Possible use after free when process shell memory is freed using IOCTL call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Possible out of bound access due to lack of validation of page offset before page is inserted in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
Possible out of bounds write due to improper validation of number of GPIOs configured in an internal parameters array in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
Possible integer overflow in page alignment interface due to lack of address and size validation before alignment in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
A stack-based buffer overflow exists in the initialization of the identification stage due to lack of check on the number of templates provided. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8096, APQ8096AU, MDM9205, MSM8996, MSM8996AU, Nicobar, QCS404, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130
Certain unprivileged processes are able to perform IOCTL calls.
In function msm_pcm_playback_close() in all Android releases from CAF using the Linux kernel, prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions that access the same memory (substream->runtime->private_data) with a NULL check, such as msm_pcm_volume_ctl_put(), which means this freed memory could be used.
In all Android releases from CAF using the Linux kernel, while processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs.
Improper permissions in XBL_SEC region enable user to update XBL_SEC code and data and divert the RAM dump path to normal cold boot path in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in Kamorta, MSM8998, QCS404, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130, SXR2130
u'Lack of check that the current received data fragment size of a particular packet that are read from shared memory are less than the actual packet size can lead to memory corruption and potential information leakage' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Memory corruption while IOCLT is called when device is in invalid state and the WMI command buffer may be freed twice.
Memory corruption while station LL statistic handling.
Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node.
Memory corruption while processing concurrent IOCTL calls.
Memory corruption while processing input parameters for any IOCTL call in the JPEG Encoder driver.
Memory corruption while invoking IOCTL calls from user-space to kernel-space to handle session errors.
Memory corruption while configuring a Hypervisor based input virtual device.
Memory corruption while processing frame packets.
Memory corruption while handling IOCTL calls in JPEG Encoder driver.
Memory corruption while processing voice packet with arbitrary data received from ADSP.
Memory corruption while parsing the memory map info in IOCTL calls.
Memory corruption while processing IOCTL call for getting group info.
Memory corruption while processing GPU page table switch.
Memory corruption while processing GPU commands.
Memory corruption while registering a buffer from user-space to kernel-space using IOCTL calls.
Memory corruption while allocating memory in HGSL driver.
Memory corruption can occur when arbitrary user-space app gains kernel level privilege to modify DDR memory by corrupting the GPU page table.
Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory buffers are performed at the same time.
Memory corruption during the handshake between the Primary Virtual Machine and Trusted Virtual Machine.
Memory corruption when two threads try to map and unmap a single node simultaneously.
Memory corruption when user provides data for FM HCI command control operations.
Memory corruption when Alternative Frequency offset value is set to 255.
Memory corruption while processing IOCTL calls to unmap the buffers.
Memory corruption while passing untrusted/corrupted pointers from DSP to EVA.
Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events.
Memory corruption while invoking IOCTL calls to unmap the DMA buffers.
Memory corruption when input parameter validation for number of fences is missing for fence frame IOCTL calls,
Memory corruption while taking snapshot when an offset variable is set by camera driver.
Memory corruption while processing IOCTL call to set metainfo.
Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.
Memory corruption while processing frame command IOCTL calls.
Memory corruption when BTFM client sends new messages over Slimbus to ADSP.
Memory corruption while Configuring the SMR/S2CR register in Bypass mode.
Memory corruption while running NPU, when NETWORK_UNLOAD and (NETWORK_UNLOAD or NETWORK_EXECUTE_V2) commands are submitted at the same time.
Memory corruption when there is failed unmap operation in GPU.
Memory corruption in Audio while running invalid audio recording from ADSP.
Memory corruption while invoking callback function of AFE from ADSP.
Memory corruption in Audio while processing the VOC packet data from ADSP.
Memory corruption in Trusted Execution Environment while deinitializing an object used for license validation.
Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.