July 2019 Code Aurora Security Bulletin

July 1, 2019

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2018-13897 CERT
CVE-2019-2272 heidada (heiheidada)
CVE-2019-2276 C0RE Team (c0reteam)
CVE-2019-2301, CVE-2019-2305, CVE-2019-2306 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2019-2309 %i%s%n\nAAA (derrek)
CVE-2019-2312 Gengjia Chen (chengjia4574)
CVE-2019-2314 Gengjia Chen (@chengjia4574) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2019-2326 Peter Pi of Tencent

Table of vulnerabilities

Public ID       Security Rating  Technology Area                    Date Reported
CVE-2018-13897  High             Data Network Stack & Connectivity  7/18/2018
CVE-2019-2263   Medium           Core Services                      Internal
CVE-2019-2272   Medium           Multimedia                         9/20/2018
CVE-2019-2276   High             WLAN HOST                          10/19/2018
CVE-2019-2278   High             HLOS                               11/1/2018
CVE-2019-2290   Medium           Multimedia                         Internal
CVE-2019-2293   Medium           Camera Driver                      Internal
CVE-2019-2299   Medium           WLAN HOST                          Internal
CVE-2019-2301   Medium           Qualcomm IPC                       6/19/2018
CVE-2019-2305   High             WLAN HOST                          5/4/2018
CVE-2019-2306   Medium           Display                            10/10/2018
CVE-2019-2307   High             WLAN HOST                          Internal
CVE-2019-2308   Critical         DSP Service                        Internal
CVE-2019-2309   Medium           WLAN HOST                          2/14/2018
CVE-2019-2312   Medium           WLAN HOST                          10/30/2018
CVE-2019-2314   Medium           Display                            11/15/2018
CVE-2019-2316   High             HLOS                               Internal
CVE-2019-2326   High             Audio                              12/4/2018
CVE-2019-2328   High             Audio                              Internal
CVE-2019-2330   Critical         Kernel                             Internal
CVE-2019-2345   Medium           Camera_Linux                       Internal

CVE-2018-13897

CVE ID CVE-2018-13897
Title Information Exposure in HLOS Data
Description A client's hostname gets added to the DNS record on a device running dnsmasq, resulting in an information exposure
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-200 Information Exposure
Access Vector Remote
Security Rating High
Date Reported 7/18/2018
Customer Notified Date 10/1/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660
Patch

CVE-2019-2263

CVE ID CVE-2019-2263
Title Use After Free While Reading from Diag Driver
Description Access to freed memory can happen while reading from the diag driver due to a use-after-free issue
Technology Area Core Services
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA9531, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDM660, SDX20, Snapdragon_High_Med_2016
Patch

CVE-2019-2272

CVE ID CVE-2019-2272
Title Buffer Copy Without Checking Size of Input in Display
Description Buffer overflow can occur in display function due to lack of validation of header block size set by user.
Technology Area Multimedia
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 9/20/2018
Customer Notified Date 4/1/2019
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SDM660, SDX20
Patch

CVE-2019-2276

CVE ID CVE-2019-2276
Title Buffer Over-read in WLAN
Description A possible out-of-bound read occurs while processing a beaconing request due to a lack of checks on action frames received from user-controlled space
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 10/19/2018
Customer Notified Date 3/4/2019
Affected Chipsets MDM9607, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24
Patch

CVE-2019-2278

CVE ID CVE-2019-2278
Title Improper Authentication in Boot
Description The user keystore signature is ignored in boot, which can lead to a bypass of boot image signature verification
Technology Area HLOS
Vulnerability Type CWE-287 Improper Authentication
Access Vector Local
Security Rating High
Date Reported 11/1/2018
Customer Notified Date 4/1/2019
Affected Chipsets MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660
Patch

CVE-2019-2290

CVE ID CVE-2019-2290
Title Use After Free Issue in Camera
Description Multiple open and close operations from multiple threads will lead the camera driver to access a destroyed session data pointer
Technology Area Multimedia
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016
Patch

CVE-2019-2293

CVE ID CVE-2019-2293
Title Use After Free in Camera
Description Pointer dereference while freeing IFE resources due to a lack of length check on the in-port resource.
Technology Area Camera Driver
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets MSM8909W, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24
Patch

CVE-2019-2299

CVE ID CVE-2019-2299
Title Integer Overflow to Buffer Overflow in WLAN
Description An out-of-bound write can be triggered by a specially-crafted command supplied by a userspace application.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM660, SDX20, SDX24
Patch

CVE-2019-2301

CVE ID CVE-2019-2301
Title Buffer Copy Without Checking Size of Input in Kernel
Description Possibility of an out-of-bound read if the id received from SPI is not in the range of the FIFO
Technology Area Qualcomm IPC
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 6/19/2018
Customer Notified Date 4/1/2019
Affected Chipsets IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9980, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SD 855, SDM439, SDM660, SDX24
Patch

CVE-2019-2305

CVE ID CVE-2019-2305
Title Buffer Over-read Issue in WLAN
Description Out-of-bound access when the reason code is extracted from frame data without validating the frame length
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 5/4/2018
Customer Notified Date 4/1/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-2306

CVE ID CVE-2019-2306
Title Buffer Over-read Issue in Display
Description Improper casting of a structure while handling the buffer leads to an out-of-bound read in display
Technology Area Display
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 10/10/2018
Customer Notified Date 4/1/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20
Patch

CVE-2019-2307

CVE ID CVE-2019-2307
Title Integer Underflow Issue in WLAN
Description Possible integer underflow due to lack of validation before calculation of data length in 802.11 Rx management configuration
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-2308

CVE ID CVE-2019-2308
Title Permissions, Privileges and Access Control Issue in DSP Services
Description A user application could potentially make an RPC call to the fastrpc driver, and the driver will allow the message to go through to the remote subsystem
Technology Area DSP Service
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-2309

CVE ID CVE-2019-2309
Title Buffer Over-read Issue in WLAN
Description While storing calibrated data from firmware in cache, an integer overflow may occur since the data length received may exceed the real data length.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 2/14/2018
Customer Notified Date 4/1/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SDM660, SDX20
Patch

CVE-2019-2312

CVE ID CVE-2019-2312
Title Buffer Copy Without Checking Size of Input in WLAN
Description When handling the vendor command, there is a potential buffer overflow due to a lack of input validation of the data buffer received
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 10/30/2018
Customer Notified Date 4/1/2019
Affected Chipsets MDM9607, MDM9640, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24
Patch

CVE-2019-2314

CVE ID CVE-2019-2314
Title Use After Free Issue in Display
Description Possible race condition that will cause a use-after-free when writing to two sysfs entries at nearly the same time
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 11/15/2018
Customer Notified Date 4/1/2019
Affected Chipsets MSM8909W, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDM660, SDX20, SDX24
Patch

CVE-2019-2316

CVE ID CVE-2019-2316
Title Use After Free Issue in HLOS
Description When computing the digest, a local variable is used after going out of scope
Technology Area HLOS
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets MDM9640, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM660, SDX24
Patch

CVE-2019-2326

CVE ID CVE-2019-2326
Title Improper Validation of Array Index in Audio Driver
Description A data token received from ADSP is used without validation as an index into the array, which leads to out-of-bound access
Technology Area Audio
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 12/4/2018
Customer Notified Date 4/1/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-2328

CVE ID CVE-2019-2328
Title Buffer Copy Without Checking Size of Input in Audio Driver
Description Possible buffer overflow when the number of channels passed is more than the size of the channel mapping array
Technology Area Audio
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-2330

CVE ID CVE-2019-2330
Title Improper Input Validation in Kernel
Description Improper input validation in the allocation request for secure allocations can lead to a page fault.
Technology Area Kernel
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-2345

CVE ID CVE-2019-2345
Title Always-incorrect Control Flow Implementation in Camera Library
Description Race condition while accessing the DMA buffer in the jpeg driver
Technology Area Camera_Linux
Vulnerability Type CWE-670 Always-Incorrect Control Flow Implementation
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 4/1/2019
Affected Chipsets MSM8909W, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDM660, SDX20, SDX24
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version  Date          Comments
1.0      July 1, 2019  Bulletin Published