Unrated severity · NVD Advisory · Published Apr 18, 2018 · Updated Sep 16, 2024

CVE-2016-10474

Description

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear IPQ4019, MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, and SD 850, if the buffer length passed to the RIL interface is too large, the buffer size calculation may overflow, resulting in an undersize allocation for the buffer, and subsequently buffer overwrite.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An overflow in the RIL interface's buffer size calculation on Qualcomm Snapdragon SoCs, in Android before the April 2018 security patch, leads to an undersized allocation and a buffer overwrite.

Vulnerability

In Android versions prior to the 2018-04-05 security patch level on Qualcomm Snapdragon Automobile, Mobile, and Wear SoCs (IPQ4019, MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, and SD 850), the RIL interface contains a buffer size calculation overflow. If a buffer length passed to the interface is too large, the calculation may overflow, resulting in an undersized allocation for the buffer and subsequently a buffer overwrite [1].
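
The failure mode described above, as an added C example that is not Qualcomm's or Android's RIL code. The size formula (payload length plus a fixed header), the 32-bit width, and every name here are assumptions chosen to show how the calculation wraps and how a bounds check stops the undersized allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed header that precedes the payload (assumption, not from the RIL code). */
#define HDR_SIZE 16u

/* Unchecked form: 32-bit arithmetic silently wraps when len is close to UINT32_MAX,
 * so the computed allocation size ends up far smaller than len. */
uint32_t unchecked_alloc_size(uint32_t len)
{
    return len + HDR_SIZE;
}

/* Checked form: writes the size to *out and returns 0, or returns -1 when the
 * length exceeds the caller's policy limit or the addition would wrap. */
int checked_alloc_size(uint32_t len, uint32_t max_len, uint32_t *out)
{
    if (len > max_len)                  /* policy bound on message size */
        return -1;
    if (len > UINT32_MAX - HDR_SIZE)    /* arithmetic bound: addition would wrap */
        return -1;
    *out = len + HDR_SIZE;
    return 0;
}

/* Copy a caller-supplied payload behind a zeroed header. The allocation size
 * and the copy length come from the same validated value, so they cannot disagree. */
uint8_t *copy_message(const uint8_t *src, uint32_t len, uint32_t max_len)
{
    uint32_t total;

    if (src == NULL || checked_alloc_size(len, max_len, &total) != 0)
        return NULL;

    uint8_t *buf = calloc(1, total);
    if (buf == NULL)
        return NULL;

    memcpy(buf + HDR_SIZE, src, len);
    return buf;
}
```
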

Exploitation

An attacker with access to the RIL interface can exploit this vulnerability by providing an excessively large buffer length. This may require local access or specific system permissions, as the RIL interface is typically accessible to applications with telephony privileges. The attacker can trigger the overflow by sending a crafted input to the vulnerable function, causing the buffer size calculation to wrap around and allocate a smaller buffer than needed [1].

Impact

Successful exploitation leads to a buffer overwrite, which can corrupt memory. This may allow an attacker to execute arbitrary code, cause a denial of service (system crash), or potentially gain elevated privileges. The impact is limited to the context of the RIL process, but could affect telephony services and system stability [1].

Mitigation

The vulnerability is fixed in the Android security patch level dated 2018-04-05. Users should ensure their devices have received the latest OTA update from their manufacturer. No workarounds are mentioned in the reference [1]. Devices that have reached end-of-life may not receive patches.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
