December 2018 Code Aurora Security Bulletin

Security Bulletin, December 3, 2018

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating; a description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-9704, CVE-2018-11983, CVE-2018-11984, CVE-2018-11986, CVE-2018-11987: reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information.
CVE-2018-11985 derrek (@derrekr6 https://twitter.com/derrekr6)
CVE-2018-11988 Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360

Table of vulnerabilities

Public ID        Security Rating   Technology Area                 Date Reported
CVE-2017-9704    High              Camera                          2/22/2017
CVE-2018-11960   High              HWEngines                       Internal
CVE-2018-11961   High              GPS AP-Linux                    Internal
CVE-2018-11963   High              Multimedia                      Internal
CVE-2018-11964   High              Yocto                           Internal
CVE-2018-11965   High              Yocto                           Internal
CVE-2018-11983   Medium            Core Services                   5/29/2018
CVE-2018-11984   Medium            Core Services                   5/31/2018
CVE-2018-11985   Medium            Boot                            12/7/2017
CVE-2018-11986   Medium            Multimedia                      6/19/2018
CVE-2018-11987   Medium            Kernel                          5/4/2018
CVE-2018-11988   Medium            Trusted Execution Environment   12/14/2017

CVE-2017-9704

CVE ID CVE-2017-9704
Title Use After Free in Camera
Description There is no synchronization between msm_vb2_get_buf and msm_delete_stream (and several other buffer operations), which can lead to a use after free.
Technology Area Camera
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 2/22/2017
Customer Notified Date 7/3/2017
Patch

CVE-2018-11960

CVE ID CVE-2018-11960
Title Use After Free in HWEngines
Description A use after free condition can occur in the SPS driver, which can lead to an error in the kernel.
Technology Area HWEngines
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/3/2018
Patch

CVE-2018-11961

CVE ID CVE-2018-11961
Title Buffer Copy Without Checking Size of Input in GPS.
Description When updating some GNSS configurations, there is a possibility of accessing an out-of-bounds vector index.
Technology Area GPS AP-Linux
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/3/2018
Patch

CVE-2018-11963

CVE ID CVE-2018-11963
Title Buffer Over-read in Camera
Description A buffer over-read may occur due to non-null-terminated strings while processing vsprintf in the Camera JPEG driver.
Technology Area Multimedia
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/3/2018
Patch

CVE-2018-11964

CVE ID CVE-2018-11964
Title Permissions, Privileges and Access Controls in Yocto
Description In the current scenario /etc/passwd can be read by group and others. Although the content of /etc/passwd is hashed, exposing it may lead to security issues.
Technology Area Yocto
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/3/2018
Patch

CVE-2018-11965

CVE ID CVE-2018-11965
Title Improper Access controls in Yocto
Description Anyone can execute proptrigger.sh, which will lead to changes in properties.
Technology Area Yocto
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/3/2018
Patch

CVE-2018-11983

CVE ID CVE-2018-11983
Title Possible Use-After-Free issue for Mask Pointers after Reallocation
Description A kernel error was observed when accessing freed mask pointers after memory for the mask table had been reallocated.
Technology Area Core Services
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 5/29/2018
Customer Notified Date 9/3/2018
Patch

CVE-2018-11984

CVE ID CVE-2018-11984
Title Use After Free in Diag Services
Description A use after free condition and an out-of-bounds access can occur in the DIAG driver.
Technology Area Core Services
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 5/31/2018
Customer Notified Date 9/3/2018
Patch

CVE-2018-11985

CVE ID CVE-2018-11985
Title Configuration Issue in Boot
Description When allocating heap memory using a user-supplied size, a heap overflow vulnerability is possible due to an integer overflow in the roundup to native pointer alignment.
Technology Area Boot
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating Medium
Date Reported 12/7/2017
Customer Notified Date 9/3/2018
Patch
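The roundup-overflow pattern named above, shown in added example code written for this bulletin page (not CAF, Qualcomm or boot-loader code; the function names, the PTR_ALIGN granule and the size check are assumptions): an unchecked round-up to pointer alignment wraps for sizes near SIZE_MAX and yields a tiny allocation, while the checked variant rejects such sizes before the allocation happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Alignment granule: the size of a native pointer on the build target
 * (assumption for this example; the bulletin does not state the exact value). */
#define PTR_ALIGN (sizeof(void *))

/* Unchecked round-up of the kind the bulletin describes. For a size within
 * PTR_ALIGN - 1 of SIZE_MAX the addition wraps, the mask clears what is left,
 * and the caller ends up with a tiny (even zero-byte) allocation that is later
 * written with the full user-requested length. */
static size_t roundup_unchecked(size_t size)
{
    return (size + PTR_ALIGN - 1) & ~(PTR_ALIGN - 1);
}

/* Checked round-up: refuses any size whose rounding would wrap past SIZE_MAX. */
static bool roundup_checked(size_t size, size_t *rounded)
{
    if (size > SIZE_MAX - (PTR_ALIGN - 1))
        return false;
    *rounded = (size + PTR_ALIGN - 1) & ~(PTR_ALIGN - 1);
    return true;
}

/* Allocation path that treats the user-supplied size as untrusted:
 * reject zero and anything that cannot be rounded without wrapping. */
void *alloc_user_sized(size_t user_size)
{
    size_t rounded;

    if (user_size == 0 || !roundup_checked(user_size, &rounded))
        return NULL;
    return malloc(rounded);
}

int main(void)
{
    size_t r = 0;

    printf("unchecked roundup(SIZE_MAX) = %zu (wrapped)\n",
           roundup_unchecked(SIZE_MAX));
    printf("checked roundup(SIZE_MAX) accepted = %d\n",
           (int)roundup_checked(SIZE_MAX, &r));
    if (roundup_checked(13, &r))
        printf("checked roundup(13) = %zu\n", r);
    return 0;
}
```

The check is written as a subtraction on the constant side (`SIZE_MAX - (PTR_ALIGN - 1)`) so the comparison itself can never overflow; the same guard belongs in front of any size arithmetic that precedes a heap allocation, and a caller should also cap user sizes at a sane maximum rather than relying on malloc failing.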

CVE-2018-11986

CVE ID CVE-2018-11986
Title Buffer Copy Without Checking Size of Input in Camera
Description The TX and RX FIFOs of the microcontroller in the camera subsystem are used to exchange commands and messages between the micro firmware and the CPP driver. The TX FIFO depth is 16 32-bit words; in case of errors there is a chance of overflow.
Technology Area Multimedia
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 6/19/2018
Customer Notified Date 9/3/2018
Patch
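As an added illustration of the bound check such a fixed-depth FIFO needs (example code written for this bulletin page, not CAF or driver code; the struct, function names and the software model of the FIFO are assumptions, and the real FIFO is a hardware queue rather than an array), the writer below queues a whole message or nothing, and the error path discards undelivered words instead of stacking a retry on top of them:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Depth stated in the bulletin: 16 words of 32 bits. */
#define TX_FIFO_DEPTH 16u

/* Software model of the TX FIFO, constructed for this example. */
struct tx_fifo {
    uint32_t words[TX_FIFO_DEPTH];
    unsigned count;                 /* words queued, 0..TX_FIFO_DEPTH */
};

void tx_fifo_init(struct tx_fifo *f)
{
    memset(f, 0, sizeof(*f));
}

unsigned tx_fifo_free(const struct tx_fifo *f)
{
    return TX_FIFO_DEPTH - f->count;
}

/* Bounded write: the whole message is queued or nothing is.
 * Returns the number of words queued, or -1 when the message does not fit. */
int tx_fifo_write(struct tx_fifo *f, const uint32_t *msg, unsigned len)
{
    if (len > tx_fifo_free(f))
        return -1;
    memcpy(&f->words[f->count], msg, len * sizeof(uint32_t));
    f->count += len;
    return (int)len;
}

/* Consumer side: drain up to n words from the head of the queue. */
unsigned tx_fifo_drain(struct tx_fifo *f, unsigned n)
{
    if (n > f->count)
        n = f->count;
    memmove(f->words, &f->words[n], (f->count - n) * sizeof(uint32_t));
    f->count -= n;
    return n;
}

/* Error-path handling: discard undelivered words and report how many were
 * dropped so the caller can log it, rather than re-queuing on top of them. */
unsigned tx_fifo_reset_on_error(struct tx_fifo *f)
{
    unsigned dropped = f->count;
    f->count = 0;
    return dropped;
}

int main(void)
{
    struct tx_fifo f;
    uint32_t cmd[6] = {0x1, 0x2, 0x3, 0x4, 0x5, 0x6}; /* constructed sample */
    int rc;

    tx_fifo_init(&f);
    rc = tx_fifo_write(&f, cmd, 6);
    printf("write 6 -> %d (%u free)\n", rc, tx_fifo_free(&f));
    rc = tx_fifo_write(&f, cmd, 6);
    printf("write 6 -> %d (%u free)\n", rc, tx_fifo_free(&f));
    rc = tx_fifo_write(&f, cmd, 6);
    printf("write 6 -> %d (%u free, rejected)\n", rc, tx_fifo_free(&f));
    printf("dropped on error: %u\n", tx_fifo_reset_on_error(&f));
    return 0;
}
```

The important property is that `count` can never exceed `TX_FIFO_DEPTH` on any path, including the error path; a producer that retries after an error without first reclaiming or discarding space is exactly how a 16-word queue gets a seventeenth word.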

CVE-2018-11987

CVE ID CVE-2018-11987
Title Double Free Issue in Kernel.
Description On boot if there is an unlikely memory alloc failure for the secure pool, it can result in wrong pointer access causing kernel panic.
Technology Area Kernel
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 5/4/2018
Customer Notified Date 9/3/2018
Patch

CVE-2018-11988

CVE ID CVE-2018-11988
Title Use After Free in Ecosystem.
Description Untrusted pointer dereference issue caused by accessing a variable that has already been freed.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 12/14/2017
Customer Notified Date 9/3/2018
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version   Date               Comments
1.0       December 3, 2018   Bulletin Published