February 2020

February 2020 Security Bulletin

Version 1.0

Published: 02/03/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-10567 Guang Gong (higongguang@gmail.com) of Alpha Lab, Qihoo 360
CVE-2019-14040, CVE-2019-14041 Tamir Zahavi-Brunner ([@tamir_zb](https://twitter.com/tamir_zb)) of Zimperium zLabs Team
CVE-2019-14088 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.

This table summarizes security vulnerabilities that were addressed through proprietary software

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2019-10590 High Video Internal
CVE-2019-14051 High KERNEL Internal
CVE-2019-14057 High Video Internal
CVE-2019-14060 High Audio Internal

CVE-2019-10590

CVE ID CVE-2019-10590
Title Improper Validation of Array Index Issue in Video
Description Out of bound access while parsing dts atom, which is non-standard as it does not have valid number of tracks
Technology Area Video
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14051

CVE ID CVE-2019-14051
Title Integer Overflow to Buffer Overflow Issue in Kernel
Description Subsequent additions performed during Module loading while allocating the memory would lead to integer overflow and then to buffer overflow
Technology Area KERNEL
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* MDM9206, MDM9607

CVE-2019-14057

CVE ID CVE-2019-14057
Title Buffer Copy Without Checking Size of Input in Video
Description Buffer Over read of codec private data while parsing an mkv file due to lack of check of buffer size before read
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14060

CVE ID CVE-2019-14060
Title Access of Uninitialized Pointer in Audio
Description Uninitialized stack data gets used If memory is not allocated for blob or if the allocated blob is less than the struct size required due to lack of check of return value for read or write blob
Technology Area Audio
Vulnerability Type CWE-824 Access of Uninitialized Pointer
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

* Data is generated only at the time of bulletin creation

This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2019-10567 High Graphics 08/29/2019
CVE-2019-14040 Medium HLOS 08/04/2019
CVE-2019-14041 Medium HLOS 08/04/2019
CVE-2019-14044 High Camera Driver Internal
CVE-2019-14046 High Camera Driver Internal
CVE-2019-14049 High Kernel Internal
CVE-2019-14055 High Core Services Internal
CVE-2019-14063 High Audio Internal
CVE-2019-14088 Medium Multimedia 10/18/2019

CVE-2019-10567

CVE ID CVE-2019-10567
Title Configuration Issue in Linux Graphics
Description There is a way to deceive the GPU kernel driver into thinking there is room in the GPU ringbuffer and overwriting existing commands could allow unintended GPU opcodes to be executed
Technology Area Graphics
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating High
Date Reported 08/29/2019
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14040

CVE ID CVE-2019-14040
Title Use After Free Issue in QSEE
Description Using memory after being freed in qsee due to wrong implementation can lead to unexpected behavior such as execution of unknown code
Technology Area HLOS
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 08/04/2019
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150, SXR1130
Patch*

CVE-2019-14041

CVE ID CVE-2019-14041
Title Buffer Copy Without Checking Size of Input in QTEE
Description During listener modified response processing, a buffer overrun occurs due to lack of buffer size verification when updating message buffer with physical address information
Technology Area HLOS
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Medium
Date Reported 08/04/2019
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14044

CVE ID CVE-2019-14044
Title Improper Validation of Array Index in Camera
Description Out of bound access due to access of uninitialized memory segment in an array of pointers while normal camera open close
Technology Area Camera Driver
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* QCS605, SDM439, SDM630, SDM636, SDM660, SDX24
Patch*

CVE-2019-14046

CVE ID CVE-2019-14046
Title Improper Validation of Array Index in Kernel
Description Out of bound access while allocating memory for an array in camera due to improper validation of elements parameters
Technology Area Camera Driver
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* QCS605, SDM439, SDX24
Patch*

CVE-2019-14049

CVE ID CVE-2019-14049
Title Stage 2 Fault Issue in Kernel
Description Stage-2 fault will occur while writing to an ION system allocation which has been assigned to non-HLOS memory which is non-standard
Technology Area Kernel
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MSM8953, QCN7605, QCS605, SC8180X, SDA845, SDM429, SDM439, SDM450, SDM632, SDX20, SDX24, SDX55, SM8150, SXR1130
Patch*

CVE-2019-14055

CVE ID CVE-2019-14055
Title Use After Free Issue in Diag Services
Description Possibility of use-after-free and double free because of not marking buffer as NULL after freeing can lead to dangling pointer access
Technology Area Core Services
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8939, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS605, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14063

CVE ID CVE-2019-14063
Title Buffer Over-read Issue in Audio
Description Out of bound access due to Invalid inputs to dapm mux settings which results into kernel failure
Technology Area Audio
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9607, Nicobar, QCS405, Rennell, SA6155P, Saipan, SC8180X, SDM630, SDM636, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-14088

CVE ID CVE-2019-14088
Title Use After Free Issue in Camera
Description Possible use after free issue while CRM is accessing the link pointer from device private data due to lack of resource protection
Technology Area Multimedia
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 10/18/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, MDM9206, MDM9207C, MDM9607, QCS605, SDM429W, SDX24, SM8150, SXR1130
Patch*

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

     

  • Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version Date Comments
1.0 February 3, 2020 Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.