Version 1.0
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2016-8444, CVE-2017-0441, CVE-2017-0443, CVE-2017-11061, CVE-2017-15837, CVE-2017-15853, CVE-2018-3584, CVE-2018-5826 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
| CVE-2017-11075 | Pengfei Ding <604559863@qq.com> |
| CVE-2017-14890, CVE-2017-14894, CVE-2017-15836, CVE-2018-3566, CVE-2018-3567, CVE-2018-3568, CVE-2018-5828 | Gengjia Chen ( @chengjia4574 ), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2017-15817, CVE-2017-15822 | Scott Bauer < sbauer@plzdonthack.me > |
| CVE-2017-18152 | This issue was reported to Qualcomm by a security researcher who asked to remain anonymous. |
| CVE-2018-3563 | Peter Pi of Tencent Security Platform Department |
Table of vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2016-8418 | Critical | Trusted Execution Environment | Internal |
| CVE-2016-8444 | High | Camera | 9/21/2016 |
| CVE-2017-0441 | High | WLAN HOST | 11/23/2016 |
| CVE-2017-0443 | High | WLAN HOST | 11/16/2016 |
| CVE-2017-11061 | Medium | WLAN HOST | 5/31/2017 |
| CVE-2017-11075 | Medium | Audio | 8/22/2017 |
| CVE-2017-14890 | High | WLAN HOST | 9/15/2017 |
| CVE-2017-14894 | High | WLAN HOST | 9/30/2017 |
| CVE-2017-14896 | Medium | Trusted Execution Environment | Internal |
| CVE-2017-15817 | Critical | WLAN HOST | 5/14/2017 |
| CVE-2017-15822 | Critical | WLAN HOST | 8/4/2017 |
| CVE-2017-15836 | High | WLAN HOST | 9/29/2017 |
| CVE-2017-15837 | Medium | WLAN HOST | 9/19/2017 |
| CVE-2017-15846 | Medium | Camera | 7/27/2017 |
| CVE-2017-15853 | Medium | WLAN HOST | 9/19/2017 |
| CVE-2017-15859 | High | WLAN HOST | Internal |
| CVE-2017-15860 | High | WLAN HOST | Internal |
| CVE-2017-15861 | High | WLAN HOST | Internal |
| CVE-2017-15862 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-17764 | High | WLAN HOST | Internal |
| CVE-2017-17765 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-17766 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-17770 | High | Kernel | Internal |
| CVE-2017-17771 | High | Camera | Internal |
| CVE-2017-18152 | High | WLAN HOST | 11/16/2017 |
| CVE-2018-3563 | High | Audio | 11/2/2017 |
| CVE-2018-3566 | High | WLAN HOST | 10/24/2017 |
| CVE-2018-3567 | High | WLAN HOST | 11/6/2017 |
| CVE-2018-3568 | High | WLAN HOST | 11/13/2017 |
| CVE-2018-3584 | Medium | Connectivity | 10/20/2017 |
| CVE-2018-3598 | Medium | Camera | 12/5/2016 |
| CVE-2018-3599 | High | Core Services | Internal |
| CVE-2018-5820 | High | WLAN HOST | Internal |
| CVE-2018-5821 | High | WLAN HOST | Internal |
| CVE-2018-5822 | High | WLAN HOST | Internal |
| CVE-2018-5823 | High | WLAN HOST | 6/20/2017 |
| CVE-2018-5824 | High | WLAN HOST | Internal |
| CVE-2018-5825 | High | Data Network Stack & Connectivity | Internal |
| CVE-2018-5826 | Medium | WLAN HOST | 11/28/2017 |
| CVE-2018-5827 | High | WLAN HOST | 6/20/2017 |
| CVE-2018-5828 | High | WLAN HOST | 9/18/2017 |
CVE-2016-8418
| CVE ID | CVE-2016-8418 |
| Title | Improper Acess Control in Crypto Driver |
| Description | A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Network |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 12/13/2016 |
| Patch |
CVE-2016-8444
| CVE ID | CVE-2016-8444 |
| Title | Improper Acess Control in Camera |
| Description | An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel. |
| Technology Area | Camera |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/21/2016 |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-0441
| CVE ID | CVE-2017-0441 |
| Title | Possible integer overflow to buffer overflow in QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE |
| Description | The wlan driver supports the vendor command QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE, which supplies a “number of APs” attribute as well as a list of per-AP attributes. However there is no validation that the number of APs provided won’t overflow the destination buffer. In addition there is no validation that the number of APs actually provided matches the number of APs expected. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/23/2016 |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-0443
| CVE ID | CVE-2017-0443 |
| Title | Out-of-bounds write in wlan driver at function __wlan_hdd_cfg80211_set_ext_roam_params |
| Description | When processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/16/2016 |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-11061
| CVE ID | CVE-2017-11061 |
| Title | Buffer Over-read in WLAN |
| Description | While processing cfg80211 vendor sub command QCA_NL80211_VENDOR_SUBCMD_ROAM, a buffer over-read can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/31/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11075
| CVE ID | CVE-2017-11075 |
| Title | Use After Free in Audio |
| Description | If cmd_pkt and reg_pkt are called from different userspace threads, a use after free condition can potentially occur in wdsp_glink_write(). |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/22/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-14890
| CVE ID | CVE-2017-14890 |
| Title | Improper Validation of Array Index in WLAN |
| Description | In the processing of an SWBA event, the vdev_map value is not properly validated leading to a potential buffer overwrite in function wma_send_bcn_buf_ll(). |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/15/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-14894
| CVE ID | CVE-2017-14894 |
| Title | Improper Validation of Array Index in WLAN |
| Description | In wma_vdev_start_resp_handler(), vdev id is received from firmware as part of WMI_VDEV_START_RESP_EVENTID. This vdev id can be greater than max bssid stored in wma handle and this would result in buffer overwrite while accessing wma_handle->interfaces[vdev_id]. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/30/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-14896
| CVE ID | CVE-2017-14896 |
| Title | Integer overflow leading to kernel memory write in gud driver |
| Description | There is a memory allocation without a length field validation in the mobicore driver which can result in an undersize buffer allocation. Ultimately this can result in a kernel memory overwrite. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-15817
| CVE ID | CVE-2017-15817 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | When an access point sends a challenge text greater than 128 bytes, the host driver is unable to validate this potentially leading to authentication failure. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 5/14/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-15822
| CVE ID | CVE-2017-15822 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | While processing a 802.11 management frame, a buffer overflow may potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 8/4/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-15836
| CVE ID | CVE-2017-15836 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | If the firmware sends a service ready event to the host with a large number in the num_hw_modes or num_phy, then it could result in an integer overflow which may potentially lead to a buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/29/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-15837
| CVE ID | CVE-2017-15837 |
| Title | Buffer Over-read in WLAN |
| Description | A policy for the packet pattern attribute NL80211_PKTPAT_OFFSET is not defined which can lead to a buffer over-read in nla_get_u32(). |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/19/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-15846
| CVE ID | CVE-2017-15846 |
| Title | Untrusted Pointer Dereference in Camera |
| Description | In the video_ioctl2() function in the camera driver, an untrusted pointer dereference may potentially occur. |
| Technology Area | Camera |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/27/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-15853
| CVE ID | CVE-2017-15853 |
| Title | Buffer Over-read in WLAN |
| Description | While processing PTT commands, ptt_sock_send_msg_to_app() is invoked without validating the packet length. If the packet length is invalid, then a buffer over-read can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/19/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-15859
| CVE ID | CVE-2017-15859 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | While processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE_DECR_DB vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE_DECR_DB contains fewer than 1 byte, a buffer overrun occurs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-15860
| CVE ID | CVE-2017-15860 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | While processing an encrypted authentication management frame, a stack buffer overflow may potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-15861
| CVE ID | CVE-2017-15861 |
| Title | Improper Input Validation |
| Description | In the function wma_roam_synch_event_handler(), vdev_id is received from firmware and used to access an array without validation. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-15862
| CVE ID | CVE-2017-15862 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | In wma_unified_link_radio_stats_event_handler(), the number of radio channels coming from firmware is not properly validated potentially to an integer overflow vulnerability followed by a buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-17764
| CVE ID | CVE-2017-17764 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | The num_failure_info value from firmware is not properly validated in wma_rx_aggr_failure_event_handler() so that an integer overflow vulnerability in a buffer size calculation may potentially lead to a buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-17765
| CVE ID | CVE-2017-17765 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | Multiple values received from firmware are not properly validated in wma_get_ll_stats_ext_buf() and are used to allocate the sizes of buffers and may be vulnerable to integer overflow leading to buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-17766
| CVE ID | CVE-2017-17766 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | In wma_peer_info_event_handler(), the value of num_peers received from firmware is not properly validated so that an integer overflow vulnerability in the size of a buffer allocation may potentially lead to a buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-17770
| CVE ID | CVE-2017-17770 |
| Title | Untrusted Pointer Dereference in Power |
| Description | In a power driver ioctl handler, an Untrusted Pointer Dereference may potentially occur. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-17771
| CVE ID | CVE-2017-17771 |
| Title | Improper Validation of Array Index in Camera |
| Description | In msm_isp_prepare_v4l2_buf, an array out of bounds can occur. |
| Technology Area | Camera |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-18152
| CVE ID | CVE-2017-18152 |
| Title | Improper Validation of Array Index in WLAN |
| Description | A Buffer overwrite vulnerability exists in WLAN power level status handler due to improper Validation of array index. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/16/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3563
| CVE ID | CVE-2018-3563 |
| Title | Untrusted Pointer Dereference in Audio |
| Description | Untrusted pointer dereference in apr_cb_func can lead to an arbitrary code exectuion |
| Technology Area | Audio |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/2/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
|
CVE-2018-3566
| CVE ID | CVE-2018-3566 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | A buffer overwrite may occur in ProcSetReqInternal() due to missing length check |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 10/24/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3567
| CVE ID | CVE-2018-3567 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | A Buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/6/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3568
| CVE ID | CVE-2018-3568 |
| Title | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) in WLAN. |
| Description | In the packet logging feature, a buffer overflow can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/13/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3584
| CVE ID | CVE-2018-3584 |
| Title | Use After Free in Wiredconnectivity |
| Description | A Use After Free condition can occur in the function rmnet_usb_ctrl_init(). |
| Technology Area | Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/20/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3598
| CVE ID | CVE-2018-3598 |
| Title | Information Exposure in Camera |
| Description | Insufficient validation of parameters from userspace In the camera driver can lead to information leak and out-of-bounds access |
| Technology Area | Camera |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/5/2016 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-3599
| CVE ID | CVE-2018-3599 |
| Title | Use After Free in Core |
| Description | While notifying a DCI client, a Use After Free condition can occur. |
| Technology Area | Core Services |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5820
| CVE ID | CVE-2018-5820 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | In the function wma_tbttoffset_update_event_handler(), a parameter received from firmware is used to allocate memory for a local buffer and is not properly validated. This can potentially result in an integer overflow subsequently leading to a heap overwrite. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5821
| CVE ID | CVE-2018-5821 |
| Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN |
| Description | In function wma_wow_wakeup_host_event(), wake_info->vdev_id is received from FW and is used directly as array index to access wma->interfaces whose max index should be (max_bssid-1). If wake_info->vdev_id is greater than or equal to max_bssid, an out-of-bounds read occurs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5822
| CVE ID | CVE-2018-5822 |
| Title | Buffer overflow vulnerability in WLAN |
| Description | Compromised WLAN FW can potentially cause a buffer overwrite |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5823
| CVE ID | CVE-2018-5823 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | Improper buffer length validation in extscan hotlist event can lead to potential buffer overflow |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 6/20/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5824
| CVE ID | CVE-2018-5824 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | While processing HTT_T2H_MSG_TYPE_RX_FLUSH or HTT_T2H_MSG_TYPE_RX_PN_IND messages, a buffer overflow can occur if the tid value obtained from the firmware is out of range. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5825
| CVE ID | CVE-2018-5825 |
| Title | Use After Free in Data |
| Description | In the kernel IPA driver, a Use After Free condition can occur. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/5/2018 |
| Patch |
|
CVE-2018-5826
| CVE ID | CVE-2018-5826 |
| Title | Use After Free in WLAN |
| Description | Due to a race condition, a Use After Free condition can occur in the WLAN driver. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/28/2017 |
| Customer Notified Date | 3/5/2018 |
| Patch |
CVE-2018-5827
| CVE ID | CVE-2018-5827 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | A buffer overflow Vulnerability exists in WLAN while processing an extscan hotlist event |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 6/20/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5828
| CVE ID | CVE-2018-5828 |
| Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN |
| Description | In function wma_extscan_start_stop_event_handler(), vdev_id comes from the variable event from firmware and is not properly validated potentially leading to a buffer overwrite. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/18/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
Industry Coordination
Security ratings of issues included in Android security
bulletins and these bulletins match in the most common scenarios but may
differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific
scenarios that involves local denial of service or privilege escalation
vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | April 24, 2018 | Bulletin Published |