June 2018 Code Aurora Security Bulletin

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-13218	Google Project Zero
CVE-2017-18169, CVE-2018-5854, CVE-2018-5857, CVE-2018-5860	Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2018-5863	derrek (https://twitter.com/derrekr6)

Table of vulnerabilities

Public ID	Security Rating	Technology Area	Date Reported
CVE-2017-13218	High	Kernel	7/28/2017
CVE-2017-18169	Medium	Kernel	1/27/2017
CVE-2018-5854	High	Boot	1/17/2018
CVE-2018-5857	Medium	Audio	12/11/2017
CVE-2018-5860	Medium	Display	3/3/2017
CVE-2018-5863	Medium	WLAN HOST	12/11/2017

CVE-2017-13218

CVE ID	CVE-2017-13218
Title	Permissions, Privileges and Acess control issue in Kernel
Description	Access to CNTVCT_EL0 could be used for side channel attacks and this could lead to local information disclosure with no additional execution privileges needed.
Technology Area	Kernel
Vulnerability Type	CWE-264 Permissions, Privileges, and Access Controls
Access Vector	Local
Security Rating	High
Date Reported	7/28/2017
Customer Notified Date	4/2/2018
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=17db761255f92491df05a7ba267d1f4043633fda https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b9481b9af45cce160d6c0ac3ddf3f20f491f6f98 https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2585f7f82e9da284d5942fd54a183a101ddbe289 https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=f52e0fa819e88b01a989fe2be2b082262be8a3dd https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=d74d8eb4536cbe715691fa0a7c615e8fe3ecc5bf https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a6a585a209065ba5e248144632e9373ea9126185

CVE-2017-18169

CVE ID	CVE-2017-18169
Title	Reachable Assertion in Kernel
Description	User process can perform the kernel DOS in ashmem when doing cache maintanence operation.
Technology Area	Kernel
Vulnerability Type	CWE-617 Reachable Assertion
Access Vector	Local
Security Rating	Medium
Date Reported	1/27/2017
Customer Notified Date	7/3/2017
Patch	https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=2a2f0b7463f4de9ca225769204ff62c71760709c

CVE-2018-5854

CVE ID	CVE-2018-5854
Title	Stack-based Buffer Overflow in Boot
Description	In fastboot, a stack-based buffer overflow can occur.
Technology Area	Boot
Vulnerability Type	CWE-121 Stack-based Buffer Overflow
Access Vector	Local
Security Rating	High
Date Reported	1/17/2018
Customer Notified Date	4/2/2018
Patch	https://source.codeaurora.org/quic/la/abl/tianocore/edk2/commit/?id=aedca87c9a42723dfb5f7084ba855da1208f1889

CVE-2018-5857

CVE ID	CVE-2018-5857
Title	Use After Free in Audio
Description	In the WCD CPE codec, a Use After Free condition can occur.
Technology Area	Audio
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	Medium
Date Reported	12/11/2017
Customer Notified Date	4/2/2018
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=58a3e7f77510ee45439ef80240772ac932340bc1 https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=e9f2a44eac9b8be954a99a5a0728b9c01b1cecb5

CVE-2018-5860

CVE ID	CVE-2018-5860
Title	Use of Uninitialized Variable in Display
Description	In the MDSS driver, a data structure may be used without being initialized correctly.
Technology Area	Display
Vulnerability Type	CWE-457 Use of Uninitialized Variable
Access Vector	Local
Security Rating	Medium
Date Reported	3/3/2017
Customer Notified Date	4/2/2018
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=940c7552ab06a039512c1b0beeb72ee333220abe

CVE-2018-5863

CVE ID	CVE-2018-5863
Title	Buffer Copy without Checking Size of Input in WLAN
Description	If userspace provides a too-large WPA RSN IE length in wlan_hdd_cfg80211_set_ie(), a buffer overflow occurs.
Technology Area	WLAN HOST
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	Medium
Date Reported	12/11/2017
Customer Notified Date	4/2/2018
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=8224f2679b0b881c3f236bfb0a837b2cb5c39130

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

Consideration of security protections such as SELinux not enforced on some platforms
Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version	Date	Comments
1.0	June 4, 2018	Bulletin Published