Memory corruption while Invoking IOCTL calls from user-space to validate FIPS encryption or decryption functionality.
Memory corruption may occur while generating a test pattern due to negative indexing of the display ID.
Memory corruption during voice activation, when sound model parameters are loaded from HLOS to ADSP.
Memory corruption while parsing sensor packets in the camera driver: a user-space variable is used while allocating memory in the kernel and during parsing, which can lead to a huge allocation or invalid memory access.
Memory corruption while invoking IOCTL command from user-space, when a user modifies the original packet size of the command after system properties have been already sent to the EVA driver.
Memory corruption when the payload received from firmware is not as per the expected protocol size.
Memory corruption while processing the event ring: the context read pointer is untrusted to HLOS, and when it is passed with arbitrary values it may point to an address in the middle of a ring element.
Memory corruption in WLAN HAL while passing command parameters through WMI interfaces.
Arbitrary memory overwrite when a VM is compromised in TX write, leading to memory corruption.
Memory corruption in the video driver due to a type confusion error during video playback.
Memory corruption in the modem due to use of an out-of-range pointer offset while processing a QMI message.
Memory corruption in the modem due to use of an out-of-range pointer offset in UIM.
Memory corruption in Audio due to use of an out-of-range pointer offset while initiating a voice call session from user space with an invalid session ID.
Memory corruption when malformed message payload is received from firmware.
Memory corruption in Audio while calling START command on host voice PCM multiple times for the same RX or TX tap points.
Memory corruption in Audio while running invalid audio recording from ADSP.
Memory corruption in Audio during playback with speaker protection.
The session index variable in the PCM host voice audio driver is initialized before PCM open, accessed during the event callback from ADSP, and reset during PCM close. This may lead to a race condition between the event callback and the PCM close that resets the session index, causing memory corruption.
Memory corruption in Audio while processing RT proxy port register driver.
Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
Memory corruption can occur when TME processes addresses from TZ and MPSS requests without proper validation.
Memory corruption may occur during IO configuration processing when the IO port count is invalid.
Memory corruption when input parameter validation for the number of fences is missing for fence frame IOCTL calls.
In function msm_pcm_playback_close() in all Android releases from CAF using the Linux kernel, prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions that access the same memory (substream->runtime->private_data) with a NULL check, such as msm_pcm_volume_ctl_put(), which means this freed memory could be used.
In all Android releases from CAF using the Linux kernel, while processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs.
Memory corruption may occur while accessing a variable during extended back to back tests.
Memory corruption while operating the mailbox in Automotive.
Memory corruption may occur in keyboard virtual device due to guest VM interaction.
Memory corruption while doing an Escape call when the user provides a valid kernel address in place of a valid user buffer address.
Memory corruption may occur while attaching VM when the HLOS retains access to VM.
Memory corruption while processing multiple IOCTL calls from HLOS to DSP.
Memory corruption in Camera due to an unusually high number of nodes passed to the AXI port.
Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling.
Memory corruption can occur in the camera when an invalid CID is used.
Memory corruption while processing IOCTL from user space to handle GPU AHB bus error.
Out-of-bounds write in TZ while copying the secure dump structure to an HLOS-provided buffer as part of a memory dump in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, Snapdragon_High_Med_2016, SXR1130.
Buffer overflow due to improper validation of buffer size while the IPA driver processes a read operation in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24.
Memory corruption in WLAN HOST while fetching TX status information.
Memory corruption while invoking IOCTL calls from userspace to camera kernel driver to dump request information.
Memory corruption may occur when invoking IOCTL calls from userspace to the camera kernel driver to dump request information, due to a missing memory requirement check.
Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space.
Memory corruption while handling a schedule request in Camera Request Manager (CRM) due to an invalid link count in the corresponding session.
Memory corruption while handling multiple IOCTL calls from userspace to operate DMA operations.
Memory corruption can occur when a compat IOCTL call is followed by a normal IOCTL call from userspace.
Memory corruption while handling multiple IOCTL calls from userspace for remote invocation.
Memory corruption when IOCTL call is invoked from user-space to read board data.
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
Memory corruption during voice activation, when sound model parameters are loaded from HLOS and the received sound model list is empty in the HLOS driver.
Memory corruption while invoking IOCTL calls from user-space for the HGSL memory node.
Memory corruption occurs during the copying of read data from the EEPROM because the IO configuration is exposed as shared memory.