CVE-2017-11093

Vulnerability

In the Android kernel for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, the display driver fails to validate the upper bound of the num_of_cea_blocks value read from an untrusted EDID (Extended Display Identification Data) source. This allows a buffer over-read condition. The EDID is typically provided by an external display device. The affected versions include all Android releases from CAF using the Linux kernel up to the November 2017 Pixel/Nexus Security Bulletin.

Exploitation

An attacker must be able to supply a malicious EDID to a device, which can occur when connecting a compromised or crafted external display. No additional authentication or user interaction is required beyond connecting the display. The driver reads the untrusted num_of_cea_blocks value without a proper upper bound check, causing the kernel to read beyond the intended buffer boundary.

Impact

A successful buffer over-read can expose kernel memory contents to an attacker, potentially leaking sensitive information. This is a confidentiality impact. The exact scope of leaked memory depends on the kernel layout at the time of the operation. Denial of service or code execution are not described in the available references.

Mitigation

Google addressed this issue in the Pixel/Nexus Security Bulletin dated November 2017 with the November 5, 2017 security patch level, as indicated in Reference [1]. Users should apply the Android security update of November 2017 or later. There is no known workaround other than keeping the device updated.