This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.
We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2019-10567 | Guang Gong (higongguang@gmail.com) of Alpha Lab, Qihoo 360 |
| CVE-2019-14040, CVE-2019-14041 | Tamir Zahavi-Brunner ([@tamir_zb](https://twitter.com/tamir_zb)) of Zimperium zLabs Team |
| CVE-2019-14088 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
This table summarizes security vulnerabilities that were addressed through proprietary software
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-10590 | High | Video | Internal |
| CVE-2019-14051 | High | KERNEL | Internal |
| CVE-2019-14057 | High | Video | Internal |
| CVE-2019-14060 | High | Audio | Internal |
| CVE ID | CVE-2019-10590 |
| Title | Improper Validation of Array Index Issue in Video |
| Description | Out of bound access while parsing dts atom, which is non-standard as it does not have valid number of tracks |
| Technology Area | Video |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| CVE ID | CVE-2019-14051 |
| Title | Integer Overflow to Buffer Overflow Issue in Kernel |
| Description | Subsequent additions performed during Module loading while allocating the memory would lead to integer overflow and then to buffer overflow |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | MDM9206, MDM9607 |
| CVE ID | CVE-2019-14057 |
| Title | Buffer Copy Without Checking Size of Input in Video |
| Description | Buffer Over read of codec private data while parsing an mkv file due to lack of check of buffer size before read |
| Technology Area | Video |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| CVE ID | CVE-2019-14060 |
| Title | Access of Uninitialized Pointer in Audio |
| Description | Uninitialized stack data gets used If memory is not allocated for blob or if the allocated blob is less than the struct size required due to lack of check of return value for read or write blob |
| Technology Area | Audio |
| Vulnerability Type | CWE-824 Access of Uninitialized Pointer |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
* Data is generated only at the time of bulletin creation
This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-10567 | High | Graphics | 08/29/2019 |
| CVE-2019-14040 | Medium | HLOS | 08/04/2019 |
| CVE-2019-14041 | Medium | HLOS | 08/04/2019 |
| CVE-2019-14044 | High | Camera Driver | Internal |
| CVE-2019-14046 | High | Camera Driver | Internal |
| CVE-2019-14049 | High | Kernel | Internal |
| CVE-2019-14055 | High | Core Services | Internal |
| CVE-2019-14063 | High | Audio | Internal |
| CVE-2019-14088 | Medium | Multimedia | 10/18/2019 |
| CVE ID | CVE-2019-10567 |
| Title | Configuration Issue in Linux Graphics |
| Description | There is a way to deceive the GPU kernel driver into thinking there is room in the GPU ringbuffer and overwriting existing commands could allow unintended GPU opcodes to be executed |
| Technology Area | Graphics |
| Vulnerability Type | CWE-16 Configuration |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 08/29/2019 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
|
| CVE ID | CVE-2019-14040 |
| Title | Use After Free Issue in QSEE |
| Description | Using memory after being freed in qsee due to wrong implementation can lead to unexpected behavior such as execution of unknown code |
| Technology Area | HLOS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/04/2019 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150, SXR1130 |
| Patch* |
| CVE ID | CVE-2019-14041 |
| Title | Buffer Copy Without Checking Size of Input in QTEE |
| Description | During listener modified response processing, a buffer overrun occurs due to lack of buffer size verification when updating message buffer with physical address information |
| Technology Area | HLOS |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/04/2019 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
| CVE ID | CVE-2019-14044 |
| Title | Improper Validation of Array Index in Camera |
| Description | Out of bound access due to access of uninitialized memory segment in an array of pointers while normal camera open close |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | QCS605, SDM439, SDM630, SDM636, SDM660, SDX24 |
| Patch* |
| CVE ID | CVE-2019-14046 |
| Title | Improper Validation of Array Index in Kernel |
| Description | Out of bound access while allocating memory for an array in camera due to improper validation of elements parameters |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | QCS605, SDM439, SDX24 |
| Patch* |
| CVE ID | CVE-2019-14049 |
| Title | Stage 2 Fault Issue in Kernel |
| Description | Stage-2 fault will occur while writing to an ION system allocation which has been assigned to non-HLOS memory which is non-standard |
| Technology Area | Kernel |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MSM8953, QCN7605, QCS605, SC8180X, SDA845, SDM429, SDM439, SDM450, SDM632, SDX20, SDX24, SDX55, SM8150, SXR1130 |
| Patch* |
|
| CVE ID | CVE-2019-14055 |
| Title | Use After Free Issue in Diag Services |
| Description | Possibility of use-after-free and double free because of not marking buffer as NULL after freeing can lead to dangling pointer access |
| Technology Area | Core Services |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8939, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS605, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
| CVE ID | CVE-2019-14063 |
| Title | Buffer Over-read Issue in Audio |
| Description | Out of bound access due to Invalid inputs to dapm mux settings which results into kernel failure |
| Technology Area | Audio |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9607, Nicobar, QCS405, Rennell, SA6155P, Saipan, SC8180X, SDM630, SDM636, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
| CVE ID | CVE-2019-14088 |
| Title | Use After Free Issue in Camera |
| Description | Possible use after free issue while CRM is accessing the link pointer from device private data due to lack of resource protection |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/18/2019 |
| Customer Notified Date | 12/02/2019 |
| Affected Chipsets* | APQ8009, MDM9206, MDM9207C, MDM9607, QCS605, SDM429W, SDX24, SM8150, SXR1130 |
| Patch* |
* Data is generated only at the time of bulletin creation
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
| Version | Date | Comments |
| 1.0 | February 3, 2020 | Bulletin Published |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.