Version 1.2
Published: 07/02/2018
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2017-15856, CVE-2018-5858, CVE-2018-5865 | Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
CVE-2017-5754 | Google Project Zero |
CVE-2018-3564 | Yang Dai (huahuaisadog@gmail.com) and Yu Pan (panyu6325@gmail.com) of vulpecker Team, Qihoo 360 Technology Co. Ltd. |
CVE-2018-3569, CVE-2018-5834, CVE-2018-5862 | Hao Chen (@flankersky) and Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. |
CVE-2018-3577, CVE-2018-5830, CVE-2018-5864 | Gengjia Chen (@chengjia4574) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
CVE-2018-3587, CVE-2018-5832, CVE-2018-5853, CVE-2018-5886, CVE-2018-5895 | Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
CVE-2018-5829 | freenerguo of Tencent’s Xuanwu Lab |
CVE-2018-5831 | Wen Guanxing from Pangu LAB |
CVE-2018-5835 | Scott Bauer |
CVE-2018-5836 | This issue was reported to Qualcomm by a security researcher that asked to remain anonymous. |
CVE-2018-5855 | Gengjia Chen |
CVE-2018-5859 | heidada |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
--- | --- | --- | --- |
CVE-2017-15856 | Medium | Automotive Connectivity | 9/11/2017 |
CVE-2017-5754 | High | Kernel | 7/28/2017 |
CVE-2018-3564 | High | DSP Service | 6/8/2017 |
CVE-2018-3569 | High | WLAN HOST | 11/17/2017 |
CVE-2018-3577 | Medium | WLAN HOST | 9/14/2017 |
CVE-2018-3587 | Medium | WLAN HOST | 9/21/2017 |
CVE-2018-5829 | High | WLAN HOST | 11/14/2017 |
CVE-2018-5830 | High | WLAN HOST | 11/28/2017 |
CVE-2018-5831 | Medium | Graphics | 11/19/2017 |
CVE-2018-5832 | Medium | Camera | 11/12/2017 |
CVE-2018-5834 | Medium | WLAN HOST | 11/16/2017 |
CVE-2018-5835 | Medium | WLAN HOST | 11/21/2017 |
CVE-2018-5836 | Medium | WLAN HOST | 11/22/2017 |
CVE-2018-5853 | Medium | WLAN HOST | 3/7/2017 |
CVE-2018-5855 | High | WLAN HOST | 12/8/2017 |
CVE-2018-5858 | Medium | Audio | 12/25/2017 |
CVE-2018-5859 | Medium | Display | 11/8/2017 |
CVE-2018-5862 | Medium | WLAN HOST | 11/20/2017 |
CVE-2018-5864 | Medium | WLAN HOST | 12/13/2017 |
CVE-2018-5865 | Medium | WLAN HOST | 1/11/2018 |
CVE-2018-5872 | Critical | WLAN HOST | Internal |
CVE-2018-5873 | High | Kernel | Internal |
CVE-2018-5886 | High | DSP Service | 8/24/2017 |
CVE-2018-5893 | High | WLAN HOST | Internal |
CVE-2018-5895 | Medium | WLAN HOST | 12/6/2017 |
CVE-2018-5899 | Medium | WLAN HOST | Internal |
CVE-2017-15856
CVE ID | CVE-2017-15856 |
Title | Double free in AUTOMOTIVECONNECTIVITY |
Description | Due to a race condition while processing the power stats debug file to read status, a double free condition can occur. |
Technology Area | Automotive Connectivity |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 9/11/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2017-5754
CVE ID | CVE-2017-5754 |
Title | Out-of-order Execution of Microprocessor Leads to Privileged Data Access by Unprivileged User |
Description | Out-of-order execution on modern processors can be used to read arbitrary kernel-memory locations, including personal data and passwords. The data is brought into the L1 data cache before the permission checks on the kernel memory complete, thus leaking the valuable data to the unprivileged world. |
Technology Area | Kernel |
Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
Access Vector | Local |
Security Rating | High |
Date Reported | 7/28/2017 |
Customer Notified Date | 5/7/2018 |
Patch |
CVE-2018-3564
CVE ID | CVE-2018-3564 |
Title | Use After Free in Multimedia |
Description | In the FastRPC driver, a Use After Free condition can occur when mapping on the remote processor fails. |
Technology Area | DSP Service |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | 6/8/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-3569
CVE ID | CVE-2018-3569 |
Title | Buffer Over-read vulnerability in WLAN |
Description | A buffer over-read can occur during a fast initial link setup (FILS) connection. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/17/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-3577
CVE ID | CVE-2018-3577 |
Title | Integer Overflow to Buffer Overflow in WLAN |
Description | While processing fragments, when the fragment count becomes very large, an integer overflow leading to a buffer overflow can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 9/14/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-3587
CVE ID | CVE-2018-3587 |
Title | Use After Free in WLAN |
Description | In a firmware memory dump feature, a Use After Free condition can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 9/21/2017 |
Customer Notified Date | 2/5/2018 |
Patch |
CVE-2018-5829
CVE ID | CVE-2018-5829 |
Title | Buffer Over-read in WLAN |
Description | In wlan_hdd_cfg80211_set_privacy_ibss(), a buffer over-read can potentially occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Adjacent Network |
Security Rating | High |
Date Reported | 11/14/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5830
CVE ID | CVE-2018-5830 |
Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN |
Description | While processing the HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND message, a buffer overflow can potentially occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/28/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5831
CVE ID | CVE-2018-5831 |
Title | Integer Overflow or Wraparound in Graphics |
Description | In the KGSL driver, a reference counting error can lead to a Use After Free condition. |
Technology Area | Graphics |
Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/19/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5832
CVE ID | CVE-2018-5832 |
Title | Use After Free in Camera |
Description | Due to a race condition in a camera driver ioctl handler, a Use After Free condition can occur. |
Technology Area | Camera |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/12/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5834
CVE ID | CVE-2018-5834 |
Title | Incorrect Calculation of Buffer Size in WLAN |
Description | In __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/16/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5835
CVE ID | CVE-2018-5835 |
Title | Buffer Copy without Checking Size of Input in WLAN |
Description | If the seq_len is greater than CSR_MAX_RSC_LEN, a buffer overflow in __wlan_hdd_cfg80211_add_key() may occur when copying keyRSC. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/21/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5836
CVE ID | CVE-2018-5836 |
Title | Buffer Over-read in WLAN |
Description | In wma_nan_rsp_event_handler(), the data_len value is received from firmware and not properly validated, which could potentially lead to an out-of-bounds access. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/22/2017 |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5853
CVE ID | CVE-2018-5853 |
Title | Use After Free in WLAN |
Description | A race condition exists in a driver, potentially leading to a Use After Free condition. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 3/7/2017 |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5855
CVE ID | CVE-2018-5855 |
Title | Buffer Over-read in WLAN |
Description | While padding or shrinking a nested wmi packet, a buffer over-read can potentially occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Network |
Security Rating | High |
Date Reported | 12/8/2017 |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5858
CVE ID | CVE-2018-5858 |
Title | Buffer Copy without Checking Size of Input in Audio |
Description | In the audio debugfs, an out-of-bounds access can occur. |
Technology Area | Audio |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/25/2017 |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5859
CVE ID | CVE-2018-5859 |
Title | Use After Free in Display |
Description | Due to a race condition in the MDSS MDP driver, a Use After Free condition can occur. |
Technology Area | Display |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/8/2017 |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5862
CVE ID | CVE-2018-5862 |
Title | Incorrect Calculation of Buffer Size in WLAN |
Description | In __wlan_hdd_cfg80211_vendor_scan(), when SCAN_SSIDS and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, a buffer overwrite can potentially occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/20/2017 |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5864
CVE ID | CVE-2018-5864 |
Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN |
Description | While processing a WMI_APFIND event, a buffer over-read and information leak can potentially occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/13/2017 |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5865
CVE ID | CVE-2018-5865 |
Title | Integer Underflow in WLAN |
Description | While processing a debug log event from firmware, an integer underflow and/or buffer over-read can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 1/11/2018 |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5872
CVE ID | CVE-2018-5872 |
Title | Use of Out-of-range Pointer Offset in WLAN |
Description | While parsing over-the-air information elements, the use of an out-of-range pointer offset can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
Access Vector | Adjacent Network |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5873
CVE ID | CVE-2018-5873 |
Title | Use After Free in Kernel |
Description | Due to a race condition when accessing files, a Use After Free condition in the kernel can occur. |
Technology Area | Kernel |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 4/2/2018 |
Patch |
CVE-2018-5886
CVE ID | CVE-2018-5886 |
Title | Buffer Over-read in DSP |
Description | A pointer in an ADSPRPC command is not properly validated, which can lead to kernel memory being accessed. |
Technology Area | DSP Service |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | High |
Date Reported | 8/24/2017 |
Customer Notified Date | 5/7/2018 |
Patch |
CVE-2018-5893
CVE ID | CVE-2018-5893 |
Title | Buffer Copy without Checking Size of Input in WLAN |
Description | While processing a message from firmware in htt_t2h_msg_handler_fast(), a buffer overwrite can occur. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 3/5/2018 |
Patch |
CVE-2018-5895
CVE ID | CVE-2018-5895 |
Title | Buffer Over-read in WLAN |
Description | A buffer over-read may happen in wma_process_utf_event() due to improper buffer length validation before writing into param_buf->num_wow_packet_buffer. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/6/2017 |
Customer Notified Date | 5/7/2018 |
Patch |
CVE-2018-5899
CVE ID | CVE-2018-5899 |
Title | Use After Free in WLAN |
Description | Whenever a TDLS connection is set up, the netbuf is freed in ol_tx_completion_handler and subsequently accessed in NBUF_UPDATE_TX_PKT_COUNT, causing a Use After Free. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | Internal |
Customer Notified Date | 5/7/2018 |
Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:
- Consideration of security protections, such as SELinux, that are not enforced on some platforms
- Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
Version | Date | Comments |
--- | --- | --- |
1.0 | July 2, 2018 | Bulletin published |
1.1 | August 9, 2018 | Updated link for CVE-2018-5855 |
1.2 | June 22, 2020 | Updated rating for CVE-2018-5886 |