May 2018 Code Aurora Security Bulletin

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2018-3571, CVE-2018-3572: Peter Pi of Tencent Security Platform Department
CVE-2018-5833: This issue was found by Google when evaluating a previous fix.
CVE-2017-0781, CVE-2017-11037, CVE-2017-11039, CVE-2017-11070, CVE-2017-11077, CVE-2017-11083, CVE-2017-11084, CVE-2017-11086, CVE-2017-14904, CVE-2017-15857, CVE-2017-17767, CVE-2017-17768, CVE-2017-18154, CVE-2018-3585: Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2018-3562, CVE-2018-3579, CVE-2018-3580, CVE-2018-3581, CVE-2018-3582: This issue was reported to Qualcomm by a security researcher who asked to remain anonymous.
CVE-2017-14883, CVE-2017-14884, CVE-2017-14888, CVE-2017-15832, CVE-2017-15854, CVE-2017-18070, CVE-2018-3565: Gengjia Chen (@chengjia4574), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2018-3576, CVE-2018-3578: Hao Chen (@flankersky) and Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.
CVE-2017-11036, CVE-2017-15842, CVE-2017-15843: Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2017-11072, CVE-2017-14871: derrek (https://twitter.com/derrekr6)
CVE-2017-11065, CVE-2017-14880: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2017-17769: Pengfei Ding
CVE-2015-0235: Qualys
CVE-2017-0464: Found internally, then reported by an external researcher to Google, who reported it to us.
CVE-2017-11068, CVE-2017-11094, CVE-2017-11095, CVE-2017-15835, CVE-2017-17772: Scott Bauer

Table of vulnerabilities

Public ID | Security Rating | Technology Area | Date Reported
CVE-2018-3572 | Medium | Audio | 11/2/2017
CVE-2018-5833 | Medium | Multimedia | 8/30/2017
CVE-2018-5900 | High | Boot | Internal
CVE-2018-5901 | High | Boot | Internal
CVE-2018-3585 | Medium | Camera | 8/30/2017
CVE-2018-5846 | High | Data Network Stack & Connectivity | Internal
CVE-2018-5902 | High | Data Network Stack & Connectivity | Internal
CVE-2018-5840 | High | Display | Internal
CVE-2018-5845 | High | Display | Internal
CVE-2018-5847 | High | Display | Internal
CVE-2018-5849 | Medium | Trusted Execution Environment | 8/22/2017
CVE-2018-3571 | Medium | Graphics | 8/31/2017
CVE-2018-5841 | High | Kernel | Internal
CVE-2018-5844 | High | Video | Internal
CVE-2018-5848 | High | WIGIG | Internal
CVE-2018-3562 | High | WLAN HOST | 11/8/2017
CVE-2018-3565 | High | WLAN HOST | 10/24/2017
CVE-2018-3576 | Medium | WLAN HOST | 9/20/2017
CVE-2018-3578 | Medium | WLAN HOST | 11/16/2017
CVE-2018-3579 | Medium | WLAN HOST | 11/13/2017
CVE-2018-3580 | High | WLAN HOST | 11/8/2017
CVE-2018-3581 | Medium | WLAN HOST | 11/13/2017
CVE-2018-3582 | High | WLAN HOST | 11/13/2017
CVE-2018-5842 | High | WLAN HOST | 9/20/2017
CVE-2018-5843 | High | WLAN HOST | Internal
CVE-2018-5850 | High | WLAN HOST | Internal
CVE-2018-5851 | High | WLAN HOST | Internal
CVE-2017-0399 | High | Audio | Internal
CVE-2017-0400 | High | Audio | Internal
CVE-2017-0401 | High | Audio | Internal
CVE-2017-0402 | High | Audio | Internal
CVE-2017-15842 | Medium | Audio | 10/9/2017
CVE-2017-18165 | High | Audio | Internal
CVE-2017-11086 | Medium | Multimedia | 4/4/2017
CVE-2017-11072 | Medium | Boot | 6/27/2017
CVE-2017-14871 | Medium | Boot | 6/22/2017
CVE-2017-17768 | High | Boot | 10/13/2017
CVE-2017-18162 | High | Boot | Internal
CVE-2017-11039 | Medium | Camera | 12/9/2016
CVE-2017-11077 | Medium | Camera | 4/10/2017
CVE-2017-15857 | Medium | Camera | 8/30/2017
CVE-2015-8215 | Medium | Data Network Stack & Connectivity | Internal
CVE-2017-14880 | Medium | Data Network Stack & Connectivity | 7/14/2017
CVE-2017-14904 | Medium | Display | 8/15/2017
CVE-2017-15827 | Medium | Display | 6/1/2017
CVE-2017-17769 | High | Display | 8/1/2017
CVE-2017-18154 | Medium | Display | 8/15/2017
CVE-2017-18161 | High | Display | Internal
CVE-2017-18164 | High | Display | Internal
CVE-2017-18166 | High | Display | Internal
CVE-2017-18167 | Medium | Display | Internal
CVE-2015-0235 | Critical | OE | Internal
CVE-2017-11037 | Medium | Power | 1/6/2017
CVE-2015-3847 | High | Security | Internal
CVE-2017-11065 | Medium | SoC Infrastructure | 5/2/2017
CVE-2017-15843 | Medium | SoC Infrastructure | 3/15/2017
CVE-2017-18163 | High | Trusted Execution Environment | Internal
CVE-2014-9940 | High | Stability | Internal
CVE-2016-2454 | High | Video | Internal
CVE-2017-11070 | High | Video | 6/9/2017
CVE-2017-17767 | High | Video | 9/19/2017
CVE-2017-11036 | Medium | WIGIG | 5/2/2017
CVE-2017-0464 | Medium | WLAN HOST | 8/25/2016
CVE-2017-11068 | Critical | WLAN HOST | 5/9/2017
CVE-2017-11083 | Medium | WLAN HOST | 6/2/2017
CVE-2017-11084 | Medium | WLAN HOST | 4/14/2017
CVE-2017-11094 | Critical | WLAN HOST | 5/14/2017
CVE-2017-11095 | Critical | WLAN HOST | 5/2/2017
CVE-2017-14883 | High | WLAN HOST | 9/13/2017
CVE-2017-14884 | High | WLAN HOST | 9/14/2017
CVE-2017-14888 | Medium | WLAN HOST | 9/21/2017
CVE-2017-15819 | High | WLAN HOST | Internal
CVE-2017-15832 | High | WLAN HOST | 9/15/2017
CVE-2017-15835 | Medium | WLAN HOST | 8/23/2017
CVE-2017-15854 | High | WLAN HOST | 9/15/2017
CVE-2017-17772 | High | WLAN HOST | 11/17/2017
CVE-2017-18070 | High | WLAN HOST | 9/14/2017
CVE-2017-18168 | High | WLAN HOST | Internal
CVE-2016-6716 | Medium | Android UI | Internal
CVE-2017-0781 | Critical | Bluetooth HOST | Internal
CVE-2017-11020 | High | Bluetooth HOST | Internal

CVE-2018-3572

CVE ID CVE-2018-3572
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in Audio
Description While processing a DSP buffer in an audio driver’s event handler, an index of a buffer is not checked before accessing the buffer.
Technology Area Audio
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating Medium
Date Reported 11/2/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5833

CVE ID CVE-2018-5833
Title Improper Validation of Array Index in Camera
Description In the camera driver, an out-of-bounds access can occur.
Technology Area Multimedia
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 8/30/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5900

CVE ID CVE-2018-5900
Title Incorrect Type Conversion or Cast in Boot
Description Data loss can potentially occur when using the GetTimerCountms() function.
Technology Area Boot
Vulnerability Type CWE-704 Incorrect Type Conversion or Cast
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5901

CVE ID CVE-2018-5901
Title Incorrect Type Conversion or Cast in Boot
Description When the device fails to locate the VB protocol, the return value is incorrect because IsSecureBootEnable is of type BOOLEAN while Status is of type UINTN.
Technology Area Boot
Vulnerability Type CWE-704 Incorrect Type Conversion or Cast
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-3585

CVE ID CVE-2018-3585
Title Improper Validation of Array Index in Camera
Description In the camera driver, a NULL pointer access can occur due to an error in copying region params from userspace.
Technology Area Camera
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 8/30/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5846

CVE ID CVE-2018-5846
Title Use After Free in IPA
Description A Use After Free condition can occur in the IPA driver whenever the IPA IOCTLs IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_ADD/IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_DEL/IPA_IOC_NOTIFY_WAN_EMBMS_CONNECTED are called.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5902

CVE ID CVE-2018-5902
Title Improper Access Control in Data
Description While processing a userspace command to enable a GSI debug register read, an unauthorized access to protected registers can occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Patch

CVE-2018-5840

CVE ID CVE-2018-5840
Title Buffer Copy without Checking Size of Input in Display
Description Buffer Copy without Checking Size of Input can occur during the DRM SDE driver initialization sequence.
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5845

CVE ID CVE-2018-5845
Title Use After Free in Display Driver
Description A race condition in drm_atomic_nonblocking_commit() in the display driver can potentially lead to a Use After Free scenario.
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5847

CVE ID CVE-2018-5847
Title Use After Free in Display
Description Early or late retirement of rotation requests can result in a Use After Free condition.
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5849

CVE ID CVE-2018-5849
Title Use After Free in QTEE
Description Due to a race condition in the QTEECOM driver, when more than one HLOS client loads the same TA, a Use After Free condition can occur.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 8/22/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3571

CVE ID CVE-2018-3571
Title Use After Free in Graphics
Description In the KGSL driver, a Use After Free condition can occur when printing information about sparse memory allocations.
Technology Area Graphics
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 8/31/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5841

CVE ID CVE-2018-5841
Title Improper Input Validation in Kernel
Description dcc_curr_list is initialized with a default invalid value that is expected to be programmed by the user through a sysfs node, which could lead to an invalid access.
Technology Area Kernel
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Patch

CVE-2018-5844

CVE ID CVE-2018-5844
Title Use After Free in Video
Description In the video driver function set_output_buffers(), binfo can be accessed after being freed in a failure scenario.
Technology Area Video
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5848

CVE ID CVE-2018-5848
Title Buffer Copy without Checking Size of Input in WIGIG
Description In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow.
Technology Area WIGIG
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Patch

CVE-2018-3562

CVE ID CVE-2018-3562
Title Buffer Over-read in WLAN
Description Buffer over-read can occur while processing a FILS authentication frame.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector AdjacentNetwork
Security Rating High
Date Reported 11/8/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3565

CVE ID CVE-2018-3565
Title Buffer Copy without Checking Size of Input in WLAN
Description While sending a probe request indication in lim_send_sme_probe_req_ind(), a buffer overflow can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 10/24/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3576

CVE ID CVE-2018-3576
Title Improper Validation of Array Index in WLAN
Description Improper validation of an array index in the WiFi driver function sapInterferenceRssiCount() leads to an array out-of-bounds access.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 9/20/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3578

CVE ID CVE-2018-3578
Title Incorrect Calculation of Buffer Size in WLAN
Description A type mismatch for ie_len can cause the WLAN driver to allocate less memory on the heap due to implicit casting, leading to a heap buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating Medium
Date Reported 11/16/2017
Customer Notified Date 2/5/2018
Patch
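The two WLAN records above (CVE-2018-5848 and CVE-2018-3578) both describe a length check that fails before the copy or allocation it is meant to protect: in the first, adding ie_len to an existing offset can wrap around in unsigned arithmetic; in the second, ie_len is implicitly narrowed when the heap allocation size is computed. The C example below is added here for this bulletin's readers and is not taken from the CAF patches or from the WLAN/WIGIG drivers; wmi_set_ie and ie_len are names from the bulletin, while the buffer sizes, the helper names and the input values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limits for the example; the real drivers' limits are not
 * stated in the bulletin. */
#define FRAME_BUF_SIZE 512u   /* hypothetical fixed-size frame buffer */
#define MAX_IE_LEN     255u   /* hypothetical upper bound on one IE   */

/* Length check in the style described for CVE-2018-5848: the sum
 * offset + ie_len is evaluated in unsigned arithmetic, so a huge ie_len
 * wraps to a small value and the comparison wrongly passes. */
static bool ie_fits_naive(size_t offset, size_t ie_len)
{
    return offset + ie_len <= FRAME_BUF_SIZE;
}

/* Overflow-safe form: bound ie_len on its own, then compare it against
 * the remaining space instead of forming a sum that can wrap. */
static bool ie_fits_safe(size_t offset, size_t ie_len)
{
    if (offset > FRAME_BUF_SIZE || ie_len > MAX_IE_LEN)
        return false;
    return ie_len <= FRAME_BUF_SIZE - offset;
}

/* Allocation-size computation in the style described for CVE-2018-3578:
 * the caller holds a 32-bit ie_len, but this helper receives it through a
 * 16-bit parameter. The implicit conversion keeps only the low 16 bits,
 * so the allocation comes out smaller than the copy that follows it. */
static size_t alloc_size_narrowed(uint8_t hdr_len, uint16_t ie_len)
{
    return (size_t)hdr_len + ie_len;
}

/* Fixed form: keep ie_len at full width, reject values above the bound,
 * and only then compute the allocation size. Returns false when the
 * length is rejected; *out is left untouched in that case. */
static bool alloc_size_checked(uint8_t hdr_len, uint32_t ie_len, size_t *out)
{
    if (ie_len > MAX_IE_LEN)
        return false;
    *out = (size_t)hdr_len + ie_len;
    return true;
}

/* True when copying ie_len bytes after a hdr_len header into a buffer of
 * alloc bytes would run past its end, i.e. the heap overflow the record
 * warns about. */
static bool copy_overflows(size_t alloc, uint8_t hdr_len, uint32_t ie_len)
{
    return alloc < hdr_len || ie_len > alloc - hdr_len;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const size_t   offset      = 16;
    const size_t   huge_ie_len = SIZE_MAX - 8;  /* wraps when added to offset */
    const uint32_t wide_ie_len = 0x10010u;      /* low 16 bits are 0x0010 */
    const uint8_t  hdr_len     = 8;
    size_t alloc_ok = 0;

    printf("naive check accepts huge ie_len: %s\n",
           ie_fits_naive(offset, huge_ie_len) ? "yes" : "no");
    printf("safe check accepts huge ie_len:  %s\n",
           ie_fits_safe(offset, huge_ie_len) ? "yes" : "no");

    size_t alloc = alloc_size_narrowed(hdr_len, wide_ie_len);
    printf("narrowed allocation: %zu bytes, copy overflows: %s\n", alloc,
           copy_overflows(alloc, hdr_len, wide_ie_len) ? "yes" : "no");
    printf("checked allocation accepts 0x10010: %s\n",
           alloc_size_checked(hdr_len, wide_ie_len, &alloc_ok) ? "yes" : "no");
    return 0;
}
```

The safe variants share one design rule: every length coming from firmware or userspace is compared against a fixed bound at its original width before any arithmetic is done with it, and the arithmetic itself is written as a subtraction from the known capacity rather than an addition that can wrap.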

CVE-2018-3579

CVE ID CVE-2018-3579
Title Buffer Over-read in WLAN
Description In the WLAN driver, event->num_entries_in_page is a value received from firmware that is not properly validated, which can lead to a buffer over-read.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 11/13/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3580

CVE ID CVE-2018-3580
Title Stack-based Buffer Overflow in WLAN
Description A stack-based buffer overflow can occur in the WLAN driver if the pmkid_count value is larger than the PMKIDCache size.
Technology Area WLAN HOST
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector AdjacentNetwork
Security Rating High
Date Reported 11/8/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3581

CVE ID CVE-2018-3581
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN
Description In the WLAN driver, a buffer overwrite can occur if the vdev_id received from firmware is larger than max_bssid.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating Medium
Date Reported 11/13/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3582

CVE ID CVE-2018-3582
Title Buffer Copy without Checking Size of Input in WLAN
Description A buffer overflow can occur due to improper input validation in multiple WMA event handler functions.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 11/13/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5842

CVE ID CVE-2018-5842
Title Buffer Copy without Checking Size of Input in WLAN
Description An arbitrary address write can occur if a compromised WLAN firmware sends incorrect data to the WLAN driver.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 9/20/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5843

CVE ID CVE-2018-5843
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN
Description In the function wma_pdev_div_info_evt_handler(), there is no upper bound check on the value event->num_chains_valid received from firmware which can lead to a buffer overwrite of the fixed size chain_rssi_result structure.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5850

CVE ID CVE-2018-5850
Title Improper Input Validation in WLAN
Description In the function csr_update_fils_params_rso(), insufficient validation of a key length can result in an integer underflow leading to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Patch

CVE-2018-5851

CVE ID CVE-2018-5851
Title Improper Validation of Array Index in WLAN
Description A buffer overflow can occur while processing an HTT_T2H_MSG_TYPE_TX_COMPL_IND message with an out-of-range num_msdus value.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Patch

CVE-2017-0399

CVE ID CVE-2017-0399
Title Improper Validation of Array Index in Audio
Description An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in audioserver could enable a local malicious application to access data outside of its permission levels.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Patch

CVE-2017-0400

CVE ID CVE-2017-0400
Title Improper Validation of Array Index in Audio
Description An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in audioserver could enable a local malicious application to access data outside of its permission levels.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Patch

CVE-2017-0401

CVE ID CVE-2017-0401
Title Improper Validation of Array Index in Audio
Description Function equalizer_get_num_presets() does not check whether the preset value is a negative number before using the value as an array index. This could result in an over-read.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Patch

CVE-2017-0402

CVE ID CVE-2017-0402
Title Improper Validation of Array Index in Audio
Description An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in audioserver could enable a local malicious application to access data outside of its permission levels.
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Patch

CVE-2017-15842

CVE ID CVE-2017-15842
Title Use After Free in Audio
Description Buffer might get used after it gets freed due to unlocking the mutex before freeing the buffer.
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 10/9/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-18165

CVE ID CVE-2017-18165
Title NULL Pointer Dereference in Audio
Description In case of a memory allocation failure, _vol_cmd_cnt is not reset. In _volume_cmds_free, a NULL pointer dereference would then happen for _vol_cmds[i].
Technology Area Audio
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Patch

CVE-2017-11086

CVE ID CVE-2017-11086
Title Improper Validation of Array Index in Camera
Description In the camera driver, an out-of-bounds access can occur due to the same msm_sd_subdev being added into ordered_sd_list.
Technology Area Multimedia
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 4/4/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-11072

CVE ID CVE-2017-11072
Title Buffer Copy without Checking Size of Input in Boot
Description While calculating the CRC for GPT header fields, a buffer overflow occurs if the number of partition entries is greater than 16384.
Technology Area Boot
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 6/27/2017
Customer Notified Date 9/1/2017
Patch

CVE-2017-14871

CVE ID CVE-2017-14871
Title Information Exposure in Boot
Description During the Meta image flashing, an integer overflow of the image header size which is passed as an argument to function HandleRawImageFlash() may potentially occur.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 6/22/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-17768

CVE ID CVE-2017-17768
Title Integer Overflow to Buffer Overflow in WLAN
Description In multiple WiFi driver functions, integer overflows leading to heap buffer overflows may potentially occur.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported 10/13/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-18162

CVE ID CVE-2017-18162
Title Integer Overflow or Wraparound in Boot
Description UINTN is used to store the size of a buffer such as dataBytesReceived and mNumberDataBytes, and these values are further used in arithmetic expressions with UINT32/UINT64, which makes the code vulnerable to integer overflows and truncation errors.
Technology Area Boot
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Patch

CVE-2017-11039

CVE ID CVE-2017-11039
Title Buffer Over-read in Camera
Description In msm_actuator, a kernel out-of-bounds access could potentially occur due to invalid actuator operation and unexpected behavior in lens movement.
Technology Area Camera
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 12/9/2016
Customer Notified Date 8/7/2017
Patch

CVE-2017-11077

CVE ID CVE-2017-11077
Title Use After Free in Camera
Description A race condition exists in the camera driver due to the lack of a fine-grained locking mechanism in vb2 operations.
Technology Area Camera
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 4/10/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-15857

CVE ID CVE-2017-15857
Title Improper Validation of Array Index in Camera
Description In the camera driver, an out-of-bounds access can occur due to an error in copying region params from userspace.
Technology Area Camera
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 8/30/2017
Customer Notified Date 12/4/2017
Patch

CVE-2015-8215

CVE ID CVE-2015-8215
Title Improper Input Validation in Data
Description The current code does not restrict the MTU being set by a user application. A remote user can send a malformed RA with a very low or very high MTU. The user application without proper checks can set the wrong MTU using proc values, which can stop packet flow.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-20 Improper Input Validation
Access Vector AdjacentNetwork
Security Rating Medium
Date Reported Internal
Customer Notified Date 7/3/2017
Patch

CVE-2017-14880

CVE ID CVE-2017-14880
Title Time-of-check Time-of-use (TOCTOU) Race Condition in Data
Description While IPA WAN-driver is processing multiple requests from modem/user-space module, the global variable “num_q6_rule” does not have a mutex lock and thus can be accessed and modified by multiple threads.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 7/14/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-14904

CVE ID CVE-2017-14904
Title Use of Out-of-range Pointer Offset in Display
Description A crafted binder request can cause an arbitrary unmap in MediaServer.
Technology Area Display
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 8/15/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-15827

CVE ID CVE-2017-15827
Title Possible buffer overflow when dsi commands are sent from dsi sysfs node
Description A buffer overflow can potentially occur when trying to process the dsi on commands in mdss_dsi_cmd_flush as there is no check for length of string coming from the user.
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 6/1/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-17769

CVE ID CVE-2017-17769
Title Information Exposure in Audio
Description Information leakage can occur in the audio driver.
Technology Area Display
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported 8/1/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-18154

CVE ID CVE-2017-18154
Title Use of Out-of-range Pointer Offset in Display
Description A crafted binder request can cause an arbitrary unmap in MediaServer.
Technology Area Display
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 8/15/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-18161

CVE ID CVE-2017-18161
Title NULL Pointer Dereference in Display
Description A NULL pointer dereference can occur in display because parameters that are assumed to have been configured in the normal scenario are accessed without checking.
Technology Area Display
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Patch

CVE-2017-18164

CVE ID CVE-2017-18164
Title NULL Pointer Dereference in Display
Description NULL pointer dereference could occur if post-processing ioctl (MSMFB_MDP_PP) is used to read/write calibration data using NULL pipe pointer.
Technology Area Display
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Patch

CVE-2017-18166

CVE ID CVE-2017-18166
Title Improper Input Validation in Display
Description Improper validation of the input config->len in mdss_mdp_igc_lut_config() can lead to a buffer overflow.
Technology Area Display
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Patch

CVE-2017-18167

CVE ID CVE-2017-18167
Title Uncontrolled Resource Consumption in Display
Description A memory leak can potentially occur in the compat path of the display driver.
Technology Area Display
Vulnerability Type CWE-400 Uncontrolled Resource Consumption (‘Resource Exhaustion’)
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 7/3/2017
Patch

CVE-2015-0235

CVE ID CVE-2015-0235
Title Buffer Copy Without Checking Size of Input in OE
Description Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST”.
Technology Area OE
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 9/1/2017
Patch

CVE-2017-11037

CVE ID CVE-2017-11037
Title Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description When multiple entities access the /sys/kernel/debug/pc_debug_counter simultaneously, a Use After Free condition can occur.
Technology Area Power
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 1/6/2017
Customer Notified Date 8/7/2017
Patch

CVE-2015-3847

CVE ID CVE-2015-3847
Title Improper Access Control on Bluetooth
Description A vulnerability in Android’s Bluetooth component could allow a local application to delete stored SMS messages.
Technology Area Security
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Patch

CVE-2017-11065

CVE ID CVE-2017-11065
Title Improper Validation of Array Index in Core
Description The user supplied acd offset is not verified to be within the acd register range which could lead to out-of-bounds read/write.
Technology Area SoC Infrastructure
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 5/2/2017
Customer Notified Date 9/1/2017
Patch

CVE-2017-15843

CVE ID CVE-2017-15843
Title Double Free in msm_bus_floor_vote_context()
Description Due to a race condition in a bus driver, a double free in msm_bus_floor_vote_context() can potentially occur.
Technology Area SoC Infrastructure
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 3/15/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-18163

CVE ID CVE-2017-18163
Title Information Exposure in Boot
Description Improper handling of a memory allocation failure scenario may lead to unauthorized access to and decryption of MDTP data.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Patch

CVE-2014-9940

CVE ID CVE-2014-9940
Title Possible Use After Free in regulator_ena_gpio_free
Description In the regulator_ena_gpio_free routine, the loop could access the pin after freeing it.
Technology Area Stability
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Patch

CVE-2016-2454

CVE ID CVE-2016-2454
Title Improper Input Validation in Video Hardware
Description Remote attackers can cause a denial of service (reboot) in the hardware video codec via a crafted file.
Technology Area Video
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Patch

CVE-2017-11070

CVE ID CVE-2017-11070
Title Use After Free in Video
Description Input buffer is accessed in one thread and can be potentially freed in another.
Technology Area Video
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 6/9/2017
Customer Notified Date 9/1/2017
Patch

CVE-2017-17767

CVE ID CVE-2017-17767
Title Use After Free in Video
Description The IL client may free a buffer in the OMX Video Encoder Component and then subsequently access the already freed buffer.
Technology Area Video
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 9/19/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-11036

CVE ID CVE-2017-11036
Title Buffer Over-read in WIGIG
Description While sending Tx management frame through debug-fs, a buffer overflow occurs if an invalid length is provided.
Technology Area WIGIG
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 5/2/2017
Customer Notified Date 8/7/2017
Patch

CVE-2017-0464

CVE ID: CVE-2017-0464
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: A buffer overflow can occur when processing a QCA_NL80211_VENDOR_SUBCMD_GSCAN_SET_SSID_HOTLIST cfg80211 vendor command where an instance of the QCA_WLAN_VENDOR_ATTR_GSCAN_SSID_THRESHOLD_PARAM_SSID attribute exceeds the documented maximum size.
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
Date Reported: 8/25/2016
Customer Notified Date: 8/7/2017
Patch

CVE-2017-11068

CVE ID: CVE-2017-11068
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: In the function rrmProcessBeaconReportReq(), if the total number of channels (across all the channel lists) in the beacon report request exceeds 8, a heap-based buffer overflow can potentially occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Adjacent Network
Security Rating: Critical
Date Reported: 5/9/2017
Customer Notified Date: 9/1/2017
Patch

CVE-2017-11083

CVE ID: CVE-2017-11083
Title: Buffer Over-read in WLAN
Description: The request ID in __wlan_hdd_cfg80211_set_epno_list is improperly attributed to the enum QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID, which belongs to the attributes for extscan configuration. This results in incorrect input validation of the request ID in wlan_hdd_cfg80211_set_epno_list, because that enum value refers to a different attribute set, qca_wlan_vendor_attr_pno_config_params.
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 6/2/2017
Customer Notified Date: 10/2/2017
Patch

CVE-2017-11084

CVE ID: CVE-2017-11084
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: If the user-controlled extn capabilities have a size greater than the maximum supported, a buffer overflow can potentially occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
Date Reported: 4/14/2017
Customer Notified Date: 10/2/2017
Patch

CVE-2017-11094

CVE ID: CVE-2017-11094
Title: Buffer Over-read in WLAN
Description: In the case where an access point sends challenge text larger than 128 bytes, a buffer over-read can potentially occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Adjacent Network
Security Rating: Critical
Date Reported: 5/14/2017
Customer Notified Date: 10/2/2017
Patch

CVE-2017-11095

CVE ID: CVE-2017-11095
Title: Stack-based Buffer Overflow in WLAN
Description: Due to the lack of a boundary check for “pIe->arraybound”, a stack overflow can potentially occur in the WiFi driver function “sirConvertReassocReqFrame2Struct”.
Technology Area: WLAN HOST
Vulnerability Type: CWE-121 Stack-based Buffer Overflow
Access Vector: Adjacent Network
Security Rating: Critical
Date Reported: 5/2/2017
Customer Notified Date: 10/2/2017
Patch

CVE-2017-14883

CVE ID: CVE-2017-14883
Title: Integer Overflow to Buffer Overflow in WLAN
Description: In the function wma_unified_power_debug_stats_event_handler(), if the value param_buf->num_debug_register received from the FW command buffer is close to the maximum of uint32, the computation using this variable to calculate stats_registers_len may overflow to a smaller value. This leads to less memory than required being allocated for power_stats_results and potentially a buffer overflow while copying the FW buffer to the local buffer.
Technology Area: WLAN HOST
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: High
Date Reported: 9/13/2017
Customer Notified Date: 11/6/2017
Patch

CVE-2017-14884

CVE ID: CVE-2017-14884
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: Due to the lack of bounds checking on the variable “data_len” from the function WLANQCMBR_McProcessMsg(), a buffer overflow may potentially occur in WLANFTM_McProcessMsg().
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
Date Reported: 9/14/2017
Customer Notified Date: 11/6/2017
Patch

CVE-2017-14888

CVE ID: CVE-2017-14888
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: In the function limProcessUpdateAddIEs(), userspace can pass IEs to the host driver. If multiple append commands are received, the integer variable that stores the length can overflow, and the subsequent copy of the IE data may potentially lead to a heap buffer overflow.
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
Date Reported: 9/21/2017
Customer Notified Date: 12/4/2017
Patch

CVE-2017-15819

CVE ID: CVE-2017-15819
Title: Stack-based Buffer Overflow in WLAN
Description: In WLAN, a stack-based buffer overflow vulnerability may potentially occur while processing an encrypted AUTH frame.
Technology Area: WLAN HOST
Vulnerability Type: CWE-121 Stack-based Buffer Overflow
Access Vector: Adjacent Network
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/6/2017
Patch

CVE-2017-15832

CVE ID: CVE-2017-15832
Title: Buffer Overwrite Due to Improper Input Validation in WLAN Host
Description: Buffer overwrite in the WLAN host driver by leveraging a compromised WLAN FW.
Technology Area: WLAN HOST
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: 9/15/2017
Customer Notified Date: 12/4/2017
Patch

CVE-2017-15835

CVE ID: CVE-2017-15835
Title: Loop with Unreachable Exit Condition in WLAN
Description: While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with an IE length greater than 255, an infinite loop may potentially occur, resulting in a denial of service.
Technology Area: WLAN HOST
Vulnerability Type: CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’)
Access Vector: Adjacent Network
Security Rating: Medium
Date Reported: 8/23/2017
Customer Notified Date: 2/5/2018
Patch

CVE-2017-15854

CVE ID: CVE-2017-15854
Title: Integer Overflow to Buffer Overflow in WLAN
Description: The value of fix_param->num_chans is received from firmware; if it is too large, an integer overflow can occur in wma_radio_chan_stats_event_handler() for the derived length len, leading to a subsequent buffer overflow.
Technology Area: WLAN HOST
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: High
Date Reported: 9/15/2017
Customer Notified Date: 1/1/2018
Patch

CVE-2017-17772

CVE ID: CVE-2017-17772
Title: Multiple Buffer Over-read Vulnerabilities in WLAN
Description: In multiple functions that process 802.11 frames, out-of-bounds reads can occur due to insufficient validation.
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Adjacent Network
Security Rating: High
Date Reported: 11/17/2017
Customer Notified Date: 2/5/2018
Patch

CVE-2017-18070

CVE ID: CVE-2017-18070
Title: Integer Overflow to Buffer Overflow in WLAN
Description: In wma_ndp_end_response_event_handler(), the variable len_end_rsp is a uint32 that can overflow if the value of the variable “event->num_ndp_end_rsp_per_ndi_list” is very large, which can then lead to a heap overwrite of the heap object end_rsp.
Technology Area: WLAN HOST
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: High
Date Reported: 9/14/2017
Customer Notified Date: 1/1/2018
Patch

CVE-2017-18168

CVE ID: CVE-2017-18168
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: A buffer overrun vulnerability exists while processing the get chain RSSI vendor command.
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 9/1/2017
Patch

CVE-2016-6716

CVE ID: CVE-2016-6716
Title: Improper Access Control in AOSP Launcher
Description: An elevation of privilege vulnerability in the AOSP Launcher could allow a local malicious application to create shortcuts that have elevated privileges without the user’s consent.
Technology Area: Android UI
Vulnerability Type: CWE-284 Improper Access Control
Access Vector: Local
Security Rating: Medium
Date Reported: Internal
Customer Notified Date: 2/14/2017
Patch

CVE-2017-0781

CVE ID: CVE-2017-0781
Title: Incorrect Calculation of Buffer Size in Bluetooth
Description: An incorrect buffer size is calculated when BT_HDR is included, and memory can leak when BNEP control frames are pulled in fragments.
Technology Area: Bluetooth HOST
Vulnerability Type: CWE-131 Incorrect Calculation of Buffer Size
Access Vector: Local
Security Rating: Critical
Date Reported: Internal
Customer Notified Date: 12/4/2017
Patch

CVE-2017-11020

CVE ID: CVE-2017-11020
Title: Use After Free in Bluetooth
Description: When Bluetooth timeouts occur, the alarm callback sometimes frees the alarm and then tries to use it again.
Technology Area: Bluetooth HOST
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 9/1/2017
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version   Date          Comments
1.0       May 8, 2018   Bulletin Published