Version 1.0
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2017-9704, CVE-2018-11983, CVE-2018-11984, CVE-2018-11986, CVE-2018-11987 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. |
CVE-2018-11985 | derrek (@derrekr6 https://twitter.com/derrekr6) |
CVE-2018-11988 | Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2017-9704 | High | Camera | 2/22/2017 |
CVE-2018-11960 | High | HWEngines | Internal |
CVE-2018-11961 | High | GPS AP-Linux | Internal |
CVE-2018-11963 | High | Multimedia | Internal |
CVE-2018-11964 | High | Yocto | Internal |
CVE-2018-11965 | High | Yocto | Internal |
CVE-2018-11983 | Medium | Core Services | 5/29/2018 |
CVE-2018-11984 | Medium | Core Services | 5/31/2018 |
CVE-2018-11985 | Medium | Boot | 12/7/2017 |
CVE-2018-11986 | Medium | Multimedia | 6/19/2018 |
CVE-2018-11987 | Medium | Kernel | 5/4/2018 |
CVE-2018-11988 | Medium | Trusted Execution Environment | 12/14/2017 |
CVE-2017-9704
CVE ID | CVE-2017-9704 |
Title | Use After Free in Camera |
Description | There is no synchronization between msm_vb2_get_buf and msm_delete_stream (and several other buffer operations) which can lead to use after free. |
Technology Area | Camera |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | 2/22/2017 |
Customer Notified Date | 7/3/2017 |
Patch |
CVE-2018-11960
CVE ID | CVE-2018-11960 |
Title | Use After Free in HWEngines |
Description | A use after free condition can occur in the SPS driver, which can lead to an error in the kernel. |
Technology Area | HWEngines |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11961
CVE ID | CVE-2018-11961 |
Title | Buffer Copy Without Checking Size of Input in GPS. |
Description | When updating some GNSS configurations, there is a possibility of accessing an out-of-bounds vector index. |
Technology Area | GPS AP-Linux |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11963
CVE ID | CVE-2018-11963 |
Title | Buffer Over-read in Camera |
Description | A buffer over-read may occur due to non-null-terminated strings while processing vsprintf in the Camera Jpeg driver. |
Technology Area | Multimedia |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 9/3/2018 |
Patch |
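The defect class behind CVE-2018-11963 is a fixed-width field handed to a "%s" conversion without a guaranteed terminating NUL. The following is an added example, not Qualcomm or CAF code: the record layout, field width and function names are assumptions made up for illustration, and the input is constructed inline. It shows the bounded idiom a driver should use, strnlen() capped at the field width plus the "%.*s" precision, so the formatter never reads beyond the field even when no NUL is present.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record: a fixed-width tag copied from hardware or firmware
 * that is NOT guaranteed to be NUL-terminated (an assumption for the example). */
#define FIELD_LEN 8

struct jpeg_record {
    char tag[FIELD_LEN];     /* fixed width, possibly unterminated */
    unsigned int quality;
};

/* Length of the field, bounded by its width; strnlen stops at `width`
 * even when the bytes contain no NUL, so it never reads past the field. */
size_t field_len(const char *field, size_t width)
{
    return strnlen(field, width);
}

/* Safe formatting: the "%.*s" precision caps the read at field_len(),
 * whereas a plain "%s" would scan forward until it happened upon a NUL. */
int format_record(char *dst, size_t dstsz, const struct jpeg_record *r)
{
    return snprintf(dst, dstsz, "tag=%.*s q=%u",
                    (int)field_len(r->tag, FIELD_LEN), r->tag, r->quality);
}

int main(void)
{
    /* Constructed input: exactly 8 bytes, deliberately without a NUL. */
    struct jpeg_record r = { { 'Q', 'C', 'A', 'M', 'J', 'P', 'E', 'G' }, 90 };
    char buf[64];

    format_record(buf, sizeof buf, &r);
    puts(buf);   /* tag=QCAMJPEG q=90 */
    return 0;
}
```

The same bound applies to vsprintf-style wrappers: whatever builds the format arguments must pass an explicit length for any field that may lack a terminator.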
CVE-2018-11964
CVE ID | CVE-2018-11964 |
Title | Permissions, Privileges and Access Controls in Yocto |
Description | In the current configuration, /etc/passwd can be read by group and others. Although the contents of /etc/passwd are hashed, exposing them may lead to a security issue. |
Technology Area | Yocto |
Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11965
CVE ID | CVE-2018-11965 |
Title | Improper Access controls in Yocto |
Description | Anyone can execute proptrigger.sh, which will lead to a change in properties. |
Technology Area | Yocto |
Vulnerability Type | CWE-284 Improper Access Control |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11983
CVE ID | CVE-2018-11983 |
Title | Possible Use-After-Free issue for Mask Pointers after Reallocation |
Description | A kernel error is observed when freed mask pointers are accessed after memory for the mask table has been reallocated. |
Technology Area | Core Services |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/29/2018 |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11984
CVE ID | CVE-2018-11984 |
Title | Use After Free in Diag Services |
Description | A use after free condition and an out-of-bounds access can occur in the DIAG driver. |
Technology Area | Core Services |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/31/2018 |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11985
CVE ID | CVE-2018-11985 |
Title | Configuration Issue in Boot |
Description | When allocating heap memory using a user-supplied size, a heap overflow is possible due to an integer overflow in the round-up to native pointer size. |
Technology Area | Boot |
Vulnerability Type | CWE-16 Configuration |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/7/2017 |
Customer Notified Date | 9/3/2018 |
Patch |
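CVE-2018-11985 describes an integer overflow in the round-up of a caller-supplied size to native pointer alignment. The code below is an added example, not Qualcomm, CAF or bootloader code; the function names, the use of sizeof(void *) as the alignment and the sample request size are assumptions made up for illustration. It places the unchecked arithmetic that wraps for sizes close to SIZE_MAX next to the checked form that rejects such a request before any allocation is made.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed alignment target: the native pointer size on this build. */
#define PTR_ALIGN (sizeof(void *))

/* The pattern behind the bug: unsigned addition wraps when n is within
 * PTR_ALIGN - 1 of SIZE_MAX, so the rounded value can be far smaller than
 * the request (here it becomes 0), and the allocation is then too small
 * for the data the caller intends to copy into it. */
size_t roundup_unchecked(size_t n)
{
    return (n + PTR_ALIGN - 1) & ~(PTR_ALIGN - 1);
}

/* Hardened form: refuse the request if the addition would wrap.
 * Returns false on overflow and leaves *out untouched. */
bool roundup_checked(size_t n, size_t *out)
{
    if (n > SIZE_MAX - (PTR_ALIGN - 1))
        return false;
    *out = (n + PTR_ALIGN - 1) & ~(PTR_ALIGN - 1);
    return true;
}

/* Allocate for a user-supplied length; NULL on overflow or allocator failure.
 * Callers that need a hard upper bound should additionally compare
 * user_len against their own maximum before calling this. */
void *alloc_for_user_len(size_t user_len)
{
    size_t rounded;

    if (!roundup_checked(user_len, &rounded))
        return NULL;
    return malloc(rounded);
}

int main(void)
{
    size_t req = SIZE_MAX - 2;   /* constructed oversized request */
    void *p;

    printf("unchecked: %zu -> %zu bytes\n", req, roundup_unchecked(req));
    p = alloc_for_user_len(req);
    printf("checked:   %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The check is deliberately written as `n > SIZE_MAX - (PTR_ALIGN - 1)` rather than testing the sum afterwards, so the overflow never happens at all; the same guard belongs in front of any size-plus-header or size-times-count computation that feeds an allocator.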
CVE-2018-11986
CVE ID | CVE-2018-11986 |
Title | Buffer Copy Without Checking Size of Input in Camera |
Description | The TX and RX FIFOs of the microcontroller in the camera subsystem are used to exchange commands and messages between the Micro FW and the CPP driver. The TX FIFO depth is 16 32-bit words; in case of errors there is a chance of overflow. |
Technology Area | Multimedia |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 6/19/2018 |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11987
CVE ID | CVE-2018-11987 |
Title | Double Free Issue in Kernel. |
Description | On boot, if there is an unlikely memory allocation failure for the secure pool, it can result in a wrong pointer access causing a kernel panic. |
Technology Area | Kernel |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/4/2018 |
Customer Notified Date | 9/3/2018 |
Patch |
CVE-2018-11988
CVE ID | CVE-2018-11988 |
Title | Use After Free in Ecosystem. |
Description | An untrusted pointer dereference occurs by accessing a variable that has already been freed. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/14/2017 |
Customer Notified Date | 9/3/2018 |
Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
Version | Date | Comments |
1.0 | December 3, 2018 | Bulletin Published |
1.1 | April 20, 2020 | Added patch links to CVE-2017-9704 |