Camera JPEG engines Integer overflow and signedness issue

2014.02.10
Risk: Low
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Advisory ID
QCIR-2013-00005-1

CVE ID(s)
CVE-2013-4736

Description
The following security vulnerability has been identified in the MSM JPEG engine drivers (Gemini JPEG encoder, Mercury JPEG decoder, Jpeg1.0 common encoder/decoder).

CVE-2013-4736: The JPEG engines that are part of the camera driver provide an ioctl system call interface to user space clients for communication. When processing hardware commands ioctl calls, the drivers are incorrectly handling the number of commands included in the user space payload. This can lead to an integer overflow which subsequently results in the driver attempting to process hardware commands from out-of-bounds memory which can cause the kernel to crash. The same code also suffered from incorrectly treating the number of hardware commands as signed.

Access Vector: local
Security Risk: medium
Vulnerability: integer overflow (CWE-190)

Affected versions
All Android releases from CAF using a Linux kernel from the following heads:
msm-3.*
jb*
ics*
gingerbread*

Patch
We advise customers to apply the following patches for individual branches.

Individual Patches
msm-3*/jb* releases that use drivers/media/platform/msm/camera_{v1,v2}/{gemini,jpeg_10}:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=fab0bc54f4b70fd1d85300731822379a487d66ca5

msm-3*/jb*/ics*/gingerbread* releases that use drivers/media/video/msm/{gemini,mercury,jpeg_10}:
https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=8c5300aec8cd9882b89e9d169680221541da0d7f
https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=81947189009afcfac17d1106101260c660421265

Acknowledgement
Qualcomm Innovation Center, Inc. (QuIC) thanks alephzain1@gmail.com for reporting the related issues and working with QuIC to help improve Android device security.

Revisions
Initial revision

Contact
security-advisory@quicinc.com

References:

https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=81947189009afcfac17d1106101260c660421265
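The bug class named in the description, shown as an added user-space example that is not the driver's code or the patch: a payload length derived from a caller-supplied command count, first with a signed count and wrapping 32-bit arithmetic, then with an unsigned count and a bound check. The struct layout and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical "count + N commands" payload; not the driver's real structs. */
struct hw_cmd  { uint32_t type, offset, mask, value; };  /* 16 bytes */
struct hw_cmds { uint32_t m; struct hw_cmd hw_cmd[1]; }; /* 20 bytes */

/* Flawed pattern: the count is signed and the 32-bit length silently wraps,
 * so the computed length no longer covers the m commands a caller claims. */
static uint32_t payload_len_unchecked(int32_t m)
{
    return (uint32_t)sizeof(struct hw_cmds) +
           (uint32_t)sizeof(struct hw_cmd) * ((uint32_t)m - 1u);
}

/* Hardened pattern: unsigned count; reject 0 and any count whose total
 * length cannot be represented in 32 bits. Returns 0 on success, -1 on reject. */
static int payload_len_checked(uint32_t m, uint32_t *len)
{
    const uint32_t hdr = (uint32_t)sizeof(struct hw_cmds);
    const uint32_t per = (uint32_t)sizeof(struct hw_cmd);

    if (m == 0 || m > (UINT32_MAX - hdr) / per)
        return -1;
    *len = hdr + per * (m - 1u);
    return 0;
}

int main(void)
{
    /* Constructed sample counts: normal, zero, wrapping, negative-as-signed. */
    const int32_t samples[] = { 2, 0, 0x10000001, -1 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t len = 0;
        int rc = payload_len_checked((uint32_t)samples[i], &len);
        printf("m=%ld unchecked_len=%lu checked=%s\n", (long)samples[i],
               (unsigned long)payload_len_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

With the unchecked arithmetic, a count of 0x10000001 yields a 20-byte length, which is the mismatch between allocated payload and claimed command count that leads to out-of-bounds processing.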



Copyright 2024, cxsecurity.com

 
