CVE-2015-9180
Description
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, and SD 850, the response pointer passed from user space to SDMX_process is not checked before it is used. If the given response buffer length is smaller than 16 bytes, the response values will be written to memory outside the buffer, possibly in the secure memory area.
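The kind of validation the description says is missing, as an added C example (not Qualcomm's or Android's code, and not the actual fix). The names `ns_window`, `resp_buf_ok`, `write_response` and `try_request`, the single non-secure window model and the 64-byte arena are all hypothetical and constructed for illustration; only the 16-byte response size comes from the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_LEN 16u /* response size given in the CVE description */

/* Hypothetical: one contiguous non-secure window callers may point into. */
struct ns_window { uintptr_t base; size_t size; };

/* Constructed memory: first 32 bytes non-secure, last 32 stand in for secure. */
static uint8_t arena[64];

/* Accept only a buffer that holds a full response and lies wholly inside the
 * window. No addr + len is computed, so the check cannot wrap around. */
static int resp_buf_ok(const struct ns_window *w, uintptr_t addr, size_t len)
{
    if (addr == 0 || len < RESP_LEN) return 0;  /* reject undersized buffers */
    if (addr < w->base) return 0;
    size_t off = (size_t)(addr - w->base);
    if (off > w->size) return 0;
    return len <= w->size - off;
}

/* Hypothetical handler: validate first, then write exactly RESP_LEN bytes. */
static int write_response(const struct ns_window *w, void *resp, size_t len)
{
    static const uint8_t values[RESP_LEN] = { 0xAA, 0xBB, 0xCC, 0xDD };
    if (!resp_buf_ok(w, (uintptr_t)resp, len)) return -1;
    memcpy(resp, values, RESP_LEN);
    return 0;
}

/* One request at arena+off: -1 = rejected, 0 = written, 1 = secure half hit. */
static int try_request(size_t off, size_t len)
{
    struct ns_window w = { (uintptr_t)arena, 32 };
    memset(arena, 0, sizeof arena);
    int rc = write_response(&w, arena + off, len);
    for (size_t i = 32; i < sizeof arena; i++)
        if (arena[i] != 0) return 1;
    return rc;
}

int main(void)
{
    printf("8-byte buffer at end of window: %d\n", try_request(24, 8));
    printf("16-byte buffer inside window:   %d\n", try_request(8, 16));
    return 0;
}
```

The length test alone is not enough: a caller can claim 16 bytes at an address where fewer than 16 remain in the non-secure window, which is why the range check is done as well.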
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Android on Qualcomm SoCs, an unchecked response pointer in SDMX_process allows out-of-bounds write to secure memory.
Vulnerability
In Android on Qualcomm Snapdragon Automobile, Mobile, and Wear platforms (MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, and SD 850) before the 2018-04-05 security patch level, the SDMX_process function does not validate the response pointer passed from user space. If the caller provides a response buffer with a length smaller than 16 bytes, the function writes response values to memory outside the buffer, potentially into the secure memory area [1].
Exploitation
An attacker with the ability to invoke the SDMX_process system call can supply a crafted response buffer whose length is less than 16 bytes. No physical access or elevated permissions are needed; the user-space program merely passes an undersized buffer to the driver, triggering an out-of-bounds write. The vulnerability is reachable without any additional user interaction beyond executing the malicious program [1].
Impact
Successful exploitation results in an out-of-bounds write of up to 16 bytes of attacker-controlled data to memory outside the intended buffer. Because the write can land in secure memory areas, the attacker may be able to corrupt trusted execution environment (TEE) data or elevate privileges. The exact impact varies by platform, but it includes potential information disclosure, denial of service, or arbitrary code execution in a privileged context [1].
Mitigation
Google released an Android security patch level dated 2018-04-05 or later that addresses this issue. Qualcomm also published a closed-source fix. Users should apply the Android Security Bulletin—April 2018 update [1]. No workaround is available; updating to the patched build is the only mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Qualcomm, Inc./Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear (v5). Range: MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/103671 (mitre; vdb-entry; x_refsource_BID)
- source.android.com/security/bulletin/2018-04-01 (mitre; x_refsource_CONFIRM)