Version 1.1
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2017-9699, CVE-2016-5869, CVE-2017-9695 | Jianqiang Zhao(@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
| CVE-2017-15858, CVE-2017-18149, CVE-2017-18151 | Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2017-11082, CVE-2017-14885, CVE-2017-14887, CVE-2017-14889, CVE-2017-15821, CVE-2017-15830, CVE-2017-15831, CVE-2017-18148, CVE-2017-18150 | Gengjia Chen (@chengjia4574) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd |
| CVE-2017-9707 | Yuan-Tsung Lo (computernik@gmail.com), and Xuxian Jiang of C0RE Team (http://c0reteam.org) |
| CVE-2017-11034 | Chengming Yang, Baozeng Ding, and Yang Song of Alibaba Mobile Security Group |
| CVE-2017-15833 | Yang Dai(huahuaisadog@gmail.com) and Yu Pan (panyu6325@gmail.com) of vulpecker Team, Qihoo 360 Technology Co. Ltd |
| CVE-2017-14878, CVE-2017-15815 | Scott Bauer < sbauer@plzdonthack.me > |
| CVE-2018-3575 | derrek (https://twitter.com/derrekr6) |
| CVE-2017-14886, CVE-2017-15820, CVE-2017-15829 | Peter Pi of Tencent Security Platform Department |
| CVE-2017-14882 | Hao Chen (@flankersky) and Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. |
| CVE-2018-3560 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
Table of vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2017-11021 | High | WLAN HOST | 3/8/2017 |
| CVE-2016-5869 | Medium | Data Network Stack & Connectivity | 1/17/2017 |
| CVE-2017-18148 | Medium | Display | 1/9/2017 |
| CVE-2017-8245 | Medium | Audio | 2/16/2017 |
| CVE-2017-18149 | Medium | Trusted Execution Environment | 2/21/2017 |
| CVE-2017-9695 | Medium | Audio | 2/20/2017 |
| CVE-2017-18150 | Medium | Touch | 2/16/2017 |
| CVE-2017-18151 | Medium | Trusted Execution Environment | 2/25/2017 |
| CVE-2017-9699 | Medium | Audio | 2/25/2017 |
| CVE-2017-15855 | High | WLAN HOST | 11/16/2017 |
| CVE-2017-15858 | Medium | Linux Kernel | 3/16/2017 |
| CVE-2017-9707 | Medium | Kernel | 3/23/2017 |
| CVE-2017-11074 | High | WLAN HOST | Internal |
| CVE-2017-18069 | Medium | WLAN HOST | Internal |
| CVE-2017-14879 | Medium | Data Network Stack & Connectivity | Internal |
| CVE-2017-11034 | Medium | Data Network Stack & Connectivity | 5/8/2017 |
| CVE-2017-15833 | Medium | Power | 5/11/2017 |
| CVE-2017-14878 | Medium | WLAN HOST | 6/17/2017 |
| CVE-2017-11082 | Medium | WLAN HOST | 4/24/2017 |
| CVE-2017-18068 | High | WLAN HOST | Internal |
| CVE-2017-18067 | High | WLAN HOST | Internal |
| CVE-2018-3575 | Medium | BTHOST | 7/20/2017 |
| CVE-2017-15820 | High | Graphics_Linux | 8/10/2017 |
| CVE-2017-15815 | Critical | WLAN HOST | 8/4/2017 |
| CVE-2017-15829 | High | Graphics_Linux | 8/10/2017 |
| CVE-2017-14882 | High | WLAN HOST | 8/18/2017 |
| CVE-2017-18066 | High | Power | Internal |
| CVE-2017-15821 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-18065 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-14885 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-15831 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-18064 | High | WLAN HOST | Internal |
| CVE-2017-18063 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-18062 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-14886 | High | Graphics_Linux | 8/10/2017 |
| CVE-2017-18061 | High | WIGIG HOST | Internal |
| CVE-2017-18060 | Medium | WLAN HOST | Internal |
| CVE-2017-18059 | Medium | WLAN HOST | 9/14/2017 |
| CVE-2017-18058 | High | WLAN HOST | Internal |
| CVE-2017-18057 | Medium | WLAN HOST | Internal |
| CVE-2017-18056 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-18055 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-18054 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-18053 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-18052 | Medium | WLAN HOST | Internal |
| CVE-2017-18051 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-18050 | High | WLAN HOST | Internal |
| CVE-2017-14887 | Medium | WLAN HOST | 9/21/2017 |
| CVE-2017-14889 | High | WLAN HOST | 9/29/2017 |
| CVE-2017-15830 | Medium | WLAN HOST | 9/22/2017 |
| CVE-2018-3560 | Medium | Audio | 11/3/2017 |
CVE-2017-11021
| CVE ID | CVE-2017-11021 |
| Title | Use of Insufficiently Random Values in WLAN |
| Description | The original mac spoofing feature does not use the following in probe request frames: (a) randomized sequence numbers and (b) randomized source address for cfg80211 scan, vendor scan and pno scan. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-330 Use of Insufficiently Random Values |
| Access Vector | Network |
| Security Rating | High |
| Date Reported | 3/8/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2016-5869
| CVE ID | CVE-2016-5869 |
| Title | Heap overflow vulnerability in ipa driver function ecm_ipa_debugfs_enable_write_dma |
| Description | When enabling ECM_IPA driver debug feature, a heap overflow can potentially occur. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/17/2017 |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-18148
| CVE ID | CVE-2017-18148 |
| Title | Race condition can cause buffer overflow in debugfs |
| Description | In debugfs function panel_debug_base_offset_write(), a race condition can result in buffer overwrite, overread, or memory contents leak to the user space. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/9/2017 |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-8245
| CVE ID | CVE-2017-8245 |
| Title | Out of bounds read when processing a voice SVC request |
| Description | While processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs. |
| Technology Area | Audio |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/16/2017 |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-18149
| CVE ID | CVE-2017-18149 |
| Title | Possible stack-based buffer overflow in QCEDEV_IOCTL_SHA_UPDATE_REQ ioctl command handler in QCE driver |
| Description | Calling QCEDEV_IOCTL_SHA_UPDATE_REQ ioctl simultaneously from multiple threads may result in a stack based overflow. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/21/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-9695
| CVE ID | CVE-2017-9695 |
| Title | Double free in wdsp_glink_driver in MSM CCI driver function wdsp_glink_ch_info_init |
| Description | There could be a double free in wdsp_glink_driver in function wdsp_glink_ch_info_init if it’s accessed from multiple clients. |
| Technology Area | Audio |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/20/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-18150
| CVE ID | CVE-2017-18150 |
| Title | Possible heap overwrite in touchscreen driver |
| Description | In fwu_get_image_firmware_id, a heap overflow will occur if the substring that we extract is larger than the size of the “firmware_id” buffer – 2. |
| Technology Area | Touch |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/16/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-18151
| CVE ID | CVE-2017-18151 |
| Title | Use after free in MSM SPCOM driver function spcom_handle_lock_ion_buf_command |
| Description | In spcom_handle_lock_ion_buf_command(), a Use After Free condition can occur due to a reference counter not being decreased under error conditions. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/25/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-9699
| CVE ID | CVE-2017-9699 |
| Title | Use After Free in Audio |
| Description | In the audio driver, a shared data structure could potentially be freed in one thread while still being accessed from another, when both the debug file and the driver node are accessed simultaneously. |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/25/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-15855
| CVE ID | CVE-2017-15855 |
| Title | Improper Validation of Array Index in WLAN |
| Description | In wma_unified_radio_tx_power_level_stats_event_handler(), power_level_offset is received from firmware and if it is greater than total_num_tx_power_levels, then a buffer overwrite can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/16/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-15858
| CVE ID | CVE-2017-15858 |
| Title | Use after Free in Linux Kernel |
| Description | In the tx99 debug interface of the ath9k driver, a Use After Free condition can occur. |
| Technology Area | Linux Kernel |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/16/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-9707
| CVE ID | CVE-2017-9707 |
| Title | Improper Input Validation in Kernel |
| Description | If the iommu debug interface is enabled it is possible to write to registers. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/23/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-11074
| CVE ID | CVE-2017-11074 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | Removal of obsolete set/reset ssid hotlist API. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-18069
| CVE ID | CVE-2017-18069 |
| Title | Buffer over-read in wlan driver function oem_cmd_handler() |
| Description | While processing a WLAN_NL_MSG_OEM netlink message in the oem_cmd_handler() function, a buffer over-read may potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-14879
| CVE ID | CVE-2017-14879 |
| Title | Use of Out-of-range Pointer Offset in IPA |
| Description | By calling an IPA ioctl and searching for routing/filer/hdr rule handle from ipa_idr pointer using ipa_idr_find() function, the wrong structure pointer can be returned resulting in a slab out of bound access in the IPA driver. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 11/6/2017 |
| Patch |
|
CVE-2017-11034
| CVE ID | CVE-2017-11034 |
| Title | Buffer Copy without Checking Size of Input in Data |
| Description | While processing gsi_rst_stats() with ch_idx -1 an out of bound access occurs. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/8/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-15833
| CVE ID | CVE-2017-15833 |
| Title | Untrusted Pointer Dereference in Core |
| Description | In a power driver ioctl handler, an Untrusted Pointer Dereference may potentially occur. |
| Technology Area | Power |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/11/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-14878
| CVE ID | CVE-2017-14878 |
| Title | Loop with Unreachable Exit Condition in WLAN |
| Description | A length variable which is used to copy data has size only 8 bits and can be exceeded resulting in a denial of service. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’) |
| Access Vector | AdjacentNetwork |
| Security Rating | Medium |
| Date Reported | 6/17/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
|
CVE-2017-11082
| CVE ID | CVE-2017-11082 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | Due to a race condition in a firmware loading routine, a buffer overflow could potentially occur if multiple user space threads try to update the WLAN firmware file through sysfs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/24/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-18068
| CVE ID | CVE-2017-18068 |
| Title | Buffer overflow vulnerability in wmi roam scan filter cmd |
| Description | The length of buffer used to send in wmi_unified_roam_scan_filter_cmd is calculated in wma_roam_scan_filter and it does not take care of all the TLV header potentially leading to a buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18067
| CVE ID | CVE-2017-18067 |
| Title | Stack overflow vulnerability while processing encrypted AUTH Frame |
| Description | While processing an encrypted authentication management frame, a stack buffer overflow may potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2018-3575
| CVE ID | CVE-2018-3575 |
| Title | Improper Validation of Array Index in Bluetooth |
| Description | In the Bluetooth driver, an out-of-bounds read can occur while processing a firmware file. |
| Technology Area | BTHOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/20/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-15820
| CVE ID | CVE-2017-15820 |
| Title | Use After Free in Graphics |
| Description | In a KGSL IOCTL handler, a Use After Free Condition can potentially occur. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 8/10/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-15815
| CVE ID | CVE-2017-15815 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | Potential buffer overflow can happen when processing any 802.11 MGMT frames like Auth frame in limProcessAuthFrame. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 8/4/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-15829
| CVE ID | CVE-2017-15829 |
| Title | Race condition in GPU Driver |
| Description | A race condition exists in a GPU Driver which can potentially lead to a Use After Free condition. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 8/10/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-14882
| CVE ID | CVE-2017-14882 |
| Title | Buffer Over-read in WLAN |
| Description | While processing VENDOR specific action frame in the function lim_process_action_vendor_specifi(), a comparison is performed with the incoming action frame body without validating if the action frame body received is of valid length potentially leading to an out-of-bounds access. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Network |
| Security Rating | High |
| Date Reported | 8/18/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-18066
| CVE ID | CVE-2017-18066 |
| Title | Use After Free in Power |
| Description | In msm_core_ioctl(), memory can potentially be accessed after it has been freed. |
| Technology Area | Power |
| Vulnerability Type | CWE-16 Configuration |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-15821
| CVE ID | CVE-2017-15821 |
| Title | Improper Input Validation in WLAN |
| Description | In the function wma_p2p_noa_event_handler(), there is no bound check on a value coming from firmware which can potentially lead to a buffer overwrite. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-18065
| CVE ID | CVE-2017-18065 |
| Title | Arbitrary function execution in function wma_action_frame_filter_mac_event_handler |
| Description | In function “wma_action_frame_filter_mac_event_handler”, variable “event->vdev_id” is a uint32 received from firmware that is not properly validated. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-14885
| CVE ID | CVE-2017-14885 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | wma_unified_link_peer_stats_event_handler function has a variable num_rates which represents the sum of all the peer_stats->num_rates. The current behavior in this function is to validate only the num_rates of the first peer stats (peer_stats->num_rates) against WMA_SVC_MSG_MAX_SIZE, but not the sum of all the peer’s num_rates (num_rates) which may lead to a buffer overflow when the firmware buffer is copied in to the allocated buffer (peer_stats) as the size for the memory allocation – link_stats_results_size is based on num_rates. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-15831
| CVE ID | CVE-2017-15831 |
| Title | Potential Integer Overflow leading to Buffer Overflow in wma_ndp_end_indication_event_handler() |
| Description | In wma_ndp_end_indication_event_handler(), num_ndp_end_indication_list is a variable received from firmware that is not properly sanitized and an integer overflow leading to buffer overflow may potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18064
| CVE ID | CVE-2017-18064 |
| Title | Improper Input Validation in WLAN |
| Description | In wma_send_bcn_buf_ll(), there is no upper bound check on the number of P2P NOA descriptors coming from firmware. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-18063
| CVE ID | CVE-2017-18063 |
| Title | Improper Input Validation in WLAN |
| Description | In wma_nlo_match_evt_handler(), the variable nlo_event comes from firmware and the vdev ID is not properly validated. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-18062
| CVE ID | CVE-2017-18062 |
| Title | Improper Input Validation in WLAN |
| Description | In wma_process_utf_event(), there is no bounds check on datalen which may potentially lead to a buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-14886
| CVE ID | CVE-2017-14886 |
| Title | Loop with Unreachable Exit Condition (‘Infinite Loop’) in Graphics |
| Description | In the ioctl handler for the command IOCTL_KGSL_SPARSE_BIND, an infinite loop may potentially occur. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 8/10/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18061
| CVE ID | CVE-2017-18061 |
| Title | Potential buffer overflow in wil_aoa_evt_meas() |
| Description | While processing an AOA measurement event from WIGIG firmware, the len argument is not properly validated. |
| Technology Area | WIGIG HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Network |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18060
| CVE ID | CVE-2017-18060 |
| Title | Potential Out-of-bounds Read in wma_unified_bcntx_status_event_handler() |
| Description | In wma_unified_bcntx_status_event_handler(), resp_event->vdev_id is received from firmware and is not properly validated potentially leading to an out-of-bounds read. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18059
| CVE ID | CVE-2017-18059 |
| Title | Potential buffer over read in wma_scan_event_callback() |
| Description | In wma_scan_event_callback(), vdev id is received from firmware as part of WMI_SCAN_EVENTID and is not properly validated which can potentially lead to a buffer overread. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18058
| CVE ID | CVE-2017-18058 |
| Title | Potential Buffer Over-read in wma_wow_wakeup_host_event() |
| Description | In wma_wow_wakeup_host_event(), the wow_buf_pkt_len value received from firmware as part of WMI_WOW_WAKEUP_HOST_EVENTID is not properly validated potentially leading to a buffer over-read. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18057
| CVE ID | CVE-2017-18057 |
| Title | Potential buffer over read in wma_nlo_scan_cmp_evt_handler() |
| Description | In wma_nlo_scan_cmp_evt_handler(), vdev id is received from firmware as part of WMI_NLO_SCAN_COMPLETE_EVENTID and not properly validated potentially leading to a buffer overread. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18056
| CVE ID | CVE-2017-18056 |
| Title | Buffer overflow in wma_mcc_vdev_tx_pause_evt_handler() |
| Description | In wma_mcc_vdev_tx_pause_evt_handler(), an out-of-bounds access can occur if the vdev_id is larger than wma->max_bssid using the vdev_map received by the function. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18055
| CVE ID | CVE-2017-18055 |
| Title | Buffer overflow while processing HW mode change response from WLAN Firmware |
| Description | While processing a hardware mode change response from WLAN firmware, a buffer overflow will occur if the number of VDEVs are more than maximum supported VDEVs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18054
| CVE ID | CVE-2017-18054 |
| Title | Possible buffer overflow in wma_pdev_hw_mode_transition_evt_handler() |
| Description | In wma_pdev_hw_mode_transition_evt_handler(), num_vdev_mac_entries comes from firmware and is not properly validated potentially leading to a buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18053
| CVE ID | CVE-2017-18053 |
| Title | Potential Out-of-bounds read in function wma_p2p_lo_event_handler() |
| Description | In the function wma_p2p_lo_event_handler(), fix_param->vdev_id is received from firmware and is not properly validated potentially leading to an out-of-bounds read. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18052
| CVE ID | CVE-2017-18052 |
| Title | Potential Out-of-bounds read in WLAN driver function wma_mgmt_tx_bundle_completion_handler() |
| Description | In function wma_mgmt_tx_bundle_completion_handler(), cmpl_params->num_reports, param_buf->desc_ids and param_buf->status are received from firmware and not properly validated potentially leading to out of bounds access. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18051
| CVE ID | CVE-2017-18051 |
| Title | Potential Out-of-bounds Read in function wma_rcpi_event_handler() |
| Description | In the function wma_rcpi_event_handler(), event->vdev_id is received from the firmware and is not properly validated potentially leading to an out-of-bounds read. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-18050
| CVE ID | CVE-2017-18050 |
| Title | Potential Out-of-bounds Read in function wma_tbttoffset_update_event_handler |
| Description | In function wma_tbttoffset_update_event_handler, vdev_map is a uint32 received from firmware and not properly validated potentially leading to an out-of-bounds access. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-14887
| CVE ID | CVE-2017-14887 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | In the processing of messages of type eWNI_SME_MODIFY_ADDITIONAL_IES, an integer overflow leading to heap buffer overflow may potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/21/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-14889
| CVE ID | CVE-2017-14889 |
| Title | Improper Input Validation in WLAN |
| Description | Due to the lack of a range check on the array index into the WMI descriptor pool, arbitrary address execution may potentially occur in the process mgmt completion handler. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/29/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-15830
| CVE ID | CVE-2017-15830 |
| Title | Improper Validation of Array Index in WLAN |
| Description | While processing the command CCXPLMREQ, a buffer overflow can potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/22/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2018-3560
| CVE ID | CVE-2018-3560 |
| Title | Double Free in Audio |
| Description | In the audio driver, when opening a sound compression device, a Double Free condition can occur. |
| Technology Area | Audio |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/3/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | March 28, 2018 | Bulletin Published |
| 1.1 | July 9, 2018 | Removed CVE-2017-15834 due to rating downgrade |