CVE-2017-18050
Description
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for vdev_map in wma_tbttoffset_update_event_handler(), which is received from firmware, leads to potential buffer overwrite and out of bounds memory read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in WLAN driver's wma_tbttoffset_update_event_handler allows buffer overwrite and OOB read via crafted firmware event.
Vulnerability
An improper input validation vulnerability exists in the Qualcomm WLAN driver (qcacld) shipped in Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel. The flaw is in wma_tbttoffset_update_event_handler(), which processes the vdev_map field of a TBTT-offset update event received from the WLAN firmware. The handler uses vdev_map to select per-vdev driver state without checking that the value stays within the range of vdevs the driver actually tracks, so an out-of-range value leads to a buffer overwrite and an out-of-bounds memory read in kernel memory. Google lists the issue in the March 2018 Pixel/Nexus Security Bulletin [1]; the fix is carried in the qcacld-3.0 tree at CodeAurora [2].
Exploitation
The event is generated by the WLAN firmware, not the cellular baseband, so the attacker must be in a position to control what the WLAN firmware hands to the host driver, for example by running compromised or malicious WLAN firmware or by injecting into the firmware-to-host event path. No authentication or user interaction is required beyond that: the handler does not bound-check vdev_map before using it, so a single crafted wma_tbttoffset_update_event with an out-of-range vdev_map triggers the memory corruption. The host driver treats the firmware as a trusted source, which is exactly the assumption the bug class breaks; firmware-supplied indices and bitmaps have to be validated in the host handler like any other untrusted input.
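The pattern described above, as an added example that is not qcacld-3.0 source and not the vendor's fix: a constructed model in which vdev_map is assumed to be a bitmap (bit i set meaning vdev i carries an offset), the driver tracks an assumed WMA_MAX_VDEV of four vdevs, and the event and state structures, function names and values are all invented for illustration. The unchecked handler indexes per-vdev storage for every set bit and so writes past the array when a high bit is set; the checked handler rejects the whole event before touching any state.

```c
/* Added example: a constructed model of the CVE-2017-18050 bug class, not
 * qcacld-3.0 code. Names, sizes and the bitmap layout are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WMA_MAX_VDEV 4u           /* assumed number of vdevs the driver tracks */

struct tbttoffset_event {         /* assumed shape of the firmware event */
    uint32_t vdev_map;            /* bitmap: bit i set == vdev i carries an offset */
    uint32_t tbttoffset_list[32]; /* one entry per set bit, in ascending vdev order */
};

struct wma_state {                /* per-vdev driver state indexed by vdev id */
    uint32_t tbtt_offset[WMA_MAX_VDEV];
    uint32_t canary;              /* placed right after the array so an overwrite is visible */
};

/* Vulnerable shape: trusts vdev_map and indexes per-vdev storage for every set bit. */
static int tbttoffset_handler_unchecked(struct wma_state *wma,
                                        const struct tbttoffset_event *ev)
{
    uint32_t map = ev->vdev_map;
    unsigned vdev_id = 0, i = 0;

    for (; map; map >>= 1, vdev_id++) {
        if (!(map & 1u))
            continue;
        /* vdev_id is never compared with WMA_MAX_VDEV: bit 4 or above writes past the array */
        wma->tbtt_offset[vdev_id] = ev->tbttoffset_list[i++];
    }
    return 0;
}

/* Validate the firmware-supplied bitmap: no bit may sit at or above the vdev count. */
static int vdev_map_is_valid(uint32_t map)
{
    return (map >> WMA_MAX_VDEV) == 0;
}

/* Hardened shape: drop the whole event if any bit falls outside the vdev range. */
static int tbttoffset_handler_checked(struct wma_state *wma,
                                      const struct tbttoffset_event *ev)
{
    uint32_t map = ev->vdev_map;
    unsigned vdev_id = 0, i = 0;

    if (!vdev_map_is_valid(map))
        return -EINVAL;           /* reject before any per-vdev access; state untouched */

    for (; map; map >>= 1, vdev_id++) {
        if (!(map & 1u))
            continue;
        wma->tbtt_offset[vdev_id] = ev->tbttoffset_list[i++];
    }
    return 0;
}

int main(void)
{
    /* Constructed events: a legitimate one for vdevs 0 and 2, and a crafted one with bit 4 set. */
    struct tbttoffset_event good = { .vdev_map = 0x5u, .tbttoffset_list = { 100, 200 } };
    struct tbttoffset_event bad  = { .vdev_map = 0x10u, .tbttoffset_list = { 0x41414141u } };
    struct wma_state wma = { .canary = 0xCAFEBABEu };
    int rc;

    rc = tbttoffset_handler_checked(&wma, &good);
    printf("checked/good  -> %d, canary 0x%08x\n", rc, wma.canary);
    rc = tbttoffset_handler_checked(&wma, &bad);
    printf("checked/bad   -> %d, canary 0x%08x\n", rc, wma.canary);
    /* Undefined behaviour by construction: on this layout the stray write typically
     * lands on the canary, which is the "buffer overwrite" the advisory describes. */
    rc = tbttoffset_handler_unchecked(&wma, &bad);
    printf("unchecked/bad -> %d, canary 0x%08x\n", rc, wma.canary);
    return 0;
}
```

The check is deliberately placed before the loop rather than inside it: rejecting the event as a whole keeps a partially applied update out of driver state, and a single shift against the configured vdev count catches every out-of-range bit at once.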
Impact
Successful exploitation results in a buffer overwrite and out-of-bounds memory read within the kernel context. This could allow an attacker to corrupt kernel memory, potentially leading to arbitrary code execution or sensitive information disclosure. The impact is at the kernel privilege level, compromising the confidentiality, integrity, and availability of the system.
Mitigation
Google addressed this vulnerability in the March 2018 Pixel/Nexus Security Bulletin; devices at security patch level 2018-03-05 or later carry the fix [1]. For other Android devices built on CAF kernels, OEMs must pick up the corresponding change from the qcacld-3.0 source tree [2]. No workaround is available: the check has to be added to the host driver's handler, so updating to a patched build is the only mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- [1] source.android.com/security/bulletin/pixel/2018-03-01 (CONFIRM)
- [2] source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/ (MISC)
News mentions (0)
No linked articles in our index yet.