April 2018 Code Aurora Security Bulletin

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2016-8444, CVE-2017-0441, CVE-2017-0443, CVE-2017-11061, CVE-2017-15837, CVE-2017-15853, CVE-2018-3584, CVE-2018-5826 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2017-11075 Pengfei Ding <604559863@qq.com>
CVE-2017-14890, CVE-2017-14894, CVE-2017-15836, CVE-2018-3566, CVE-2018-3567, CVE-2018-3568, CVE-2018-5828 Gengjia Chen (@chengjia4574), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2017-15817, CVE-2017-15822 Scott Bauer <sbauer@plzdonthack.me>
CVE-2017-18152 This issue was reported to Qualcomm by a security researcher who asked to remain anonymous.
CVE-2018-3563 Peter Pi of Tencent Security Platform Department

Table of vulnerabilities

Public ID      | Security Rating | Technology Area                   | Date Reported
CVE-2016-8418  | Critical        | Trusted Execution Environment     | Internal
CVE-2016-8444  | High            | Camera                            | 9/21/2016
CVE-2017-0441  | High            | WLAN HOST                         | 11/23/2016
CVE-2017-0443  | High            | WLAN HOST                         | 11/16/2016
CVE-2017-11061 | Medium          | WLAN HOST                         | 5/31/2017
CVE-2017-11075 | Medium          | Audio                             | 8/22/2017
CVE-2017-14890 | High            | WLAN HOST                         | 9/15/2017
CVE-2017-14894 | High            | WLAN HOST                         | 9/30/2017
CVE-2017-14896 | Medium          | Trusted Execution Environment     | Internal
CVE-2017-15817 | Critical        | WLAN HOST                         | 5/14/2017
CVE-2017-15822 | Critical        | WLAN HOST                         | 8/4/2017
CVE-2017-15836 | High            | WLAN HOST                         | 9/29/2017
CVE-2017-15837 | Medium          | WLAN HOST                         | 9/19/2017
CVE-2017-15846 | Medium          | Camera                            | 7/27/2017
CVE-2017-15853 | Medium          | WLAN HOST                         | 9/19/2017
CVE-2017-15859 | High            | WLAN HOST                         | Internal
CVE-2017-15860 | High            | WLAN HOST                         | Internal
CVE-2017-15861 | High            | WLAN HOST                         | Internal
CVE-2017-15862 | High            | WLAN HOST                         | 9/13/2017
CVE-2017-17764 | High            | WLAN HOST                         | Internal
CVE-2017-17765 | High            | WLAN HOST                         | 9/13/2017
CVE-2017-17766 | High            | WLAN HOST                         | 9/13/2017
CVE-2017-17770 | High            | Kernel                            | Internal
CVE-2017-17771 | High            | Camera                            | Internal
CVE-2017-18152 | High            | WLAN HOST                         | 11/16/2017
CVE-2018-3563  | High            | Audio                             | 11/2/2017
CVE-2018-3566  | High            | WLAN HOST                         | 10/24/2017
CVE-2018-3567  | High            | WLAN HOST                         | 11/6/2017
CVE-2018-3568  | High            | WLAN HOST                         | 11/13/2017
CVE-2018-3584  | Medium          | Connectivity                      | 10/20/2017
CVE-2018-3598  | Medium          | Camera                            | 12/5/2016
CVE-2018-3599  | High            | Core Services                     | Internal
CVE-2018-5820  | High            | WLAN HOST                         | Internal
CVE-2018-5821  | High            | WLAN HOST                         | Internal
CVE-2018-5822  | High            | WLAN HOST                         | Internal
CVE-2018-5823  | High            | WLAN HOST                         | 6/20/2017
CVE-2018-5824  | High            | WLAN HOST                         | Internal
CVE-2018-5825  | High            | Data Network Stack & Connectivity | Internal
CVE-2018-5826  | Medium          | WLAN HOST                         | 11/28/2017
CVE-2018-5827  | High            | WLAN HOST                         | 6/20/2017
CVE-2018-5828  | High            | WLAN HOST                         | 9/18/2017

CVE-2016-8418

CVE ID CVE-2016-8418
Title Improper Access Control in Crypto Driver
Description A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/13/2016
Patch

CVE-2016-8444

CVE ID CVE-2016-8444
Title Improper Access Control in Camera
Description An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel.
Technology Area Camera
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 9/21/2016
Customer Notified Date 1/10/2017
Patch

CVE-2017-0441

CVE ID CVE-2017-0441
Title Possible integer overflow to buffer overflow in QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE
Description The wlan driver supports the vendor command QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE, which supplies a “number of APs” attribute as well as a list of per-AP attributes. However, there is no validation that the number of APs provided won’t overflow the destination buffer. In addition, there is no validation that the number of APs actually provided matches the number of APs expected.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 11/23/2016
Customer Notified Date 1/10/2017
Patch

CVE-2017-0443

CVE ID CVE-2017-0443
Title Out-of-bounds write in wlan driver at function __wlan_hdd_cfg80211_set_ext_roam_params
Description When processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues:

  • QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
  • QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID

Both of these commands have a “number of BSSIDs” attribute as well as a list of BSSIDs. However, there is no validation that the number of BSSIDs provided won’t overflow the destination buffer. In addition, there is no validation that the number of BSSIDs actually provided matches the number of BSSIDs expected.

Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 11/16/2016
Customer Notified Date 1/10/2017
Patch

CVE-2017-11061

CVE ID CVE-2017-11061
Title Buffer Over-read in WLAN
Description While processing cfg80211 vendor sub command QCA_NL80211_VENDOR_SUBCMD_ROAM, a buffer over-read can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 5/31/2017
Customer Notified Date 9/1/2017
Patch

CVE-2017-11075

CVE ID CVE-2017-11075
Title Use After Free in Audio
Description If cmd_pkt and reg_pkt are called from different userspace threads, a use after free condition can potentially occur in wdsp_glink_write().
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 8/22/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-14890

CVE ID CVE-2017-14890
Title Improper Validation of Array Index in WLAN
Description In the processing of an SWBA event, the vdev_map value is not properly validated leading to a potential buffer overwrite in function wma_send_bcn_buf_ll().
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/15/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-14894

CVE ID CVE-2017-14894
Title Improper Validation of Array Index in WLAN
Description In wma_vdev_start_resp_handler(), vdev id is received from firmware as part of WMI_VDEV_START_RESP_EVENTID. This vdev id can be greater than max bssid stored in wma handle and this would result in buffer overwrite while accessing wma_handle->interfaces[vdev_id].
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/30/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-14896

CVE ID CVE-2017-14896
Title Integer overflow leading to kernel memory write in gud driver
Description There is a memory allocation without a length field validation in the mobicore driver which can result in an undersize buffer allocation. Ultimately this can result in a kernel memory overwrite.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 9/1/2017
Patch

CVE-2017-15817

CVE ID CVE-2017-15817
Title Stack-based Buffer Overflow in WLAN
Description When an access point sends a challenge text greater than 128 bytes, the host driver is unable to validate this, potentially leading to authentication failure.
Technology Area WLAN HOST
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 5/14/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-15822

CVE ID CVE-2017-15822
Title Buffer Copy without Checking Size of Input in WLAN
Description While processing an 802.11 management frame, a buffer overflow may potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/4/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-15836

CVE ID CVE-2017-15836
Title Integer Overflow to Buffer Overflow in WLAN
Description If the firmware sends a service ready event to the host with a large number in the num_hw_modes or num_phy, then it could result in an integer overflow which may potentially lead to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 9/29/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-15837

CVE ID CVE-2017-15837
Title Buffer Over-read in WLAN
Description A policy for the packet pattern attribute NL80211_PKTPAT_OFFSET is not defined which can lead to a buffer over-read in nla_get_u32().
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 9/19/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-15846

CVE ID CVE-2017-15846
Title Untrusted Pointer Dereference in Camera
Description In the video_ioctl2() function in the camera driver, an untrusted pointer dereference may potentially occur.
Technology Area Camera
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating Medium
Date Reported 7/27/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-15853

CVE ID CVE-2017-15853
Title Buffer Over-read in WLAN
Description While processing PTT commands, ptt_sock_send_msg_to_app() is invoked without validating the packet length. If the packet length is invalid, then a buffer over-read can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 9/19/2017
Customer Notified Date 12/4/2017
Patch

CVE-2017-15859

CVE ID CVE-2017-15859
Title Buffer Copy without Checking Size of Input in WLAN
Description While processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE_DECR_DB vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE_DECR_DB contains fewer than 1 byte, a buffer overrun occurs.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/1/2017
Patch

CVE-2017-15860

CVE ID CVE-2017-15860
Title Stack-based Buffer Overflow in WLAN
Description While processing an encrypted authentication management frame, a stack buffer overflow may potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector AdjacentNetwork
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2017-15861

CVE ID CVE-2017-15861
Title Improper Input Validation
Description In the function wma_roam_synch_event_handler(), vdev_id is received from firmware and used to access an array without validation.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2017-15862

CVE ID CVE-2017-15862
Title Integer Overflow to Buffer Overflow in WLAN
Description In wma_unified_link_radio_stats_event_handler(), the number of radio channels coming from firmware is not properly validated, potentially leading to an integer overflow vulnerability followed by a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-17764

CVE ID CVE-2017-17764
Title Integer Overflow to Buffer Overflow in WLAN
Description The num_failure_info value from firmware is not properly validated in wma_rx_aggr_failure_event_handler() so that an integer overflow vulnerability in a buffer size calculation may potentially lead to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2017-17765

CVE ID CVE-2017-17765
Title Integer Overflow to Buffer Overflow in WLAN
Description Multiple values received from firmware are not properly validated in wma_get_ll_stats_ext_buf() and are used to allocate the sizes of buffers and may be vulnerable to integer overflow leading to buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-17766

CVE ID CVE-2017-17766
Title Integer Overflow to Buffer Overflow in WLAN
Description In wma_peer_info_event_handler(), the value of num_peers received from firmware is not properly validated so that an integer overflow vulnerability in the size of a buffer allocation may potentially lead to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-17770

CVE ID CVE-2017-17770
Title Untrusted Pointer Dereference in Power
Description In a power driver ioctl handler, an untrusted pointer dereference may potentially occur.
Technology Area Kernel
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Patch

CVE-2017-17771

CVE ID CVE-2017-17771
Title Improper Validation of Array Index in Camera
Description In msm_isp_prepare_v4l2_buf, an out-of-bounds array access can occur.
Technology Area Camera
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Patch

CVE-2017-18152

CVE ID CVE-2017-18152
Title Improper Validation of Array Index in WLAN
Description A buffer overwrite vulnerability exists in the WLAN power level status handler due to improper validation of an array index.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 11/16/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3563

CVE ID CVE-2018-3563
Title Untrusted Pointer Dereference in Audio
Description An untrusted pointer dereference in apr_cb_func can lead to arbitrary code execution.
Technology Area Audio
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating High
Date Reported 11/2/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3566

CVE ID CVE-2018-3566
Title Buffer Copy without Checking Size of Input in WLAN
Description A buffer overwrite may occur in ProcSetReqInternal() due to a missing length check.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 10/24/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3567

CVE ID CVE-2018-3567
Title Buffer Copy without Checking Size of Input in WLAN
Description A buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 11/6/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3568

CVE ID CVE-2018-3568
Title Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) in WLAN
Description In the packet logging feature, a buffer overflow can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 11/13/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3584

CVE ID CVE-2018-3584
Title Use After Free in Wired Connectivity
Description A Use After Free condition can occur in the function rmnet_usb_ctrl_init().
Technology Area Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 10/20/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3598

CVE ID CVE-2018-3598
Title Information Exposure in Camera
Description Insufficient validation of parameters from userspace in the camera driver can lead to an information leak and out-of-bounds access.
Technology Area Camera
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 12/5/2016
Customer Notified Date 1/1/2018
Patch

CVE-2018-3599

CVE ID CVE-2018-3599
Title Use After Free in Core
Description While notifying a DCI client, a Use After Free condition can occur.
Technology Area Core Services
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5820

CVE ID CVE-2018-5820
Title Integer Overflow to Buffer Overflow in WLAN
Description In the function wma_tbttoffset_update_event_handler(), a parameter received from firmware is used to allocate memory for a local buffer and is not properly validated. This can potentially result in an integer overflow subsequently leading to a heap overwrite.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5821

CVE ID CVE-2018-5821
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN
Description In function wma_wow_wakeup_host_event(), wake_info->vdev_id is received from FW and is used directly as array index to access wma->interfaces whose max index should be (max_bssid-1). If wake_info->vdev_id is greater than or equal to max_bssid, an out-of-bounds read occurs.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5822

CVE ID CVE-2018-5822
Title Buffer overflow vulnerability in WLAN
Description Compromised WLAN FW can potentially cause a buffer overwrite.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5823

CVE ID CVE-2018-5823
Title Buffer Copy without Checking Size of Input in WLAN
Description Improper buffer length validation in the extscan hotlist event can lead to a potential buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 6/20/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5824

CVE ID CVE-2018-5824
Title Buffer Copy without Checking Size of Input in WLAN
Description While processing HTT_T2H_MSG_TYPE_RX_FLUSH or HTT_T2H_MSG_TYPE_RX_PN_IND messages, a buffer overflow can occur if the tid value obtained from the firmware is out of range.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Patch

CVE-2018-5825

CVE ID CVE-2018-5825
Title Use After Free in Data
Description In the kernel IPA driver, a Use After Free condition can occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Patch

CVE-2018-5826

CVE ID CVE-2018-5826
Title Use After Free in WLAN
Description Due to a race condition, a Use After Free condition can occur in the WLAN driver.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 11/28/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5827

CVE ID CVE-2018-5827
Title Buffer Copy without Checking Size of Input in WLAN
Description A buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 6/20/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5828

CVE ID CVE-2018-5828
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN
Description In function wma_extscan_start_stop_event_handler(), vdev_id comes from the variable event from firmware and is not properly validated potentially leading to a buffer overwrite.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating High
Date Reported 9/18/2017
Customer Notified Date 1/1/2018
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version | Date           | Comments
1.0     | April 24, 2018 | Bulletin Published