March 2018 Code Aurora Security Bulletin

Version 1.1

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-9699, CVE-2016-5869, CVE-2017-9695 Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2017-15858, CVE-2017-18149, CVE-2017-18151 Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2017-11082, CVE-2017-14885, CVE-2017-14887, CVE-2017-14889, CVE-2017-15821, CVE-2017-15830, CVE-2017-15831, CVE-2017-18148, CVE-2017-18150 Gengjia Chen (@chengjia4574) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd
CVE-2017-9707 Yuan-Tsung Lo (computernik@gmail.com), and Xuxian Jiang of C0RE Team (http://c0reteam.org)
CVE-2017-11034 Chengming Yang, Baozeng Ding, and Yang Song of Alibaba Mobile Security Group
CVE-2017-15833 Yang Dai (huahuaisadog@gmail.com) and Yu Pan (panyu6325@gmail.com) of vulpecker Team, Qihoo 360 Technology Co. Ltd
CVE-2017-14878, CVE-2017-15815 Scott Bauer <sbauer@plzdonthack.me>
CVE-2018-3575 derrek (https://twitter.com/derrekr6)
CVE-2017-14886, CVE-2017-15820, CVE-2017-15829 Peter Pi of Tencent Security Platform Department
CVE-2017-14882 Hao Chen (@flankersky) and Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.
CVE-2018-3560 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.

Table of vulnerabilities

Public ID | Security Rating | Technology Area | Date Reported
CVE-2017-11021 | High | WLAN HOST | 3/8/2017
CVE-2016-5869 | Medium | Data Network Stack & Connectivity | 1/17/2017
CVE-2017-18148 | Medium | Display | 1/9/2017
CVE-2017-8245 | Medium | Audio | 2/16/2017
CVE-2017-18149 | Medium | Trusted Execution Environment | 2/21/2017
CVE-2017-9695 | Medium | Audio | 2/20/2017
CVE-2017-18150 | Medium | Touch | 2/16/2017
CVE-2017-18151 | Medium | Trusted Execution Environment | 2/25/2017
CVE-2017-9699 | Medium | Audio | 2/25/2017
CVE-2017-15855 | High | WLAN HOST | 11/16/2017
CVE-2017-15858 | Medium | Linux Kernel | 3/16/2017
CVE-2017-9707 | Medium | Kernel | 3/23/2017
CVE-2017-11074 | High | WLAN HOST | Internal
CVE-2017-18069 | Medium | WLAN HOST | Internal
CVE-2017-14879 | Medium | Data Network Stack & Connectivity | Internal
CVE-2017-11034 | Medium | Data Network Stack & Connectivity | 5/8/2017
CVE-2017-15833 | Medium | Power | 5/11/2017
CVE-2017-14878 | Medium | WLAN HOST | 6/17/2017
CVE-2017-11082 | Medium | WLAN HOST | 4/24/2017
CVE-2017-18068 | High | WLAN HOST | Internal
CVE-2017-18067 | High | WLAN HOST | Internal
CVE-2018-3575 | Medium | BTHOST | 7/20/2017
CVE-2017-15820 | High | Graphics_Linux | 8/10/2017
CVE-2017-15815 | Critical | WLAN HOST | 8/4/2017
CVE-2017-15829 | High | Graphics_Linux | 8/10/2017
CVE-2017-14882 | High | WLAN HOST | 8/18/2017
CVE-2017-18066 | High | Power | Internal
CVE-2017-15821 | High | WLAN HOST | 9/13/2017
CVE-2017-18065 | High | WLAN HOST | 9/13/2017
CVE-2017-14885 | High | WLAN HOST | 9/13/2017
CVE-2017-15831 | High | WLAN HOST | 9/14/2017
CVE-2017-18064 | High | WLAN HOST | Internal
CVE-2017-18063 | High | WLAN HOST | 9/13/2017
CVE-2017-18062 | High | WLAN HOST | 9/13/2017
CVE-2017-14886 | High | Graphics_Linux | 8/10/2017
CVE-2017-18061 | High | WIGIG HOST | Internal
CVE-2017-18060 | Medium | WLAN HOST | Internal
CVE-2017-18059 | Medium | WLAN HOST | 9/14/2017
CVE-2017-18058 | High | WLAN HOST | Internal
CVE-2017-18057 | Medium | WLAN HOST | Internal
CVE-2017-18056 | High | WLAN HOST | 9/14/2017
CVE-2017-18055 | High | WLAN HOST | 9/14/2017
CVE-2017-18054 | High | WLAN HOST | 9/14/2017
CVE-2017-18053 | High | WLAN HOST | 9/14/2017
CVE-2017-18052 | Medium | WLAN HOST | Internal
CVE-2017-18051 | High | WLAN HOST | 9/14/2017
CVE-2017-18050 | High | WLAN HOST | Internal
CVE-2017-14887 | Medium | WLAN HOST | 9/21/2017
CVE-2017-14889 | High | WLAN HOST | 9/29/2017
CVE-2017-15830 | Medium | WLAN HOST | 9/22/2017
CVE-2018-3560 | Medium | Audio | 11/3/2017

CVE-2017-11021

CVE ID CVE-2017-11021
Title Use of Insufficiently Random Values in WLAN
Description The original MAC spoofing feature does not use the following in probe request frames: (a) randomized sequence numbers and (b) randomized source addresses for cfg80211 scan, vendor scan and PNO scan.
Technology Area WLAN HOST
Vulnerability Type CWE-330 Use of Insufficiently Random Values
Access Vector Network
Security Rating High
Date Reported 3/8/2017
Customer Notified Date 8/7/2017
Patch

CVE-2016-5869

CVE ID CVE-2016-5869
Title Heap overflow vulnerability in ipa driver function ecm_ipa_debugfs_enable_write_dma
Description When enabling the ECM_IPA driver debug feature, a heap overflow can potentially occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 1/17/2017
Customer Notified Date 3/14/2017
Patch

CVE-2017-18148

CVE ID CVE-2017-18148
Title Race condition can cause buffer overflow in debugfs
Description In debugfs function panel_debug_base_offset_write(), a race condition can result in buffer overwrite, overread, or memory contents leak to the user space.
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 1/9/2017
Customer Notified Date 4/11/2017
Patch

CVE-2017-8245

CVE ID CVE-2017-8245
Title Out of bounds read when processing a voice SVC request
Description While processing a nonstandard voice SVC request that specifies a payload size exceeding its own declared size, an out-of-bounds memory copy occurs.
Technology Area Audio
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 2/16/2017
Customer Notified Date 4/11/2017
Patch

CVE-2017-18149

CVE ID CVE-2017-18149
Title Possible stack-based buffer overflow in QCEDEV_IOCTL_SHA_UPDATE_REQ ioctl command handler in QCE driver
Description Calling the QCEDEV_IOCTL_SHA_UPDATE_REQ ioctl simultaneously from multiple threads may result in a stack-based overflow.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/21/2017
Customer Notified Date 5/9/2017
Patch

CVE-2017-9695

CVE ID CVE-2017-9695
Title Double free in wdsp_glink_driver in MSM CCI driver function wdsp_glink_ch_info_init
Description There could be a double free in wdsp_glink_driver in function wdsp_glink_ch_info_init if it’s accessed from multiple clients.
Technology Area Audio
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 2/20/2017
Customer Notified Date 5/9/2017
Patch

CVE-2017-18150

CVE ID CVE-2017-18150
Title Possible heap overwrite in touchscreen driver
Description In fwu_get_image_firmware_id, a heap overflow will occur if the extracted substring is larger than the size of the "firmware_id" buffer minus 2.
Technology Area Touch
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/16/2017
Customer Notified Date 5/9/2017
Patch

CVE-2017-18151

CVE ID CVE-2017-18151
Title Use after free in MSM SPCOM driver function spcom_handle_lock_ion_buf_command
Description In spcom_handle_lock_ion_buf_command(), a Use After Free condition can occur due to a reference counter not being decreased under error conditions.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 2/25/2017
Customer Notified Date 5/9/2017
Patch

CVE-2017-9699

CVE ID CVE-2017-9699
Title Use After Free in Audio
Description In the audio driver, a shared data structure could potentially be freed in one thread while still being accessed from another, when both the debug file and the driver node are accessed simultaneously.
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 2/25/2017
Customer Notified Date 7/3/2017
Patch

CVE-2017-15855

CVE ID CVE-2017-15855
Title Improper Validation of Array Index in WLAN
Description In wma_unified_radio_tx_power_level_stats_event_handler(), power_level_offset is received from firmware and if it is greater than total_num_tx_power_levels, then a buffer overwrite can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 11/16/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-15858

CVE ID CVE-2017-15858
Title Use after Free in Linux Kernel
Description In the tx99 debug interface of the ath9k driver, a Use After Free condition can occur.
Technology Area Linux Kernel
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 3/16/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-9707

CVE ID CVE-2017-9707
Title Improper Input Validation in Kernel
Description If the iommu debug interface is enabled it is possible to write to registers.
Technology Area Kernel
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 3/23/2017
Customer Notified Date 7/3/2017
Patch

CVE-2017-11074

CVE ID CVE-2017-11074
Title Buffer Copy without Checking Size of Input in WLAN
Description Removal of obsolete set/reset ssid hotlist API.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/1/2017
Patch

CVE-2017-18069

CVE ID CVE-2017-18069
Title Buffer over-read in wlan driver function oem_cmd_handler()
Description While processing a WLAN_NL_MSG_OEM netlink message in the oem_cmd_handler() function, a buffer over-read may potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-14879

CVE ID CVE-2017-14879
Title Use of Out-of-range Pointer Offset in IPA
Description By calling an IPA ioctl and searching for a routing/filter/hdr rule handle from the ipa_idr pointer using the ipa_idr_find() function, the wrong structure pointer can be returned, resulting in a slab out-of-bounds access in the IPA driver.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2017-11034

CVE ID CVE-2017-11034
Title Buffer Copy without Checking Size of Input in Data
Description While processing gsi_rst_stats() with ch_idx -1, an out-of-bounds access occurs.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 5/8/2017
Customer Notified Date 8/7/2017
Patch

CVE-2017-15833

CVE ID CVE-2017-15833
Title Untrusted Pointer Dereference in Core
Description In a power driver ioctl handler, an Untrusted Pointer Dereference may potentially occur.
Technology Area Power
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating Medium
Date Reported 5/11/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-14878

CVE ID CVE-2017-14878
Title Loop with Unreachable Exit Condition in WLAN
Description A length variable which is used to copy data has size only 8 bits and can be exceeded resulting in a denial of service.
Technology Area WLAN HOST
Vulnerability Type CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’)
Access Vector Adjacent Network
Security Rating Medium
Date Reported 6/17/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-11082

CVE ID CVE-2017-11082
Title Buffer Copy without Checking Size of Input in WLAN
Description Due to a race condition in a firmware loading routine, a buffer overflow could potentially occur if multiple user space threads try to update the WLAN firmware file through sysfs.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 4/24/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-18068

CVE ID CVE-2017-18068
Title Buffer overflow vulnerability in wmi roam scan filter cmd
Description The length of the buffer used to send in wmi_unified_roam_scan_filter_cmd is calculated in wma_roam_scan_filter and does not account for all of the TLV headers, potentially leading to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-18067

CVE ID CVE-2017-18067
Title Stack overflow vulnerability while processing encrypted AUTH Frame
Description While processing an encrypted authentication management frame, a stack buffer overflow may potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Adjacent Network
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2018-3575

CVE ID CVE-2018-3575
Title Improper Validation of Array Index in Bluetooth
Description In the Bluetooth driver, an out-of-bounds read can occur while processing a firmware file.
Technology Area BTHOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 7/20/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-15820

CVE ID CVE-2017-15820
Title Use After Free in Graphics
Description In a KGSL IOCTL handler, a Use After Free Condition can potentially occur.
Technology Area Graphics_Linux
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 8/10/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-15815

CVE ID CVE-2017-15815
Title Buffer Copy without Checking Size of Input in WLAN
Description Potential buffer overflow can happen when processing any 802.11 MGMT frames like Auth frame in limProcessAuthFrame.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Adjacent Network
Security Rating Critical
Date Reported 8/4/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-15829

CVE ID CVE-2017-15829
Title Race condition in GPU Driver
Description A race condition exists in a GPU Driver which can potentially lead to a Use After Free condition.
Technology Area Graphics_Linux
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 8/10/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-14882

CVE ID CVE-2017-14882
Title Buffer Over-read in WLAN
Description While processing a vendor-specific action frame in the function lim_process_action_vendor_specifi(), a comparison is performed against the incoming action frame body without validating that the received action frame body is of valid length, potentially leading to an out-of-bounds access.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported 8/18/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-18066

CVE ID CVE-2017-18066
Title Use After Free in Power
Description In msm_core_ioctl(), memory can potentially be accessed after it has been freed.
Technology Area Power
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-15821

CVE ID CVE-2017-15821
Title Improper Input Validation in WLAN
Description In the function wma_p2p_noa_event_handler(), there is no bound check on a value coming from firmware which can potentially lead to a buffer overwrite.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-18065

CVE ID CVE-2017-18065
Title Arbitrary function execution in function wma_action_frame_filter_mac_event_handler
Description In function “wma_action_frame_filter_mac_event_handler”, variable “event->vdev_id” is a uint32 received from firmware that is not properly validated.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-14885

CVE ID CVE-2017-14885
Title Integer Overflow to Buffer Overflow in WLAN
Description The wma_unified_link_peer_stats_event_handler function has a variable num_rates which represents the sum of all the peer_stats->num_rates values. The current behavior in this function is to validate only the num_rates of the first peer stats (peer_stats->num_rates) against WMA_SVC_MSG_MAX_SIZE, but not the sum of all the peers' num_rates (num_rates). Because the size used for the memory allocation (link_stats_results_size) is based on num_rates, this may lead to a buffer overflow when the firmware buffer is copied into the allocated buffer (peer_stats).
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-15831

CVE ID CVE-2017-15831
Title Potential Integer Overflow leading to Buffer Overflow in wma_ndp_end_indication_event_handler()
Description In wma_ndp_end_indication_event_handler(), num_ndp_end_indication_list is a variable received from firmware that is not properly sanitized and an integer overflow leading to buffer overflow may potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 9/14/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18064

CVE ID CVE-2017-18064
Title Improper Input Validation in WLAN
Description In wma_send_bcn_buf_ll(), there is no upper bound check on the number of P2P NOA descriptors coming from firmware.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2017-18063

CVE ID CVE-2017-18063
Title Improper Input Validation in WLAN
Description In wma_nlo_match_evt_handler(), the variable nlo_event comes from firmware and the vdev ID is not properly validated.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-18062

CVE ID CVE-2017-18062
Title Improper Input Validation in WLAN
Description In wma_process_utf_event(), there is no bounds check on datalen which may potentially lead to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-14886

CVE ID CVE-2017-14886
Title Loop with Unreachable Exit Condition (‘Infinite Loop’) in Graphics
Description In the ioctl handler for the command IOCTL_KGSL_SPARSE_BIND, an infinite loop may potentially occur.
Technology Area Graphics_Linux
Vulnerability Type CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’)
Access Vector Local
Security Rating High
Date Reported 8/10/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18061

CVE ID CVE-2017-18061
Title Potential buffer overflow in wil_aoa_evt_meas()
Description While processing an AOA measurement event from WIGIG firmware, the len argument is not properly validated.
Technology Area WIGIG HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-18060

CVE ID CVE-2017-18060
Title Potential Out-of-bounds Read in wma_unified_bcntx_status_event_handler()
Description In wma_unified_bcntx_status_event_handler(), resp_event->vdev_id is received from firmware and is not properly validated potentially leading to an out-of-bounds read.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-18059

CVE ID CVE-2017-18059
Title Potential buffer over read in wma_scan_event_callback()
Description In wma_scan_event_callback(), the vdev id is received from firmware as part of WMI_SCAN_EVENTID and is not properly validated, which can potentially lead to a buffer over-read.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 9/14/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18058

CVE ID CVE-2017-18058
Title Potential Buffer Over-read in wma_wow_wakeup_host_event()
Description In wma_wow_wakeup_host_event(), the wow_buf_pkt_len value received from firmware as part of WMI_WOW_WAKEUP_HOST_EVENTID is not properly validated potentially leading to a buffer over-read.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-18057

CVE ID CVE-2017-18057
Title Potential buffer over read in wma_nlo_scan_cmp_evt_handler()
Description In wma_nlo_scan_cmp_evt_handler(), the vdev id is received from firmware as part of WMI_NLO_SCAN_COMPLETE_EVENTID and is not properly validated, potentially leading to a buffer over-read.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-18056

CVE ID CVE-2017-18056
Title Buffer overflow in wma_mcc_vdev_tx_pause_evt_handler()
Description In wma_mcc_vdev_tx_pause_evt_handler(), an out-of-bounds access can occur if a vdev_id derived from the vdev_map received by the function is larger than wma->max_bssid.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 9/14/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18055

CVE ID CVE-2017-18055
Title Buffer overflow while processing HW mode change response from WLAN Firmware
Description While processing a hardware mode change response from WLAN firmware, a buffer overflow will occur if the number of VDEVs is more than the maximum supported VDEVs.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/14/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18054

CVE ID CVE-2017-18054
Title Possible buffer overflow in wma_pdev_hw_mode_transition_evt_handler()
Description In wma_pdev_hw_mode_transition_evt_handler(), num_vdev_mac_entries comes from firmware and is not properly validated potentially leading to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/14/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18053

CVE ID CVE-2017-18053
Title Potential Out-of-bounds read in function wma_p2p_lo_event_handler()
Description In the function wma_p2p_lo_event_handler(), fix_param->vdev_id is received from firmware and is not properly validated potentially leading to an out-of-bounds read.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/14/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18052

CVE ID CVE-2017-18052
Title Potential Out-of-bounds read in WLAN driver function wma_mgmt_tx_bundle_completion_handler()
Description In function wma_mgmt_tx_bundle_completion_handler(), cmpl_params->num_reports, param_buf->desc_ids and param_buf->status are received from firmware and not properly validated potentially leading to out of bounds access.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-18051

CVE ID CVE-2017-18051
Title Potential Out-of-bounds Read in function wma_rcpi_event_handler()
Description In the function wma_rcpi_event_handler(), event->vdev_id is received from the firmware and is not properly validated potentially leading to an out-of-bounds read.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/14/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-18050

CVE ID CVE-2017-18050
Title Potential Out-of-bounds Read in function wma_tbttoffset_update_event_handler
Description In function wma_tbttoffset_update_event_handler, vdev_map is a uint32 received from firmware and is not properly validated, potentially leading to an out-of-bounds access.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-14887

CVE ID CVE-2017-14887
Title Buffer Copy without Checking Size of Input in WLAN
Description In the processing of messages of type eWNI_SME_MODIFY_ADDITIONAL_IES, an integer overflow leading to heap buffer overflow may potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 9/21/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-14889

CVE ID CVE-2017-14889
Title Improper Input Validation in WLAN
Description Due to the lack of a range check on the array index into the WMI descriptor pool, arbitrary address execution may potentially occur in the process mgmt completion handler.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported 9/29/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-15830

CVE ID CVE-2017-15830
Title Improper Validation of Array Index in WLAN
Description While processing the command CCXPLMREQ, a buffer overflow can potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 9/22/2017
Customer Notified Date 12/4/2017
Patch

CVE-2018-3560

CVE ID CVE-2018-3560
Title Double Free in Audio
Description In the audio driver, when opening a sound compression device, a Double Free condition can occur.
Technology Area Audio
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 11/3/2017
Customer Notified Date 2/5/2018
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not being enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version | Date | Comments
1.0 | March 28, 2018 | Bulletin Published
1.1 | July 9, 2018 | Removed CVE-2017-15834 due to rating downgrade