July 2018 Code Aurora Security Bulletin

Version 1.1

Published: 07/02/2018

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating; a description of these ratings, using v1.2 of the ratings scheme, can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-15856, CVE-2018-5858, CVE-2018-5865: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2017-5754: Google Project Zero
CVE-2018-3564: Yang Dai (huahuaisadog@gmail.com) and Yu Pan (panyu6325@gmail.com) of vulpecker Team, Qihoo 360 Technology Co. Ltd.
CVE-2018-3569, CVE-2018-5834, CVE-2018-5862: Hao Chen (@flankersky) and Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.
CVE-2018-3577, CVE-2018-5830, CVE-2018-5864: Gengjia Chen (@chengjia4574) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2018-3587, CVE-2018-5832, CVE-2018-5853, CVE-2018-5886, CVE-2018-5895: Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2018-5829: freenerguo of Tencent's Xuanwu Lab
CVE-2018-5831: Wen Guanxing from Pangu LAB
CVE-2018-5835: Scott Bauer
CVE-2018-5836: This issue was reported to Qualcomm by a security researcher who asked to remain anonymous.
CVE-2018-5855: Gengjia Chen
CVE-2018-5859: heidada

Table of vulnerabilities

Public ID        Security Rating  Technology Area          Date Reported
CVE-2017-15856   Medium           Automotive Connectivity  9/11/2017
CVE-2017-5754    High             Kernel                   7/28/2017
CVE-2018-3564    High             DSP Service              6/8/2017
CVE-2018-3569    High             WLAN HOST                11/17/2017
CVE-2018-3577    Medium           WLAN HOST                9/14/2017
CVE-2018-3587    Medium           WLAN HOST                9/21/2017
CVE-2018-5829    High             WLAN HOST                11/14/2017
CVE-2018-5830    High             WLAN HOST                11/28/2017
CVE-2018-5831    Medium           Graphics                 11/19/2017
CVE-2018-5832    Medium           Camera                   11/12/2017
CVE-2018-5834    Medium           WLAN HOST                11/16/2017
CVE-2018-5835    Medium           WLAN HOST                11/21/2017
CVE-2018-5836    Medium           WLAN HOST                11/22/2017
CVE-2018-5853    Medium           WLAN HOST                3/7/2017
CVE-2018-5855    High             WLAN HOST                12/8/2017
CVE-2018-5858    Medium           Audio                    12/25/2017
CVE-2018-5859    Medium           Display                  11/8/2017
CVE-2018-5862    Medium           WLAN HOST                11/20/2017
CVE-2018-5864    Medium           WLAN HOST                12/13/2017
CVE-2018-5865    Medium           WLAN HOST                1/11/2018
CVE-2018-5872    Critical         WLAN HOST                Internal
CVE-2018-5873    High             Kernel                   Internal
CVE-2018-5886    Medium           DSP Service              8/24/2017
CVE-2018-5893    High             WLAN HOST                Internal
CVE-2018-5895    Medium           WLAN HOST                12/6/2017
CVE-2018-5899    Medium           WLAN HOST                Internal

CVE-2017-15856

CVE ID CVE-2017-15856
Title Double free in AUTOMOTIVECONNECTIVITY
Description Due to a race condition while processing the power stats debug file to read status, a double free condition can occur.
Technology Area Automotive Connectivity
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 9/11/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-5754

CVE ID CVE-2017-5754
Title Out-of-order Execution of Microprocessor Leads to Privileged Data Access by Unprivileged User
Description Out-of-order execution on modern processors can be used to read arbitrary kernel-memory locations, including personal data and passwords. The data is brought into the L1 data cache before the permission check on the kernel memory completes, thus leaking the data to the unprivileged world.
Technology Area Kernel
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating High
Date Reported 7/28/2017
Customer Notified Date 5/7/2018
Patch
    Even if you are porting the patches yourself, please engage your customer engineering contact. The order of patches matters.

CVE-2018-3564

CVE ID CVE-2018-3564
Title Use After Free in Multimedia
Description In the FastRPC driver, a Use After Free condition can occur when mapping on the remote processor fails.
Technology Area DSP Service
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 6/8/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3569

CVE ID CVE-2018-3569
Title Buffer Over-read vulnerability in WLAN
Description A buffer over-read can occur during a fast initial link setup (FILS) connection.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported 11/17/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-3577

CVE ID CVE-2018-3577
Title Integer Overflow to Buffer Overflow in WLAN
Description While processing fragments, when the fragment count becomes very large, an integer overflow leading to a buffer overflow can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 9/14/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3587

CVE ID CVE-2018-3587
Title Use After Free in WLAN
Description In a firmware memory dump feature, a Use After Free condition can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 9/21/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-5829

CVE ID CVE-2018-5829
Title Buffer Over-read in WLAN
Description In wlan_hdd_cfg80211_set_privacy_ibss(), a buffer over-read can potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Adjacent Network
Security Rating High
Date Reported 11/14/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5830

CVE ID CVE-2018-5830
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN
Description While processing the HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND message, a buffer overflow can potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating High
Date Reported 11/28/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5831

CVE ID CVE-2018-5831
Title Integer Overflow or Wraparound in Graphics
Description In the KGSL driver, a reference counting error can lead to a Use After Free condition.
Technology Area Graphics
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating Medium
Date Reported 11/19/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5832

CVE ID CVE-2018-5832
Title Use After Free in Camera
Description Due to a race condition in a camera driver ioctl handler, a Use After Free condition can occur.
Technology Area Camera
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 11/12/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5834

CVE ID CVE-2018-5834
Title Incorrect Calculation of Buffer Size in WLAN
Description In __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating Medium
Date Reported 11/16/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5835

CVE ID CVE-2018-5835
Title Buffer Copy without Checking Size of Input in WLAN
Description If seq_len is greater than CSR_MAX_RSC_LEN, a buffer overflow in __wlan_hdd_cfg80211_add_key() may occur when copying keyRSC.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 11/21/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5836

CVE ID CVE-2018-5836
Title Buffer Over-read in WLAN
Description In wma_nan_rsp_event_handler(), the data_len value is received from firmware and not properly validated which could potentially lead to an out-of-bounds access.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 11/22/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5853

CVE ID CVE-2018-5853
Title Use After Free in WLAN
Description A race condition in a driver can potentially lead to a use-after-free condition.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 3/7/2017
Customer Notified Date 4/2/2018
Patch

CVE-2018-5855

CVE ID CVE-2018-5855
Title Buffer Over-read in WLAN
Description While padding or shrinking a nested wmi packet, a buffer over-read can potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported 12/8/2017
Customer Notified Date 4/2/2018
Patch

CVE-2018-5858

CVE ID CVE-2018-5858
Title Buffer Copy without Checking Size of Input in Audio
Description In the audio debugfs, out of bounds access can occur.
Technology Area Audio
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/25/2017
Customer Notified Date 4/2/2018
Patch

CVE-2018-5859

CVE ID CVE-2018-5859
Title Use After Free in Display
Description Due to a race condition in the MDSS MDP driver, a Use After Free condition can occur.
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 11/8/2017
Customer Notified Date 4/2/2018
Patch

CVE-2018-5862

CVE ID CVE-2018-5862
Title Incorrect Calculation of Buffer Size in WLAN
Description In __wlan_hdd_cfg80211_vendor_scan(), when SCAN_SSIDS and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, a buffer overwrite can potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating Medium
Date Reported 11/20/2017
Customer Notified Date 4/2/2018
Patch

CVE-2018-5864

CVE ID CVE-2018-5864
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN
Description While processing a WMI_APFIND event, a buffer over-read and information leak can potentially occur.
Technology Area WLAN HOST
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating Medium
Date Reported 12/13/2017
Customer Notified Date 4/2/2018
Patch

CVE-2018-5865

CVE ID CVE-2018-5865
Title Integer Underflow in WLAN
Description While processing a debug log event from firmware, an integer underflow and/or buffer over-read can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Local
Security Rating Medium
Date Reported 1/11/2018
Customer Notified Date 4/2/2018
Patch

CVE-2018-5872

CVE ID CVE-2018-5872
Title Use of Out-of-range Pointer Offset in WLAN
Description While parsing over-the-air information elements, the use of an out-of-range pointer offset can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Adjacent Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/2/2018
Patch

CVE-2018-5873

CVE ID CVE-2018-5873
Title Use After Free in Kernel
Description Due to a race condition when accessing files, a Use After Free condition in the kernel can occur.
Technology Area Kernel
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/2/2018
Patch

CVE-2018-5886

CVE ID CVE-2018-5886
Title Buffer Over-read in DSP
Description A pointer in an ADSPRPC command is not properly validated which can lead to kernel memory being accessed.
Technology Area DSP Service
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 8/24/2017
Customer Notified Date 5/7/2018
Patch

CVE-2018-5893

CVE ID CVE-2018-5893
Title Buffer Copy without Checking Size of Input in WLAN
Description While processing a message from firmware in htt_t2h_msg_handler_fast(), a buffer overwrite can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/5/2018
Patch

CVE-2018-5895

CVE ID CVE-2018-5895
Title Buffer Over-read in WLAN
Description A buffer over-read may occur in wma_process_utf_event() due to improper buffer length validation before writing into param_buf->num_wow_packet_buffer.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 12/6/2017
Customer Notified Date 5/7/2018
Patch

CVE-2018-5899

CVE ID CVE-2018-5899
Title Use After Free in WLAN
Description Whenever a TDLS connection is set up, the netbuf is freed in ol_tx_completion_handler and then accessed in NBUF_UPDATE_TX_PKT_COUNT, causing a use after free.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 5/7/2018
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:

  • Consideration of security protections, such as SELinux, that are not enforced on some platforms

  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version  Date            Comments
1.0      July 2, 2018    Bulletin published
1.1      August 9, 2018  Updated link for CVE-2018-5855