CVE-2017-17766

Vulnerability

In wma_peer_info_event_handler() for Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-03, the value of num_peers received from firmware is not properly validated. This integer overflow vulnerability in the size of a buffer allocation may potentially lead to a buffer overflow [1]. Affected platforms include devices using Qualcomm components, as described in the Pixel/Nexus Security Bulletin—February 2018 [1].

Exploitation

An attacker needs the ability to send a crafted firmware message with a large num_peers value to the vulnerable handler. This would trigger an integer overflow during buffer size calculation, causing a heap buffer overflow. The attack requires the attacker to have local access and the ability to interact with the firmware interface [1]. No additional authentication or user interaction beyond normal device operation is specified.

Impact

Successful exploitation can lead to privilege escalation, potentially allowing an attacker to execute arbitrary code in the context of the kernel or gain elevated system privileges. The overflow can corrupt adjacent heap memory, leading to code execution or denial of service [1].

Mitigation

The issue was fixed in the Android for MSM, Firefox OS for MSM, and QRD Android code bases before 2017-10-03 [1]. Mitigation is included in the Android security patch level of 2018-02-05 for Pixel and Nexus devices [1]. Users should apply the latest security updates from their device manufacturer.