CVE-2018-5848

Description

In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.

CVSS Metrics

• v3.0•HIGH•Score: 7.8CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.15%• Percentile: 36%

Techniques & Countermeasures

• CWE-119•Improper Restriction of Operations within the Bounds of a Memory Buffer

  The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

• CWE-190•Integer Overflow or Wraparound

  The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Affected Systems

• debian•debian_linux

  8.0

• google•android

  na

• qualcomm, inc.•android for msm, firefox os for msm, qrd android

  All Android releases from CAF using the Linux kernel

• redhat•enterprise_linux_desktop

  7.0

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_workstation

  7.0

• redhat•virtualization_host

  4.0

References (8)

• https://access.redhat.com/errata/RHSA-2018:3083
• https://access.redhat.com/errata/RHSA-2018:2948
• https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2
• https://access.redhat.com/errata/RHSA-2018:3096
• https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html
• https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
• https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
• https://source.android.com/security/bulletin/pixel/2018-05-01