September 2019

September 2019 Qualcomm Technologies, Inc. Security Bulletin

Version 1.0

Published: 09/03/2019

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-10502 Pengfei Ding (丁鹏飞) of Huawei Mobile Security Lab
CVE-2019-10504 Mathieu Cunche, Célestin Matte, Mathy Vanhoef
CVE-2019-10519 Researchers at Trend Micro
CVE-2019-10521, CVE-2019-10530 Reported to us through Google Android Security team; please see Android Security Bulletins for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2019-10529 Jann Horn of Google Project Zero
CVE-2019-10542 Gengjia Chen (@chengjia4574), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2019-2258 heidada (heiheidada)
CVE-2019-2324, CVE-2019-2325 Peter Pi of Tencent

This table summarizes security vulnerabilities that were addressed through proprietary software

Table of vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2019-10488 | High | Video | Internal |
| CVE-2019-10495 | High | Video | Internal |
| CVE-2019-10496 | High | Video | Internal |
| CVE-2019-10504 | High | WLAN Firmware | 02/22/2017 |
| CVE-2019-10522 | High | Video | Internal |
| CVE-2019-10533 | Critical | Video | Internal |
| CVE-2019-10534 | High | Video | Internal |
| CVE-2019-10541 | High | Video | Internal |
| CVE-2019-2246 | High | KERNEL | Internal |
| CVE-2019-2249 | High | KERNEL | Internal |
| CVE-2019-2258 | Critical | 1x | 09/04/2018 |
| CVE-2019-2275 | High | HLOS | Internal |
| CVE-2019-2285 | High | Video | Internal |

CVE-2019-10488

CVE ID: CVE-2019-10488
Title: Null Pointer Dereference Issue in Video
Description: A null pointer dereference can occur while parsing invalid chunks when playing a nonstandard clip.
Technology Area: Video
Vulnerability Type: CWE-476 NULL Pointer Dereference
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20

CVE-2019-10495

CVE ID: CVE-2019-10495
Title: Improper Input Validation issue in Video
Description: Arbitrary buffer write while processing the sequence header during HEVC or AVC encoding.
Technology Area: Video
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130

CVE-2019-10496

CVE ID: CVE-2019-10496
Title: Integer Overflow to Buffer Overflow Issue in Video
Description: A variable received from the driver is populated into a firmware data structure without being checked, which leads to a buffer overflow.
Technology Area: Video
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130

CVE-2019-10504

CVE ID: CVE-2019-10504
Title: Uncontrolled Resource Consumption Issue in WLAN Module
Description: Firmware is not able to send the EXT scan response to the host within 1 sec due to a resource consumption issue.
Technology Area: WLAN Firmware
Vulnerability Type: CWE-310 Cryptographic Issues, CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Access Vector: Remote
Security Rating: High
Date Reported: 02/22/2017
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9206, MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 845 / SD 850, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016

CVE-2019-10522

CVE ID: CVE-2019-10522
Title: Buffer Copy Without Checking Size of Input issue in Video
Description: A buffer overflow can occur during parsing while playing a nonstandard clip.
Technology Area: Video
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20

CVE-2019-10533

CVE ID: CVE-2019-10533
Title: Improper Validation of Array Index in Video
Description: Out-of-bounds access due to improper validation of an array index causes the index table entry to become corrupted.
Technology Area: Video
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Remote
Security Rating: Critical
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20

CVE-2019-10534

CVE ID: CVE-2019-10534
Title: Null Pointer Dereference Issue in Video
Description: A null pointer dereference can occur while accessing the super index entry when it has not been allocated.
Technology Area: Video
Vulnerability Type: CWE-476 NULL Pointer Dereference
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20

CVE-2019-10541

CVE ID: CVE-2019-10541
Title: Use of Uninitialized Variable in Video
Description: A dereference of an uninitialized buffer can happen when parsing an FLV clip with corrupted codec-specific data.
Technology Area: Video
Vulnerability Type: CWE-457 Use of Uninitialized Variable
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20

CVE-2019-2246

CVE ID: CVE-2019-2246
Title: Improper Input Validation in Kernel
Description: Thread start can cause invalid memory writes to an arbitrary memory location, since the argument is passed by the user to the kernel.
Technology Area: KERNEL
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 03/04/2019

Affected Chipsets

MDM9205, MDM9640, MSM8996AU, QCA6574, QCS605, Qualcomm 215, SD 425, SD 427, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016, SXR1130

CVE-2019-2249

CVE ID: CVE-2019-2249
Title: Improper Input Validation in Kernel
Description: The kernel can perform a memory read from an arbitrary address passed by the user during execution of a syscall.
Technology Area: KERNEL
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

IPQ8074, MDM9205, MDM9650, QCA8081, QCS605, SD 427, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130

CVE-2019-2258

CVE ID: CVE-2019-2258
Title: Improper Validation of Array Index in MMCP
Description: Improper validation of an array index causes an OOB write, which leads to memory corruption in MMCP.
Technology Area: 1x
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Remote
Security Rating: Critical
Date Reported: 09/04/2018
Customer Notified Date: 02/04/2019

Affected Chipsets

MDM9150, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130

CVE-2019-2275

CVE ID: CVE-2019-2275
Title: Possible Buffer Overflow in Keymaster Key Deserialization
Description: While deserializing any key blob during key operations, a buffer overflow could occur, exposing partial key information if any key operations are invoked (depends on CVE-2018-13907).
Technology Area: HLOS
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 03/04/2019

Affected Chipsets

MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS404, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130

CVE-2019-2285

CVE ID: CVE-2019-2285
Title: Improper Restriction of Operation Within the Bounds of a memory Buffer in Video
Description: An out-of-bounds write is observed while providing information about the properties that have been set so far for playing video.
Technology Area: Video
Vulnerability Type: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130

This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links

Table of Vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2019-10491 | High | Audio | Internal |
| CVE-2019-10502 | Medium | Multimedia | 02/13/2019 |
| CVE-2019-10505 | High | WLAN HOST, IoT Platform | Internal |
| CVE-2019-10512 | High | Audio | Internal |
| CVE-2019-10515 | High | Core Services | Internal |
| CVE-2019-10519 | Medium | Graphics | 02/20/2019 |
| CVE-2019-10520 | Medium | Kernel | 02/20/2019 |
| CVE-2019-10521 | Medium | GPS HLOS Driver | 03/07/2019 |
| CVE-2019-10524 | High | Multimedia | Internal |
| CVE-2019-10528 | Medium | Core Services | Internal |
| CVE-2019-10529 | High | Graphics | 04/24/2019 |
| CVE-2019-10530 | Medium | Kernel | 01/03/2019 |
| CVE-2019-10531 | High | HLOS | Internal |
| CVE-2019-10542 | Medium | WLAN HOST | 08/23/2018 |
| CVE-2019-2283 | High | Qualcomm IPC | Internal |
| CVE-2019-2323 | High | HLOS | Internal |
| CVE-2019-2324 | High | Audio | 12/04/2018 |
| CVE-2019-2325 | High | Audio | 12/04/2018 |
| CVE-2019-2331 | High | Audio | Internal |
| CVE-2019-2332 | High | Audio | Internal |

CVE-2019-10491

CVE ID: CVE-2019-10491
Title: Buffer Copy Without Checking Size of Input in Audio
Description: ADSP can be compromised since it's a general-purpose CPU processing untrusted data.
Technology Area: Audio
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=f73dd9aa49a272391de235c238acd8b98392c22c

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=8961e92e63050918263578740e28e18d1a6ca8f7

CVE-2019-10502

CVE ID: CVE-2019-10502
Title: Use of Out-of-range Pointer Offset in Automotive Multimedia
Description: Possible stack overflow when an index equal to the io buffer size is accessed in the camera module.
Technology Area: Multimedia
Vulnerability Type: CWE-823 Use of Out-of-range Pointer Offset
Access Vector: Local
Security Rating: Medium
Date Reported: 02/13/2019
Customer Notified Date: 06/03/2019

Affected Chipsets

MSM8909W, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=95b4242bcec4d2bee21a4e0f9c94df1f9485f8e3

https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=fd254315a60cf76339f71f7a5a95099c92f70d38

https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=e3e8d54d03019e11efdd208f0e0e5aeddc436d42

CVE-2019-10505

CVE ID: CVE-2019-10505
Title: Buffer Over-read in WLAN
Description: Out-of-bounds access while processing a non-standard IE measurement request whose length extends past the size of the frame.
Technology Area: WLAN HOST, IoT Platform
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=64398f99a27f69ad02b70881b028e179c5a5dbbb

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=97e31543ad58816d5178be1e9244c47b05893e79

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=eb8bba6b4c2b9261a40a7d3769d1175e4c4db87e

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=38934e6bfb2f8146a567870ae83cea6783feb938

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=c7104ad185a967c15e530e4e124cb0194fd54a47

CVE-2019-10512

CVE ID: CVE-2019-10512
Title: Improper Validation of Array Index in Audio
Description: Payload size is not checked before it is used as an array index in audio.
Technology Area: Audio
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130

Patch

https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=e336f752f508c69442c53ee5e5f83265062278fd

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e8e2f3835f362fc06dbc1222354bba8ab073ba46

CVE-2019-10515

CVE ID: CVE-2019-10515
Title: Use After Free Issue in DIAG Services
Description: A DCI client that might have been preemptively freed might be accessed for transferring packets, leading to a kernel error.
Technology Area: Core Services
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=344b745a9dd3e5e0cc0459645a0f28ac35e057b4

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=4d29940d79cead5fe2f1974308a517aa62a681ed

CVE-2019-10519

CVE ID: CVE-2019-10519
Title: Use of Out-of-range Pointer Offset in Graphics
Description: An integer truncation issue leads to a kernel error in kernel memory allocation when a large size is received without a bounds check.
Technology Area: Graphics
Vulnerability Type: CWE-823 Use of Out-of-range Pointer Offset
Access Vector: Local
Security Rating: Medium
Date Reported: 02/20/2019
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9640, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 820A

Patch

https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=95599020931debc4da215f6cc173b01c0f75c4ee

CVE-2019-10520

CVE ID: CVE-2019-10520
Title: Uncontrolled Resource Consumption in Kernel Memory
Description: An unprivileged application can allocate GPU memory by calling the memory allocation ioctl function and can exhaust all the memory, which results in an out-of-memory condition.
Technology Area: Kernel
Vulnerability Type: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Access Vector: Local
Security Rating: Medium
Date Reported: 02/20/2019
Customer Notified Date: 06/03/2019

Affected Chipsets

QCS405, SD 210/SD 212/SD 205, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=50d485b06f838245bbe2480c89d4146630195e21

CVE-2019-10521

CVE ID: CVE-2019-10521
Title: Integer Overflow To Buffer Overflow Issue in GPS
Description: Passing an APN name that is INT_MAX in size to an int leads to an integer overflow and then to a buffer overflow.
Technology Area: GPS HLOS Driver
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: Medium
Date Reported: 03/07/2019
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX24

Patch

https://source.codeaurora.org/quic/le/platform/hardware/qcom/gps/commit/?id=4788c8a1ee32619f59752d9068df2f5d316819eb

CVE-2019-10524

CVE ID: CVE-2019-10524
Title: Use After Free Issue in Camera
Description: Because of a missing check, a negative value returned for get_clk is wrongly interpreted as a valid pointer, leading to a use after free in the clk driver.
Technology Area: Multimedia
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=73e75fbec9c1e47e41c5c0fe8ee588f1d4bd4167

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=33f8c059342eb2c0c9821117cf0b46d3d3b285c5

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=df1d638efbee41ef51eb591ddcadc42e4f01b73c

CVE-2019-10528

CVE ID: CVE-2019-10528
Title: Use After Free Issue in Diag Services
Description: Use after free in the kernel while accessing freed mdlog session info and its attributes after closing the session.
Technology Area: Core Services
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 730, SD 820, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=d08da0b59f0e738000fa67e100b27c03edccf544

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=f4c3c5194792a64f52e0cbd9aad0916bb59170e7

CVE-2019-10529

CVE ID: CVE-2019-10529
Title: Use After Free Issue in Graphics
Description: Possible use after free due to a race condition while attempting to mark the entry pages as dirty using the function set_page_dirty().
Technology Area: Graphics
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: 04/24/2019
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=7a606e2b63e3168e5c1190076b974074c114c309

CVE-2019-10530

CVE ID: CVE-2019-10530
Title: Integer Overflow to Buffer Overflow Issue in Kernel
Description: A missing check for data truncation on user-supplied data in the kernel leads to a buffer overflow.
Technology Area: Kernel
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: Medium
Date Reported: 01/03/2019
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=6217aae69f794d3220d1e1cb5a4733282931361a

CVE-2019-10531

CVE ID: CVE-2019-10531
Title: Improper Input Validation in HLOS
Description: Incorrect reading of the system image results in a buffer overflow when the size of the system image is increased.
Technology Area: HLOS
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SDM439

Patch

https://source.codeaurora.org/quic/le/kernel/lk/commit/?id=3b25c436f664c8a48be09c595690055ac9dc74d2

https://source.codeaurora.org/quic/le/kernel/lk/commit/?id=5c317dc1ff2d6f305398bfa4c4e5078984a73215

CVE-2019-10542

CVE ID: CVE-2019-10542
Title: Buffer Copy Without Checking Size of Input in WLAN HOST
Description: A buffer over-read may occur when downloading a corrupted firmware file whose chunk length in the header doesn't match the contents.
Technology Area: WLAN HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: Medium
Date Reported: 08/23/2018
Customer Notified Date: 06/03/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 845 / SD 850, SDX20

Patch

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=20b956dbc8b19d719dbe6ca3bfde781e6f64be49

CVE-2019-2283

CVE ID: CVE-2019-2283
Title: Improper Input Validation in KERNEL
Description: Improper validation of the read and write indexes of the tx and rx FIFOs before calculating the pointer can lead to out-of-bounds access.
Technology Area: Qualcomm IPC
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 03/04/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=477409de280b9c3cb6a7a16be22b415b03f45a74

CVE-2019-2323

CVE ID: CVE-2019-2323
Title: Improper Input Validation Issue in HLOS
Description: A missing check to ensure that crypto engine data passed by the user is initialized can result in a bus error.
Technology Area: HLOS
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=8ae699e72e3933d4022d973977f093c7098cf91b

CVE-2019-2324

CVE ID: CVE-2019-2324
Title: Improper Validation of Array Index in Audio
Description: When ADSP is compromised, the audio port index that's returned from ADSP might be out of the valid range, leading to out-of-bounds access.
Technology Area: Audio
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: High
Date Reported: 12/04/2018
Customer Notified Date: 05/06/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 845 / SD 850, SD 855, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=eec4580e5f47efd9a166dc140fa3e62e8bbd0b06

CVE-2019-2325

CVE ID: CVE-2019-2325
Title: Improper Validation of Array Index in Audio Driver
Description: Out-of-bounds access because a token received from ADSP is used without validation as an index into the array.
Technology Area: Audio
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: High
Date Reported: 12/04/2018
Customer Notified Date: 05/06/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=af09cb8b39a33bf506aa650ee80170025aa8f9f8

https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=14487053842c6885711d1e5ef9a8d3928d39f0ad

CVE-2019-2331

CVE ID: CVE-2019-2331
Title: Integer Overflow or Wraparound Issue in Audio
Description: Possible integer overflow from subtracting two integers without checking whether the result would overflow.
Technology Area: Audio
Vulnerability Type: CWE-190 Integer Overflow or Wraparound
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=165fffbf94f706d0fd4b5bbb3675016b39e6c744

https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=4e2885680f993acb4fdb5bef725109cfca552df7

CVE-2019-2332

CVE ID: CVE-2019-2332
Title: Improper Validation of Array Index in Audio
Description: Memory corruption while accessing memory, as the payload size is not validated before access.
Technology Area: Audio
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 05/06/2019

Affected Chipsets

MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Patch

https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=bf4c2c02be579810941dfb6f7df01fc82f50801e

https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=9d0aa1ffdffca51ba087bba6a471f90bc5178b70

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

| Version | Date | Comments |
|---|---|---|
| 1.0 | September 3, 2019 | Bulletin Published |

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
