display
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
Date Reported: 3/30/2017
Customer Notified Date: 7/3/2017
Patch:

CVE-2017-9697

CVE ID: CVE-2017-9697
Title: Use After Free in Core
Description: A race condition can allow access to already freed memory while reading command registration table entries in diag_dbgfs_read_table.
Technology Area: Services
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 3/15/2017
Customer Notified Date: 7/3/2017
Patch:

CVE-2017-11049

CVE ID: CVE-2017-11049
Title: Improper Input Validation in Display
Description: In a video driver, a race condition exists which can potentially lead to a buffer overflow.
Technology Area: Display
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: Medium
Date Reported: 3/21/2017
Customer Notified Date: 10/2/2017
Patch:

CVE-2017-14875

CVE ID: CVE-2017-14875
Title: Improper Validation of Array Index in Camera
Description: In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE, a heap overread vulnerability exists.
Technology Area: Camera
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: Medium
Date Reported: 4/10/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-9717

CVE ID: CVE-2017-9717
Title: Buffer Over-read in WLAN
Description: While parsing Netlink attributes, a buffer overread can occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 4/24/2017
Customer Notified Date: 8/7/2017
Patch:

CVE-2017-11048

CVE ID: CVE-2017-11048
Title: Use After Free in Display
Description: In a display driver function, a Use After Free condition can occur.
Technology Area: Display
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 4/24/2017
Customer Notified Date: 9/1/2017
Patch:

CVE-2017-11087

CVE ID: CVE-2017-11087
Title: Buffer Over-read in Video
Description: libOmxVenc copies the output buffer to an application with the “filled length”, which is larger than the output buffer’s actual size, leading to an information disclosure problem in the context of mediaserver.
Technology Area: Video
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 4/21/2017
Customer Notified Date: 10/2/2017
Patch:

CVE-2017-14876

CVE ID: CVE-2017-14876
Title: Improper Validation of Array Index in Camera
Description: In msm_ispif_config_stereo(), the parameter params->entries[i].vfe_intf comes from userspace without any bounds check, which could potentially result in a kernel out-of-bounds write.
Technology Area: Camera
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: Medium
Date Reported: 4/28/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-9715

CVE ID: CVE-2017-9715
Title: Buffer Over-read in WLAN
Description: While processing a vendor command, a buffer over-read can occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 5/1/2017
Customer Notified Date: 7/3/2017
Patch:

CVE-2017-11047

CVE ID: CVE-2017-11047
Title: Improper Input Validation in Display
Description: In a graphics driver ioctl handler, the lack of copy_from_user() function calls may result in writes to kernel memory.
Technology Area: Display
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: Medium
Date Reported: 4/30/2017
Customer Notified Date: 10/2/2017
Patch:

CVE-2017-11059

CVE ID: CVE-2017-11059
Title: Use After Free in Core
Description: Setting the HMAC key from different threads during SHA operations may potentially lead to a buffer overflow.
Technology Area: Trusted Execution Environment
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 5/8/2017
Customer Notified Date: 2/5/2018
Patch:

CVE-2017-14877

CVE ID: CVE-2017-14877
Title: Use After Free in Data
Description: While the IPA driver is processing IOCTL commands, there is no mutex lock protecting the allocated memory. If one thread sends the ioctl cmd IPA_IOC_QUERY_RT_TBL_INDEX while another sends the ioctl cmd IPA_IOC_DEL_RT_RULE, a use-after-free condition may occur.
Technology Area: Data Network Stack & Connectivity
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 5/3/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-11046

CVE ID: CVE-2017-11046
Title: Improper Restriction of Operations within the Bounds of a Memory Buffer in Audio
Description: When an audio driver ioctl handler is called, a kernel out-of-bounds write can potentially occur.
Technology Area: Audio
Vulnerability Type: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector: Local
Security Rating: Medium
Date Reported: 5/8/2017
Customer Notified Date: 9/1/2017
Patch:

CVE-2017-11057

CVE ID: CVE-2017-11057
Title: Untrusted Pointer Dereference in Camera
Description: In compat mode, flash_data from 64-bit userspace may cause disclosure of kernel memory or a fault due to using a userspace-provided address.
Technology Area: Camera
Vulnerability Type: CWE-822 Untrusted Pointer Dereference
Access Vector: Local
Security Rating: Medium
Date Reported: 5/8/2017
Customer Notified Date: 10/2/2017
Patch:

CVE-2017-11056

CVE ID: CVE-2017-11056
Title: Untrusted Pointer Dereference in Core
Description: While performing SHA and cipher operations, a userspace buffer is directly accessed in kernel space, potentially leading to a page fault.
Technology Area: Trusted Execution Environment
Vulnerability Type: CWE-822 Untrusted Pointer Dereference
Access Vector: Local
Security Rating: Medium
Date Reported: 5/8/2017
Customer Notified Date: 10/2/2017
Patch:

CVE-2017-11055

CVE ID: CVE-2017-11055
Title: Incorrect Calculation of Buffer Size in WLAN
Description: While processing a specially crafted QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION cfg80211 vendor command, a buffer over-read can occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-131 Incorrect Calculation of Buffer Size
Access Vector: Local
Security Rating: Medium
Date Reported: 5/31/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-11067

CVE ID: CVE-2017-11067
Title: Use of Out-of-range Pointer Offset in WLAN
Description: The Athdiag procfs entry does not have a proper address sanity check, which may potentially lead to the use of an out-of-range pointer offset.
Technology Area: WLAN HOST
Vulnerability Type: CWE-823 Use of Out-of-range Pointer Offset
Access Vector: Local
Security Rating: Medium
Date Reported: 6/1/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-11091

CVE ID: CVE-2017-11091
Title: Use After Free in Display
Description: In the function mdss_rotator_ioctl in the driver /dev/mdss_rotator, a Use-After-Free condition can potentially occur due to a fence being installed too early.
Technology Area: Display
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 6/2/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-11050

CVE ID: CVE-2017-11050
Title: Buffer Copy without Checking Size of Input in WLAN
Description: When the pktlogconf tool gives a pktlog buffer of size less than the minimal possible source data size in the host driver, a buffer overflow can potentially occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
Date Reported: 6/1/2017
Customer Notified Date: 10/2/2017
Patch:

CVE-2017-14881

CVE ID: CVE-2017-14881
Title: Use After Free in Data
Description: While calling the IPA IOCTL handler for IPA_IOC_ADD_HDR_PROC_CTX, a use-after-free condition may potentially occur.
Technology Area: Data Network Stack & Connectivity
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 8/2/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-14903

CVE ID: CVE-2017-14903
Title: Potential buffer over-read when processing SENDACTIONFRAME IOCTL
Description: While processing the SENDACTIONFRAME IOCTL, a buffer over-read can occur if the payload length is less than 7.
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 7/18/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-14891

CVE ID: CVE-2017-14891
Title: Information Exposure in Graphics
Description: In the KGSL driver function _gpuobj_map_useraddr(), the contents of the stack can get leaked due to an uninitialized variable.
Technology Area: Graphics_Linux
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 8/10/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-14892

CVE ID: CVE-2017-14892
Title: Use After Free in Audio
Description: In the function msm_pcm_hw_params(), the return value of q6asm_open_shared_io() is not checked properly, potentially leading to a dangling pointer access.
Technology Area: Audio
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 8/15/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-15826

CVE ID: CVE-2017-15826
Title: Double free in mdss_rotator_release_from_work_distribution()
Description: Due to a race condition in the MDSS rotator, a double free vulnerability may potentially exist when two threads free the same perf structures.
Technology Area: Display
Vulnerability Type: CWE-415 Double Free
Access Vector: Local
Security Rating: Medium
Date Reported: 8/17/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-15823

CVE ID: CVE-2017-15823
Title: Improper Input Validation in WLAN
Description: In spectral_create_samp_msg(), some values from firmware are not properly validated, potentially leading to a buffer overflow.
Technology Area: WLAN HOST
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: 9/19/2017
Customer Notified Date: 11/6/2017
Patch:

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux that are not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version  Date               Comments
1.0      February 15, 2018  Bulletin Published