CVE-2021-35077: February 2022 Security Bulletin | Qualcomm
Possible use after free scenario in compute offloads to DSP while multiple calls spawn a dynamic process in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
Version 1.1
Published: 02/09/2022
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices…
Please reach out to [email protected] for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2021-30317, CVE-2021-30309, CVE-2021-30322, CVE-2021-30323
Peter Park (peterpark)
CVE-2021-35069
Gengjia Chen ( @chengjia4574 ) from IceSword Lab
CVE-2021-35077
Seonung Jang (@IFdLRx4At1WFm74) of STEALIEN
CVE-2021-30324, CVE-2021-30325
Bodong Zhao of NISL Lab, Tsinghua University
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software.
This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2021-30317 | Critical | Critical | KERNEL | 04/08/2021 |
| CVE-2021-30309 | High | High | UTILS | 03/01/2021 |
| CVE-2021-30318 | High | High | Automotive OS Platform Linux | Internal |
| CVE-2021-30322 | High | High | MCS | 05/09/2021 |
| CVE-2021-30323 | High | High | Multi-Mode Call Processor | 05/10/2021 |
| CVE-2021-30326 | High | High | NR5G | Internal |
CVE-2021-30317
CVE ID: CVE-2021-30317
Title: Improper Authentication in Kernel
Description: Improper validation of program headers containing ELF metadata can lead to image verification bypass
Technology Area: KERNEL
Vulnerability Type: CWE-287 Improper Authentication
Access Vector: Local
Security Rating: Critical
CVSS Rating: Critical
CVSS Score: 9.3
CVSS String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Date Reported: 04/08/2021
Customer Notified Date: 08/02/2021
Affected Chipsets*
AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, MDM9150, MDM9250, MDM9650, QCA6174A, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8337, QCA9377, QCA9984, QCM2290, QCM4290, QCM6125, QCM6490, QCN7605, QCN7606, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, SA415M, SA515M, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 675, SD 8cx Gen2, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD7c, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX12, SDX24, SDX55, SDX55M, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
CVE-2021-30309
CVE ID: CVE-2021-30309
Title: Buffer Copy Without Checking Size of Input in Modem
Description: Improper size validation of QXDM commands can lead to memory corruption
Technology Area: UTILS
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 7.8
CVSS String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Date Reported: 03/01/2021
Customer Notified Date: 08/02/2021
Affected Chipsets*
MDM9650, QCA6174A, QCA6390, QCA6391, QCA9377, QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SD660, SD665, SD690 5G, SD730, SD765, SD765G, SD768G, SD865 5G, SD870, SDX12, SDX55M, SDXR1, SM7250P, WCD9326, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6850, WCN6851, WSA8810, WSA8815, WSA8830, WSA8835
CVE-2021-30318
CVE ID: CVE-2021-30318
Title: Buffer Copy Without Checking Size of Input in Automotive Linux Platform
Description: Improper validation of input when provisioning the HDCP key can lead to memory corruption
Technology Area: Automotive OS Platform Linux
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 8.4
CVSS String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported: Internal
Customer Notified Date: 10/04/2021
Affected Chipsets*
APQ8009W, APQ8017, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, MDM9150, MDM9206, MDM9250, MDM9607, MDM9628, MSM8909W, MSM8996AU, QCA6174A, QCA6390, QCA6391, QCA6426, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9367, QCA9377, QCM2290, QCM4290, QCM6125, QCM6490, QCN9011, QCN9012, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCS8155, QCX315, QRB5165, QRB5165M, QRB5165N, QSW8573, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8 Gen1 5G, SD205, SD210, SD429, SD439, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDW2500, SDX12, SDX20, SDX24, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, WCD9330, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835
CVE-2021-30322
CVE ID: CVE-2021-30322
Title: Stack-based Buffer Overflow in Modem
Description: Possible out of bounds write due to improper validation of number of GPIOs configured in an internal parameters array
Technology Area: MCS
Vulnerability Type: CWE-121 Stack-based Buffer Overflow
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 7.8
CVSS String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Date Reported: 05/09/2021
Customer Notified Date: 08/02/2021
Affected Chipsets*
AQT1000, AR8035, CSRB31024, FSM10055, FSM10056, MDM9150, MDM9250, MDM9650, MDM9655, QCA6174A, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9377, QCM6125, QCM6490, QCS410, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, SA415M, SA515M, SD 675, SD 8 Gen1 5G, SD 8cx Gen2, SD480, SD660, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD7c, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX12, SDX20, SDX24, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
CVE-2021-30323
CVE ID: CVE-2021-30323
Title: Buffer Copy Without Checking Size of Input in Modem
Description: Improper validation of maximum size of data write to EFS file can lead to memory corruption
Technology Area: Multi-Mode Call Processor
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 7.8
CVSS String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Date Reported: 05/10/2021
Customer Notified Date: 08/02/2021
Affected Chipsets*
APQ8009W, APQ8017, APQ8053, APQ8096AU, AQT1000, CSRB31024, MDM8207, MDM9150, MDM9205, MDM9206, MDM9207, MDM9250, MDM9607, MDM9628, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8953, MSM8996AU, QCA4004, QCA6174A, QCA6420, QCA6430, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6696, QCA9367, QCA9377, QCM2290, QCM4290, QCM6125, QCS2290, QCS410, QCS4290, QCS610, QCS6125, QET4101, QSW8573, Qualcomm215, SA415M, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 675, SD 8cx Gen2, SD205, SD210, SD429, SD439, SD660, SD665, SD675, SD678, SD720G, SD730, SD7c, SD845, SD850, SD855, SDA429W, SDM429W, SDW2500, SDX12, SDX20, SDX24, SDXR1, SM6250, SM6250P, WCD9306, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WSA8810, WSA8815
CVE-2021-30326
CVE ID: CVE-2021-30326
Title: Reachable Assertion in Modem
Description: Possible assertion due to improper size validation while processing the DownlinkPreemption IE in an RRC Reconfiguration/RRC Setup message
Technology Area: NR5G
Vulnerability Type: CWE-617 Reachable Assertion
Access Vector: Remote
Security Rating: High
CVSS Rating: High
CVSS Score: 7.5
CVSS String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported: Internal
Customer Notified Date: 08/02/2021
Affected Chipsets*
AR8035, QCA6390, QCA6391, QCA6426, QCA6436, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM6490, QCS6490, QCX315, SA515M, SD 8 Gen1 5G, SD480, SD690 5G, SD750G, SD765, SD765G, SD768G, SD778G, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR2 5G, SM6375, SM7250P, SM7315, SM7325P, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
*The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software.
This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2021-35068 | High | High | Bluetooth HOST | Internal |
| CVE-2021-35069 | High | High | WLAN Host Communication | 07/16/2021 |
| CVE-2021-35074 | High | High | Kernel | Internal |
| CVE-2021-35075 | High | High | Kernel | Internal |
| CVE-2021-35077 | High | High | DSP Service | 08/01/2021 |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2021-30324 | Medium | Medium | Core Services | 04/01/2021 |
| CVE-2021-30325 | Medium | Medium | Core Services | 04/08/2021 |
CVE-2021-35068
CVE ID: CVE-2021-35068
Title: NULL Pointer Dereference in Bluetooth Host
Description: Lack of null check while freeing the device information buffer in the Bluetooth HFP protocol can lead to a NULL pointer dereference
Technology Area: Bluetooth HOST
Vulnerability Type: CWE-476 NULL Pointer Dereference
Access Vector: Remote
Security Rating: High
CVSS Rating: High
CVSS Score: 8.4
CVSS String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported: Internal
Customer Notified Date: 10/04/2021
Affected Chipsets*
APQ8009W, AQT1000, AR8031, CSRA6620, CSRA6640, MSM8909W, QCA6174A, QCA6390, QCA6391, QCA6426, QCA6436, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA9377, QCM2290, QCM4290, QCM6125, QCN9011, QCN9012, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QRB5165, QRB5165M, QRB5165N, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8 Gen1 5G, SD429, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM429W, SDW2500, SDX20, SDX55M, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835
Patch**
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/system/bt/commit/?id=ef43deea3f1408b249a59ba8a8bfafdaeec025fb
CVE-2021-35069
CVE ID: CVE-2021-35069
Title: Integer Overflow or Wraparound in WLAN
Description: Improper validation of data length received from DMA buffer can lead to memory corruption.
Technology Area: WLAN Host Communication
Vulnerability Type: CWE-190 Integer Overflow or Wraparound
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 7.8
CVSS String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Date Reported: 07/16/2021
Customer Notified Date: 11/01/2021
Affected Chipsets*
APQ8096AU, AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MSM8996AU, PMP8074, QCA4024, QCA6175A, QCA6390, QCA6391, QCA6426, QCA6428, QCA6436, QCA6438, QCA6554A, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCM6125, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6100, QCN6102, QCN6112, QCN6122, QCN6132, QCN9000, QCN9011, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS405, QCS410, QCS4290, QCS610, QCS6125, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8 Gen1 5G, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, WCD9326, WCD9335, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=4fbee7311baa3fc198f320f01c469326312863c0
CVE-2021-35074
CVE ID: CVE-2021-35074
Title: Integer Overflow or Wraparound in Kernel
Description: Possible integer overflow due to improper fragment datatype while calculating number of fragments in a request message
Technology Area: Kernel
Vulnerability Type: CWE-190 Integer Overflow or Wraparound
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 8.4
CVSS String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported: Internal
Customer Notified Date: 11/01/2021
Affected Chipsets*
AR8035, QCA6174A, QCA6391, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9377, QCM6490, QCS6490, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 8 Gen1 5G, SD480, SD888 5G, SDX12, SDX65, SM6375, WCD9335, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=b8f8e895b6b715360e79c51e2cd50b27ce2005b3
CVE-2021-35075
CVE ID: CVE-2021-35075
Title: NULL Pointer Dereference in Kernel
Description: Possible null pointer dereference due to lack of WDOG structure validation during registration
Technology Area: Kernel
Vulnerability Type: CWE-476 NULL Pointer Dereference
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 8.4
CVSS String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported: Internal
Customer Notified Date: 11/01/2021
Affected Chipsets*
AR8035, QCA6174A, QCA6391, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9377, QCM6490, QCS6490, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 8 Gen1 5G, SD480, SD778G, SD780G, SD888, SD888 5G, SDX12, SDX65, SM6375, SM7315, SM7325P, WCD9335, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=8bbe418836192817143685077cfca76b92811a6f
CVE-2021-35077
CVE ID: CVE-2021-35077
Title: Use After Free in DSP Services
Description: Possible use after free scenario in compute offloads to DSP while multiple calls spawn a dynamic process
Technology Area: DSP Service
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
CVSS Rating: High
CVSS Score: 8.4
CVSS String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported: 08/01/2021
Customer Notified Date: 11/01/2021
Affected Chipsets*
AR8035, QCA6174A, QCA6390, QCA6391, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9377, QCM2290, QCM4290, QCM6490, QCS2290, QCS4290, QCS6490, QRB5165, QRB5165M, QRB5165N, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 8 Gen1 5G, SD460, SD480, SD662, SD690 5G, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD865 5G, SD870, SD888, SD888 5G, SDX12, SDX55M, SDX65, SM6225, SM6375, SM7250P, SM7315, SM7325P, WCD9335, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=0250c674ae086eac6ab7432b8b0ace1b434ec2d2
CVE-2021-30324
CVE ID: CVE-2021-30324
Title: Buffer Copy Without Checking Size of Input in Core Services
Description: Possible out of bound write due to lack of boundary check for the maximum size of buffer when sending a DCI packet to remote process
Technology Area: Core Services
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
CVSS Rating: Medium
CVSS Score: 6.7
CVSS String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Date Reported: 04/01/2021
Customer Notified Date: 08/02/2021
Affected Chipsets*
APQ8096AU, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MDM9150, PMP8074, QCA4024, QCA6390, QCA6391, QCA6426, QCA6428, QCA6436, QCA6438, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6122, QCN6132, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS405, QCS410, QCS603, QCS605, QCS610, QRB5165, QRB5165M, QRB5165N, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD205, SD210, SD460, SD662, SD665, SD690 5G, SD750G, SD765, SD765G, SD768G, SD865 5G, SD870, SDA429W, SDX55, SDX55M, SDXR2 5G, SM6225, SM7250P, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6850, WCN6851, WSA8810, WSA8815, WSA8830, WSA8835
Patch**
- https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=4403ee907e7f3a50a559a3b2d57bf2eeed192968
CVE-2021-30325
CVE ID: CVE-2021-30325
Title: Improper Validation of Array Index in Core Services
Description: Possible out of bound access of DCI resources due to lack of validation process and resource allocation
Technology Area: Core Services
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: Medium
CVSS Rating: Medium
CVSS Score: 6.7
CVSS String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Date Reported: 04/08/2021
Customer Notified Date: 08/02/2021
Affected Chipsets*
APQ8096AU, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MDM9150, MDM9206, PMP8074, QCA4024, QCA6390, QCA6391, QCA6426, QCA6428, QCA6436, QCA6438, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9367, QCA9377, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9986, QCA9988, QCA9990, QCA9992, QCA9994, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5502, QCN5550, QCN6023, QCN6024, QCN6122, QCN6132, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS405, QCS410, QCS603, QCS605, QCS610, QRB5165, QRB5165M, QRB5165N, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD205, SD210, SD460, SD662, SD665, SD765, SD765G, SD768G, SD865 5G, SD870, SDA429W, SDX55, SDX55M, SDXR2 5G, SM6225, SM7250P, WCD9330, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6850, WCN6851, WSA8810, WSA8815
Patch**
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=2cbf5fb19a3cc9ccf7afb0e69e7add512046dad2
* The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.
** Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
|---|---|---|
| 1.0 | February 7, 2022 | Bulletin Published |
| 1.1 | February 9, 2022 | Revised credit for CVE-2021-35077 |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
Qualcomm Technologies, Inc.
5775 Morehouse Drive
San Diego, CA 92121
U.S.A.
© 2019 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.