Validate input arguments from user space in kernel-msm-mdp CVE-2014-4323 remote

Tracked by Jolla (In progress)

asked 2017-07-13 12:24:16 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-07-13 12:24:16 +0300

lpr gravatar image

The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application. CVSS v2 Base Score: 7.5 HIGH Access Vector: Network exploitable

Patch is available.

file affected: kernel-adaptation-sbj-3.4.108.20161101.1/drivers/video/msm/mdp.c lines 501-506

edit retag flag offensive close delete

Comments

released in SFOS 2.1.4 according to jovirkku's comment here.

lpr ( 2018-02-28 20:24:16 +0300 )edit

@jovirkku this issue was not addressed in SFOS 2.1.4.14 as you can see in kernel-adaptation-sbj-3.4.108.20171107.1/drivers/video/msm/mdp.c (lines 501-506)

lpr ( 2018-05-26 17:31:56 +0300 )edit

answer at recent mer-meeting (May31'18) topic: patches for CVE-2014-4323 and CVE-2016-5696 still not in kernel-adaptation-sbj:

Jaymzz> Yes we will provide fix for above CVE's for Jolla 1 in 2.2.1 release

lpr ( 2018-05-31 11:50:13 +0300 )edit