Memory corruption while processing IOCTL calls.
Possible out of bounds access due to improper input validation during graphics profiling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Possible out of bounds read due to improper typecasting while handling page fault for global memory in Snapdragon Connectivity, Snapdragon Mobile
Out of bound memory access while processing ese transmit command due to passing Response buffer received from user in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8098, IPQ6018, Kamorta, MDM9150, MDM9205, MDM9607, MDM9650, MSM8909, MSM8998, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Memory corruption in Graphics while importing a file.
Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.
Memory corruption in Trusted Execution Environment while calling service API with invalid address.
Memory corruption in WLAN due to incorrect type cast while sending WMI_SCAN_SCH_PRIO_TBL_CMDID message.
Memory corruption due to incorrect type conversion or cast in audio while using audio playback/capture when crafted address is sent from AGM IPC to AGM.
Memory corruption in display driver due to incorrect type casting while accessing the fence structure fields
Memory corruption in multimedia due to incorrect type conversion while adding data in Snapdragon Auto
Incorrect pointer argument passed to trusted application TA could result in un-intended memory operations in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT
Memory corruption in Audio due to incorrect type cast during audio use-cases.
In function msm_pcm_playback_close() in all Android releases from CAF using the Linux kernel, prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions that access the same memory (substream->runtime->private_data) with a NULL check, such as msm_pcm_volume_ctl_put(), which means this freed memory could be used.
In all Android releases from CAF using the Linux kernel, while processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs.
Memory corruption may occur while accessing a variable during extended back to back tests.
Memory corruption while operating the mailbox in Automotive.
Memory corruption may occur in keyboard virtual device due to guest VM interaction.
Memory corruption while doing Escape call when user provides valid kernel address in the place of valid user buffer address.
Memory corruption may occur while attaching VM when the HLOS retains access to VM.
Memory corruption while processing multiple IOCTL calls from HLOS to DSP.
Memory corruption in Camera due to unusually high number of nodes passed to AXI port.
Memory corruption while Invoking IOCTL calls from user-space to validate FIPS encryption or decryption functionality.
Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling.
Memory corruption can occur in the camera when an invalid CID is used.
Memory corruption while processing IOCTL from user space to handle GPU AHB bus error.
Out of bound write in TZ while copying the secure dump structure on HLOS provided buffer as a part of memory dump in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, Snapdragon_High_Med_2016, SXR1130
Buffer overflow due to improper validation of buffer size while IPA driver processing to perform read operation in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Memory Corruption in WLAN HOST while fetching TX status information.
Memory corruption while invoking IOCTL calls from userspace to camera kernel driver to dump request information.
Memory corruption may occur when invoking IOCTL calls from userspace to the camera kernel driver to dump request information, due to a missing memory requirement check.
Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space.
Memory corruption may occour while generating test pattern due to negative indexing of display ID.
Memory corruption while handling schedule request in Camera Request Manager(CRM) due to invalid link count in the corresponding session.
Memory corruption while handling multiple IOCTL calls from userspace to operate DMA operations.
Memory corruption can occur when a compat IOCTL call is followed by a normal IOCTL call from userspace.
Memory corruption while handling multuple IOCTL calls from userspace for remote invocation.
Memory corruption when IOCTL call is invoked from user-space to read board data.
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
Memory corruption during voice activation, when sound model parameters are loaded from HLOS, and the received sound model list is empty in HLOS drive.
Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node.
Memory corruption occurs during the copying of read data from the EEPROM because the IO configuration is exposed as shared memory.
Memory corruption while processing API calls to NPU with invalid input.
Memory corruption when invalid input is passed to invoke GPU Headroom API call.
Buffer overwrite in the WLAN host driver by leveraging a compromised WLAN FW
Possible buffer overflow in voice service due to lack of input validation of parameters in QMI Voice API in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Memory corruption while maintaining memory maps of HLOS memory.
Memory corruption while invoking IOCTL calls from user space to issue factory test command inside WLAN driver.
Memory corruption while processing command in Glink linux.
Memory corruption while invoking IOCTL calls from user space to read WLAN target diagnostic information.