May 2019 Code Aurora Security Bulletin

Version 1.1

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2018-11819, CVE-2018-3583	haochen (flank3rsky)
CVE-2018-11929	C0RE Team (c0reteam)
CVE-2018-11934, CVE-2018-11939	Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2018-11942	xbq (xbq)
CVE-2018-11947	dokyungs@uci.edu
CVE-2018-5883, CVE-2018-5911	Gengjia Chen (chengjia4574)
CVE-2018-5903	%i%s%n\nAAA (derrek)

Table of vulnerabilities

Public ID	Security Rating	Technology Area	Date Reported
CVE-2018-11819	Medium	WLAN HOST	12/13/2017
CVE-2018-11929	Medium	WLAN HOST	4/11/2018
CVE-2018-11934	Medium	WLAN HOST	4/9/2018
CVE-2018-11939	Medium	WLAN HOST	5/4/2018
CVE-2018-11942	Medium	WLAN HOST	1/26/2018
CVE-2018-11947	Medium	WLAN HOST	4/26/2018
CVE-2018-13919	High	Data Network Stack & Connectivity	Internal
CVE-2018-3583	High	WLAN HOST	6/20/2017
CVE-2018-5883	High	WLAN HOST	9/13/2017
CVE-2018-5903	High	WLAN HOST	12/8/2017
CVE-2018-5911	Medium	WLAN HOST	2/24/2018

CVE-2018-11819

CVE ID	CVE-2018-11819
Title	Use After Free in WLAN
Description	Use after issue in WLAN function due to multiple ACS scan requests at a time
Technology Area	WLAN HOST
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	Medium
Date Reported	12/13/2017
Customer Notified Date	8/6/2018
Affected Chipsets	MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 675, SD 730, SD 820A, SD 835, SD 855, SDA660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=1b8c7285d4e85961711fef80107de12085b58116

CVE-2018-11929

CVE ID	CVE-2018-11929
Title	Buffer Copy Without Checking Size of Input in WLAN
Description	Lack of input validation in WLAN function can lead to potential heap overflow.
Technology Area	WLAN HOST
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	Medium
Date Reported	4/11/2018
Customer Notified Date	8/6/2018
Affected Chipsets	MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=5731e378340326b0fdb6dc2b517a508e47dfe722

CVE-2018-11934

CVE ID	CVE-2018-11934
Title	Buffer Copy Without Checking Size of Input in WLAN
Description	Possible out of bounds write due to improper input validation while processing DO_ACS vendor command.
Technology Area	WLAN HOST
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	Medium
Date Reported	4/9/2018
Customer Notified Date	8/6/2018
Affected Chipsets	MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=dcecfdf44c8526930771b4150caebfc9cd6cc3f5 https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=04db58e9e0d6e861fb4ba365784608eb9063efe7

CVE-2018-11939

CVE ID	CVE-2018-11939
Title	Use After Free in WLAN
Description	While processing multiple EVENT_CONNECT_RESULT events, a single BSSID value may be referenced multiple times resulting in use-after-free issue
Technology Area	WLAN HOST
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	Medium
Date Reported	5/4/2018
Customer Notified Date	8/6/2018
Affected Chipsets	MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, QCA6574AU, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SDX20
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=135739e1facf79effe5a7932d1c183a04543fa28

CVE-2018-11942

CVE ID	CVE-2018-11942
Title	Information Exposure in WLAN
Description	Failure to initialize the reserved memory which is sent to the firmware might lead to exposure of 1 byte of uninitialized kernel SKB memory to FW.
Technology Area	WLAN HOST
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	1/26/2018
Customer Notified Date	8/6/2018
Affected Chipsets	IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=c352d6073172d79d731ae7349af910debf717d77

CVE-2018-11947

CVE ID	CVE-2018-11947
Title	Information Exposure in WLAN
Description	The txrx stats req might be double freed in the pdev detach when the host driver is unloading.
Technology Area	WLAN HOST
Vulnerability Type	CWE-200 Information Exposure, CWE-415 Double Free
Access Vector	Local
Security Rating	Medium
Date Reported	4/26/2018
Customer Notified Date	8/6/2018
Affected Chipsets	IPQ8064, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=7705166bba74d29e2fe4c74a90608caed2958930 https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=e9ceae083854c55eeec2381c0c7568885441d352 https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c646dc8cc30b8102bab16a44e7cf159eb086988a

CVE-2018-13919

CVE ID	CVE-2018-13919
Title	Use-After-Free issue in IPA Driver
Description	Use-after-free vulnerability will occur if reset of the routing table encounters an invalid rule id while processing command to reset.
Technology Area	Data Network Stack & Connectivity
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	12/3/2018
Affected Chipsets	MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, QCS405, QCS605, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2df8cec1c3ee66d82313e67c2f3129e62296a4de

CVE-2018-3583

CVE ID	CVE-2018-3583
Title	Buffer Copy without Checking Size of Input in WLAN
Description	A buffer overflow can occur while processing an extscan hotlist event
Technology Area	WLAN HOST
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	High
Date Reported	6/20/2017
Customer Notified Date	2/5/2018
Affected Chipsets	MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA9379, QCS605, SD 625, SD 636, SD 820, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=53e6d889ac29336ba212a0d4a987455a85736fa8

CVE-2018-5883

CVE ID	CVE-2018-5883
Title	Improper Validation of Array Index in WLAN
Description	Buffer overflow in WLAN driver event handlers due to improper validation of array index
Technology Area	WLAN HOST
Vulnerability Type	CWE-129 Improper Validation of Array Index
Access Vector	Local
Security Rating	High
Date Reported	9/13/2017
Customer Notified Date	5/7/2018
Affected Chipsets	MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 636, SD 675, SD 730, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a67fee043d7459b1c09033b4ca24c41fab5ea4a9

CVE-2018-5903

CVE ID	CVE-2018-5903
Title	Improper Validation of Array Index in WLAN
Description	Out of bounds read occurs due to improper validation of array while processing VDEV stop response from WLAN firmware.
Technology Area	WLAN HOST
Vulnerability Type	CWE-129 Improper Validation of Array Index
Access Vector	Local
Security Rating	High
Date Reported	12/8/2017
Customer Notified Date	5/7/2018
Affected Chipsets	MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=20365fa599f42f6e1f175d9d5d60d964927c2160

CVE-2018-5911

CVE ID	CVE-2018-5911
Title	Possible Buffer Overflow in WLAN
Description	Buffer overflow in WLAN function due to improper check of buffer size before copying.
Technology Area	WLAN HOST
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	Medium
Date Reported	2/24/2018
Customer Notified Date	5/7/2018
Affected Chipsets	MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 855, SDM630, SDM660, SDX20, SDX24
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ea2fc6eef2c742467f0322d0ff0fc7ba6c917f66

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

• Consideration of security protections such as SELinux not enforced on some platforms
• Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version	Date	Comments
1.0	May 6, 2019	Bulletin Published
1.1	August 9, 2019	Added link to CVE-2018-11934