June 2019 Code Aurora Security Bulletin

June 3, 2019

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

  • CVE-2018-11955, CVE-2019-2279, CVE-2019-2287: Reported to us through the Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.

  • CVE-2019-2277: Hao Chen (@flankersky) and Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.

Table of vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2018-11955 | High | WLAN HOST | 5/3/2018 |
| CVE-2019-2260 | High | Kernel | Internal |
| CVE-2019-2264 | Medium | Qualcomm IPC | Internal |
| CVE-2019-2269 | Critical | WLAN HOST | Internal |
| CVE-2019-2277 | Medium | WLAN HOST | 10/31/2018 |
| CVE-2019-2279 | Critical | Video | 10/10/2018 |
| CVE-2019-2287 | Critical | Video | 10/10/2018 |
| CVE-2019-2292 | High | WLAN HOST | Internal |

CVE-2018-11955

| CVE ID | CVE-2018-11955 |
|---|---|
| Title | Buffer Over-read in WLAN |
| Description | A missing check on the length of the reason code fetched from the payload may lead the driver to access memory not allocated to the frame, resulting in an OOB read |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 5/3/2018 |
| Customer Notified Date | 8/6/2018 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM660, SDX20, SDX24 |
| Patch | |

CVE-2019-2260

| CVE ID | CVE-2019-2260 |
|---|---|
| Title | Use After Free Vulnerability in Core |
| Description | A race condition while processing perf-event can lead to a use-after-free condition |
| Technology Area | Kernel |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/3/2018 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016, SXR1130 |
| Patch | |

CVE-2019-2264

| CVE ID | CVE-2019-2264 |
|---|---|
| Title | Use After Free Issue in Kernel |
| Description | Null pointer dereference occurs for the channel context while opening a glink channel |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 3/4/2019 |
| Affected Chipsets | MDM9607, MDM9640, MSM8909W, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SDM439, SDM630, SDM660, SDX24 |
| Patch | |

CVE-2019-2269

| CVE ID | CVE-2019-2269 |
|---|---|
| Title | Stack-based Buffer Overflow in WLAN |
| Description | Possible buffer overflow while processing the high-level lim process action frame due to improper buffer length validation |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 3/4/2019 |
| Affected Chipsets | MDM9150, MDM9650, MSM8996AU, QCS405, QCS605, SD 625, SD 636, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24, SXR1130 |
| Patch | |

CVE-2019-2277

| CVE ID | CVE-2019-2277 |
|---|---|
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | OOB read due to lack of NULL termination on user-controlled data in WLAN |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/31/2018 |
| Customer Notified Date | 3/4/2019 |
| Affected Chipsets | MSM8996AU, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX24 |
| Patch | |

CVE-2019-2279

| CVE ID | CVE-2019-2279 |
|---|---|
| Title | Use of Out-of-Range pointer Offset in Video Firmware |
| Description | Shared memory gets updated with invalid data and may lead to access beyond the allocated memory. |
| Technology Area | Video |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 10/10/2018 |
| Customer Notified Date | 3/4/2019 |
| Affected Chipsets | MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016 |
| Patch | |

CVE-2019-2287

| CVE ID | CVE-2019-2287 |
|---|---|
| Title | Use of Out-of-range Pointer Offset in Video |
| Description | Improper validation of inputs received from firmware can lead to an out-of-bounds write in the video driver. |
| Technology Area | Video |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 10/10/2018 |
| Customer Notified Date | 3/4/2019 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
| Patch | |

CVE-2019-2292

| CVE ID | CVE-2019-2292 |
|---|---|
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | OOB access can occur due to a buffer copy without checking the size of input received from WLAN FW |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/4/2019 |
| Affected Chipsets | MDM9150, MDM9650, MSM8996AU, QCA6574AU, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24 |
| Patch | |

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

| Version | Date | Comments |
|---|---|---|
| 1.0 | June 3, 2019 | Bulletin Published |