Version 1.0
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2018-13897 | CERT |
| CVE-2019-2272 | heidada (heiheidada) |
| CVE-2019-2276 | C0RE Team (c0reteam) |
| CVE-2019-2301, CVE-2019-2305, CVE-2019-2306 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
| CVE-2019-2309 | %i%s%n\nAAA (derrek) |
| CVE-2019-2312 | Gengjia Chen (chengjia4574) |
| CVE-2019-2314 | Gengjia Chen ( @chengjia4574 ) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2019-2326 | Peter Pi of Tencent |
Table of vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2018-13897 | High | Data Network Stack & Connectivity | 7/18/2018 |
| CVE-2019-2263 | Medium | Core Services | Internal |
| CVE-2019-2272 | Medium | Multimedia | 9/20/2018 |
| CVE-2019-2276 | High | WLAN HOST | 10/19/2018 |
| CVE-2019-2278 | High | HLOS | 11/1/2018 |
| CVE-2019-2290 | Medium | Multimedia | Internal |
| CVE-2019-2293 | Medium | Camera Driver | Internal |
| CVE-2019-2299 | Medium | WLAN HOST | Internal |
| CVE-2019-2301 | Medium | Qualcomm IPC | 6/19/2018 |
| CVE-2019-2305 | High | WLAN HOST | 5/4/2018 |
| CVE-2019-2306 | Medium | Display | 10/10/2018 |
| CVE-2019-2307 | High | WLAN HOST | Internal |
| CVE-2019-2308 | Critical | DSP Service | Internal |
| CVE-2019-2309 | Medium | WLAN HOST | 2/14/2018 |
| CVE-2019-2312 | Medium | WLAN HOST | 10/30/2018 |
| CVE-2019-2314 | Medium | Display | 11/15/2018 |
| CVE-2019-2316 | High | HLOS | Internal |
| CVE-2019-2326 | High | Audio | 12/4/2018 |
| CVE-2019-2328 | High | Audio | Internal |
| CVE-2019-2330 | Critical | Kernel | Internal |
| CVE-2019-2345 | Medium | Camera_Linux | Internal |
CVE-2018-13897
| CVE ID | CVE-2018-13897 |
| Title | Information Exposure in HLOS Data |
| Description | Client’s hostname gets added to DNS record on device which is running dnsmasq resulting in an information exposure |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 7/18/2018 |
| Customer Notified Date | 10/1/2018 |
| Affected Chipsets | MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660 |
| Patch |
CVE-2019-2263
| CVE ID | CVE-2019-2263 |
| Title | Use After Free While Reading from Diag Driver |
| Description | Access to freed memory can happen while reading from diag driver due to use after free issue |
| Technology Area | Core Services |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA9531, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDM660, SDX20, Snapdragon_High_Med_2016 |
| Patch |
CVE-2019-2272
| CVE ID | CVE-2019-2272 |
| Title | Buffer Copy Without Checking Size of Input in Display |
| Description | Buffer overflow can occur in display function due to lack of validation of header block size set by user. |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/20/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SDM660, SDX20 |
| Patch |
CVE-2019-2276
| CVE ID | CVE-2019-2276 |
| Title | Buffer Over-read in WLAN |
| Description | Possible out of bound read occurs while processing beaconing request due to lack of check on action frames received from user controlled space |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 10/19/2018 |
| Customer Notified Date | 3/4/2019 |
| Affected Chipsets | MDM9607, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24 |
| Patch |
CVE-2019-2278
| CVE ID | CVE-2019-2278 |
| Title | Improper Authentication in Boot |
| Description | User keystore signature is ignored in boot and can lead to bypass boot image signature verification |
| Technology Area | HLOS |
| Vulnerability Type | CWE-287 Improper Authentication |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/1/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660 |
| Patch |
CVE-2019-2290
| CVE ID | CVE-2019-2290 |
| Title | Use After Free Issue in Camera |
| Description | Multiple open and close from multiple threads will lead camera driver to access destroyed session data pointer |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016 |
| Patch |
|
CVE-2019-2293
| CVE ID | CVE-2019-2293 |
| Title | Use After Free in Camera |
| Description | Pointer dereference while freeing IFE resources due to lack of length check of in port resource. |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MSM8909W, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24 |
| Patch |
CVE-2019-2299
| CVE ID | CVE-2019-2299 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | An out-of-bound write can be triggered by a specially-crafted command supplied by a userspace application. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2301
| CVE ID | CVE-2019-2301 |
| Title | Buffer Copy Without Checking Size of Input in Kernel |
| Description | Possibility of out-of-bound read if id received from SPI is not in range of FIFO |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/19/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9980, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SD 855, SDM439, SDM660, SDX24 |
| Patch |
CVE-2019-2305
| CVE ID | CVE-2019-2305 |
| Title | Buffer Over-read Issue in WLAN |
| Description | Out of bound access when reason code is extracted from frame data without validating the frame length |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 5/4/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2306
CVE-2019-2307
| CVE ID | CVE-2019-2307 |
| Title | Integer Underflow Issue in WLAN |
| Description | Possible integer underflow due to lack of validation before calculation of data length in 802.11 Rx management configuration |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2308
| CVE ID | CVE-2019-2308 |
| Title | Permissions, Privileges and Access Control Issue in DSP Services |
| Description | User application could potentially make RPC call to the fastrpc driver and the driver will allow the message to go through to the remote subsystem |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2309
| CVE ID | CVE-2019-2309 |
| Title | Buffer Over-read Issue in WLAN |
| Description | While storing calibrated data from firmware in cache, An integer overflow may occur since data length received may exceed real data length. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/14/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SDM660, SDX20 |
| Patch |
CVE-2019-2312
| CVE ID | CVE-2019-2312 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | When handling the vendor command there exists a potential buffer overflow due to lack of input validation of data buffer received |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/30/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9607, MDM9640, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24 |
| Patch |
CVE-2019-2314
| CVE ID | CVE-2019-2314 |
| Title | Use After Free Issue in Display |
| Description | Possible race condition that will cause a use-after-free when writing to two sysfs entries at nearly the same time |
| Technology Area | Display |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/15/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MSM8909W, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2316
| CVE ID | CVE-2019-2316 |
| Title | Use After Free Issue in HLOS |
| Description | When computing the digest a local variable is used after going out of scope |
| Technology Area | HLOS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9640, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM660, SDX24 |
| Patch |
CVE-2019-2326
| CVE ID | CVE-2019-2326 |
| Title | Improper Validation of Array Index in Audio Driver |
| Description | Data token is received from ADSP and is used without validation as an index into the array leads to out of bound access |
| Technology Area | Audio |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 12/4/2018 |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2328
| CVE ID | CVE-2019-2328 |
| Title | Buffer Copy Without Checking Size of Input in Audio Driver |
| Description | Possible buffer overflow when number of channels passed is more than size of channel mapping array |
| Technology Area | Audio |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2330
| CVE ID | CVE-2019-2330 |
| Title | Improper Input Validation in Kernel |
| Description | improper input validation in allocation request for secure allocations can lead to page fault. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
| Patch |
CVE-2019-2345
| CVE ID | CVE-2019-2345 |
| Title | Always-incorrect Control Flow Implementation in Camera Library |
| Description | Race condition while accessing DMA buffer in jpeg driver |
| Technology Area | Camera_Linux |
| Vulnerability Type | CWE-670 Always-Incorrect Control Flow Implementation |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 4/1/2019 |
| Affected Chipsets | MSM8909W, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDM660, SDX20, SDX24 |
| Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | July 1, 2019 | Bulletin Published |