NULL pointer dereference in Google, Google Android

1) NULL pointer dereference

EUVDB-ID: #VU36642

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11904

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, asynchronous callbacks received a pointer to a callers local variable. Should the caller return early (e.g., timeout), the callback will dereference an invalid pointer.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://www.securityfocus.com/bid/107770
http://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0a755b400876ab4d58151e98462d3fa8fe099f61
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=00022c12e0cad8b735f94d6ee3785a557b4a3df2
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=3815e870ef906409af4a228f66d9400081227b75
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=667b3108d10e9580bf9f6d337c759dc88a1a0bdc
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=731ebf70a25ab2cdc32d2626dcebe60fe3b09481
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=85ea1c126b05f133206cd9c6d8d9fbf137d81d27
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=8ee65e3c9addab1d3c15ba013401f5698fb73594
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=9a8f1aeb8055de80137e769fae637cd480495509
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=a009a84d04bfac2a5c01101f38a70d216960fac0
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=a4b4267f94802e0a4d93999649710bbf340796d5
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=be70d02f12cb9a71a9b07b601f0efafc99718ec9
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=ebf1042efb9bd4517cd09a543bb4e3a164de8771
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=ec9896d0bc7521bbbe6dc28a198635dc281e7358
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=f9f86fd07af5606d0cb74c3eca5b2cbfda509345
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?h=wlan-cld2.driver.lnx.1.0.r21-rel&id=391d37818aaa8038a06662075dd8893501452931
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=106f5c62b01b5a212bb53d13e3a3e70db2baedee
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=174c053d1aa1bf5395647e3927d718255f3cbe75
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=17f6fbb4b52a6acdd831ebaffdac9bbc88d2f423
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=191f02a7ec2a4cccaebbdac8d36897e1ae125244
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=335ae3f8b353b6c7260eacb6aa706bb30f8a6bdc
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=3ea5197d268c6f4ed08fb866b587349f7049c6d5
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=4aa30844e28eb4b410f86d97e970a39fcdfd797d
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=4abed07fd2380b6073f5cc9f2a701773e914f86f
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=54e7d8fa44202a8528ef33d85381bca63d7749a5
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=57a5e1f62cd3230fd046b199eee902507100e18c
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=78a681f9d0d8e9843223dc42d02443e911b196a1
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=846f561170f0f4f6345d6b0ce1c35bf7059126cb
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=8dc81c98ed72c99983660d5b94c2c8283bc1ff7f
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=9048145ff167fb8f9f8d2a9845ee1d1b45c4884c
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=99c0ddb04e8de0b8139778c7fb77b1957d113769
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=9e040e43da5fe987747e16b305d7adf66977420f
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a978afb1838273e0d7a7ec86dd8bc9db85dff49d
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=b98f8aafb23cbc8e883870bcc9dac165b3d75ae6
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d42e72aa69a02531396b5a37cadebf927a757aa6
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=eb72224cc57092448663fecc2c9bfa0f775eb770
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=fb2f07b3b0d637a403bb891c57e76b6345a92cf0
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=002cb97a955832197f3ceebfa8b32bd12b946151
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=0c5a2ba407f23efd89cac6dc45e2ab9bdba3ada1
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=17275491f327909b32945ec1f465968021d22a7f
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=239aba9a1a4a474d86bde9cb67bfb1b2d6379a7c
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=7af334bfc3375c9f85a330b84db17c0db1d6dade
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=9ab5a5a0b63075cfd095ed6bcf506b4704c523e1
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a544494791b6307a2fe52fa282768083deb8a317
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a6ace5b9ea34f22b136a35248087efc2ceb35fd4
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c13bdf105aa20559d2d783508051ad2dd3cfa65b
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=dd9ae2971b493909879cc2fd0fa97d12e1560762
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=dda167ca8104de77f46fd29c66f66f807c63b309
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ee9797fbefb45eee88c92420a24cda838cff6b45
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=f11eeadd214e081a824f30aec5cb52d390ef576c
http://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=f7ee321d5f31ce5bc6a4cbec72a965d272b3b77b
http://www.codeaurora.org/security-bulletin/2018/09/04/september-2018-code-aurora-security-bulletin

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.