CVE-2017-18127

Vulnerability

The vulnerability resides in the VR service on Android devices using Qualcomm Snapdragon Mobile and Snapdragon Wear chipsets: MSM8909W, SD 210/SD 212/SD 205, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845. When processing a SetParam command packet, the VR service extracts name_len and value_len fields from the packet without checking them. These unchecked lengths are then used in subsequent memcpy() calls, which can lead to a buffer overflow. The issue affects Android security patch levels before 2018-04-05 [1].

Exploitation

An attacker requires the ability to send a crafted SetParam command packet to the VR service. The attacker must control the packet content to provide malicious name_len and value_len values. No authentication or special privileges are mentioned in the references, but the attacker likely needs to be able to communicate with the VR service, possibly through an Android application or via ADB. The exploitation does not require user interaction beyond the attacker delivering the malicious packet [1].

Impact

Successful exploitation results in a buffer overflow in memcpy(), which can corrupt adjacent memory. This can lead to arbitrary code execution or a denial of service, depending on what memory is overwritten. The impact is at the privilege level of the VR service, which runs on the device and can affect system stability or allow an attacker to execute code with the service's permissions [1].

Mitigation

Google fixed this issue in the Android security bulletin for April 2018, with a security patch level of 2018-04-05. Users should ensure their devices receive this security update. The fix addresses the missing length checks for name_len and value_len in the SetParam command processing. There are no known workarounds; applying the patch is the recommended mitigation [1].