Security Bulletin

April 2019 Code Aurora Security Bulletin


Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2018-11905 Gengjia Chen (chengjia4574)
CVE-2018-11937 C0RE Team (c0reteam)
CVE-2018-11940 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2018-11953 haochen (flank3rsky)
CVE-2019-2247 Joe0x20 (digforfree)
CVE-2019-2248 heidada (heiheidada)

Table of vulnerabilities

Public ID        Security Rating   Technology Area          Date Reported
CVE-2018-11905   High              DSP Service, WLAN HOST   11/8/2017
CVE-2018-11923   High              WLAN HOST                Internal
CVE-2018-11924   Medium            WLAN HOST                Internal
CVE-2018-11925   High              WLAN HOST                Internal
CVE-2018-11927   High              WLAN HOST                Internal
CVE-2018-11930   High              WLAN HOST                Internal
CVE-2018-11937   High              WLAN HOST                4/23/2018
CVE-2018-11940   Critical          WLAN HOST                5/9/2018
CVE-2018-11949   High              WLAN HOST                Internal
CVE-2018-11953   High              WLAN HOST                4/24/2018
CVE-2018-11967   High              DSP Service              Internal
CVE-2018-13899   High              Video                    Internal
CVE-2018-13920   High              Kernel                   Internal
CVE-2019-2247    Medium            Qualcomm IPC             9/27/2018
CVE-2019-2248    Medium            Display                  9/20/2018

CVE-2018-11905

CVE ID: CVE-2018-11905
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: Possible buffer overflow in a WLAN function due to lack of input validation of values received from firmware
Technology Area: DSP Service, WLAN HOST
Vulnerability Type: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
Date Reported: 11/8/2017
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11923

CVE ID: CVE-2018-11923
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: Improper buffer length check before copying can lead to an integer overflow and then a buffer overflow in the WMA event handler
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11924

CVE ID: CVE-2018-11924
Title: Integer Overflow to Buffer Overflow in WLAN
Description: Improper buffer length validation in a WLAN function can lead to a potential integer overflow issue
Technology Area: WLAN HOST
Vulnerability Type: CWE-190 Integer Overflow or Wraparound
Access Vector: Local
Security Rating: Medium
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11925

CVE ID: CVE-2018-11925
Title: Integer Overflow or Wraparound in WLAN
Description: Data length received from firmware is not validated against the maximum allowed size, which can result in a buffer overflow.
Technology Area: WLAN HOST
Vulnerability Type: CWE-190 Integer Overflow or Wraparound
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11927

CVE ID: CVE-2018-11927
Title: Improper Validation of Array Index in WLAN
Description: Improper validation of input that is used as an array index leads to an out-of-bounds access while processing an AP find event from firmware
Technology Area: WLAN HOST
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11930

CVE ID: CVE-2018-11930
Title: Integer Underflow Issue in WLAN
Description: Improper validation of input data that is used to locate and copy the additional IEs in a WLAN function can lead to a potential integer truncation issue.
Technology Area: WLAN HOST
Vulnerability Type: CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11937

CVE ID: CVE-2018-11937
Title: Buffer Over-read Issue in WLAN
Description: Lack of input validation before copying can lead to a buffer over-read in a WLAN function
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Remote
Security Rating: High
Date Reported: 4/23/2018
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11940

CVE ID: CVE-2018-11940
Title: Buffer Copy Without Checking Size of Input in WLAN
Description: Lack of a length check before using memcpy in a WLAN function can lead to out-of-bounds (OOB) access
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Remote
Security Rating: Critical
Date Reported: 5/9/2018
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11949

CVE ID: CVE-2018-11949
Title: Use of Uninitialized Variable in WLAN
Description: Failure to initialize the extra buffer can lead to an out-of-bounds buffer access in a WLAN function
Technology Area: WLAN HOST
Vulnerability Type: CWE-457 Use of Uninitialized Variable
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11953

CVE ID: CVE-2018-11953
Title: Buffer Over-read Issue in WLAN
Description: While processing the SSID IE length from a remote AP, a possible out-of-bounds access may occur due to a crafted SSID IE length.
Technology Area: WLAN HOST
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Remote
Security Rating: High
Date Reported: 4/24/2018
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11967

CVE ID: CVE-2018-11967
Title: Permissions, Privileges and Access Controls Issues in DSP Services
Description: Signature verification of the skel library could potentially be disabled, as the memory region on the remote subsystem in which the library is loaded is currently allocated from userspace
Technology Area: DSP Service
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/5/2018
Patch:

CVE-2018-13899

CVE ID: CVE-2018-13899
Title: Use After Free in Video Driver
Description: Processing messages after an error may result in a use-after-free memory fault
Technology Area: Video
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/5/2018
Patch:

CVE-2018-13920

CVE ID: CVE-2018-13920
Title: Use-After-Free Issue in Kernel
Description: Use-after-free condition due to improper handling of hrtimers when the PMU driver tries to access its events
Technology Area: Kernel
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 12/3/2018
Patch:

CVE-2019-2247

CVE ID: CVE-2019-2247
Title: Double Free Issue in Kernel
Description: Possibility of a double free while running multiple instances of the smp2p test, because proper protection is missing around the use of a global variable.
Technology Area: Qualcomm IPC
Vulnerability Type: CWE-415 Double Free
Access Vector: Local
Security Rating: Medium
Date Reported: 9/27/2018
Customer Notified Date: 1/7/2019
Patch:

CVE-2019-2248

CVE ID: CVE-2019-2248
Title: Stack Based Buffer Overflow Issues in Display
Description: A buffer overflow can occur if an invalid header causes a write past an existing buffer that has a fixed-size allocation.
Technology Area: Display
Vulnerability Type: CWE-121 Stack-based Buffer Overflow
Access Vector: Local
Security Rating: Medium
Date Reported: 9/20/2018
Customer Notified Date: 1/7/2019
Patch:

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases due to one of the following reasons:

  • Consideration of security protections, such as SELinux, that are not enforced on some platforms
  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version   Date            Comments
1.0       April 1, 2019   Bulletin Published