Details: A vulnerability in the kernel allows local users to gain privileges due to function pointers not being initialised. [vulmon]
According to one source, Android versions up to 3.2.6 are vulnerable. [android-paper]
Discovered by: Tavis Ormandy and Julien Tinnes [cr0][archived] on: Unknown
Affected versions: Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4 [cve-mitre-sock-sendpage], Android up to 2.1 [cve-mitre-sock-sendpage] regex: (1.[0-9].[0-9])|(2.[0-1].[0-9])
Details: Android before 2.3 does not properly restrict access to the system property space, which allows local applications to bypass the application sandbox and gain privileges. [citation-needed]
Details: udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space. [CVE-2009-1185]
Details: Improper bounds checking in the PowerVR driver as used in versions of Android prior to 2.3.6 when copying user data to kernel memory allows a malicious local application to write to the same area of memory referenced in CVE-2011-1350, potentially allowing for arbitrary code execution and privilege escalation. [citation-needed]
Details: QCIR-2012-00001-1: Multiple security vulnerabilities have been discovered in the handling of the diagchar_ioctl() and kgsl_ioctl() system call parameters for the diagnostics (DIAG) and KGSL graphics kernel drivers for Android. [QCIR-2012-00001-1][archived]
Details: Missing access checks in put_user/get_user kernel API (CVE-2013-6282 QCIR-2013-00010-1): The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This functionality was originally implemented and controlled by the domain switching feature (CONFIG_CPU_USE_DOMAINS), which has been deprecated due to architectural changes. As a result, any kernel code using these API functions may introduce a security issue where none existed before. This allows an application to read and write kernel memory to, e.g., escalate privileges. [QCIR-2013-00010-1][archived]
Details: The camera driver provides several interfaces to user space clients. The user space clients communicate to the kernel via syscalls such as ioctl or mmap. The camera driver provides an uncontrolled mmap interface that allows an application with access to the device file to map physical memory exceeding the camera driver's memory into user space. A locally installed, unprivileged application can use this flaw to escalate privileges. [QCIR-2013-00001-1][archived]
Details: The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. [cve-mitre-libperf-event]
Discovered by: Hiroyuki Ikezoe [android-paper] on: Unknown
Details: The acdb audio driver provides an ioctl system call interface to user space clients for communication. When processing arguments passed to the ioctl handler, a user space supplied size is used to copy as many bytes from user space to a local stack buffer without proper bounds checking. An application with access to the /dev/msm_acdb device file (audio or system group) can use this flaw to, e.g., elevate privileges. QCIR-2013-00002-1 [QCIR-2013-00002-1][archived]
Details: Integer overflow and signedness issue in camera JPEG engines (CVE-2013-4736) QCIR-2013-00005-1: The JPEG engines that are part of the camera driver provide an ioctl system call interface to user space clients for communication. When processing hardware command ioctl calls, the drivers incorrectly handle the number of commands included in the user space payload. This can lead to an integer overflow, which subsequently results in the driver attempting to process hardware commands from out-of-bounds memory and can cause the kernel to crash. The same code also suffered from incorrectly treating the number of hardware commands as signed. [QCIR-2013-00005-1]
Gemini JPEG encoder, Mercury JPEG decoder, and Jpeg1.0 common encoder/decoder contain an unspecified integer overflow condition during the handling of hardware command IOCTL calls that may allow a local attacker to cause a denial of service or potentially execute arbitrary code. [osvdb-96924]
Details: Stack-based buffer overflow and memory disclosure in camera driver QCIR-2013-00008-1: A stack-based buffer overflow and a kernel memory disclosure vulnerability have been discovered in the system call handlers of the camera driver. [QCIR-2013-00008-1][archived]
Discovered by: Jonathan Salwan of the Sysdream Security Lab [QCIR-2013-00008-1][archived] on: Unknown
Details: Multiple memory corruption issues and race condition in Goodix gt915 touchscreen driver procfs handler (CVE-2013-4740 CVE-2013-6122) QCIR-2013-00009-1: Multiple issues have been identified in the Goodix gt915 touchscreen driver for Android. The issues were found in the write handler of the procfs entry created by the driver, which by default is readable and writeable to users without any specific privileges. [QCIR-2013-00009-1][archived]
Discovered by: Jonathan Salwan of the Sysdream Security Lab [QCIR-2013-00009-1][archived] on: Unknown
Details: Out of bounds array access in camera driver (CVE-2013-6123): The camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_ioctl_server, msm_server_send_ctrl, and msm_ctrl_cmd_done functions use a user-supplied value as an index to the server_queue array for read and write operations without any boundary checks. A local application with access to the camera device nodes can use this flaw to, e.g., elevate privileges. [QCIR-2014-00001-1][archived]
Details: The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. [nvd-CVE-2014-0196]
Taking a look at the git history of the Linux kernel, it turns out that all kernels between c56a00a165712fd73081f40044b1e64407bb1875 (March 2012) and 64325a3be08d364a62ee8f84b2cf86934bc2544a (January 2013) are not affected by this vulnerability, as tty_insert_flip_string_fixed_flag() was internally locked there. [includesecurity-pty-race]
Fixed in 4291086b1f081b869c6d79e5b7441633dc3ace00 and present since d945cb9cce20ac7143c2de8d88b187f62db99bdc. [pty-race-patch]
Details: The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. [CVE-2014-3153]
Details: An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. [prctl-vma-bulletin]
Discovered by: Edward Huang [android-paper] on: Unknown
Details: A vulnerability in a modified kernel means that a series of exploits can be used to obtain access to the Trusted Execution Environment. [msm8974-pt1][archived]
Discovered by: Gal Beniamini (laginimaineb) [msm8974-pt3][archived] on: Unknown
Details: The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an 'I/O vector array overrun.' [CVE-2015-1805]
This is a known issue in the upstream Linux kernel that was fixed in April 2014 but wasn’t called out as a security fix and assigned CVE-2015-1805 until February 2, 2015. On February 19, 2016, C0RE Team notified Google that the issue could be exploited on Android and a patch was developed to be included in an upcoming regularly scheduled monthly update. On March 15, 2016 Google received a report from Zimperium that this vulnerability had been abused on a Nexus 5 device. Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges. [android-advisory-2016-03-18]
Details: An exploit which allows code execution within the TrustZone kernel. This may allow capturing of secret keys, disabling of hardware protection and unlocking of locked bootloaders. [trustzone-blog][archived]
Details: A race condition in the Linux kernel's handling of copy-on-write (COW) operations means that users can gain write access to otherwise read-only areas of memory and gain permissions. [dirtyc0w-redhat]