Multiple integer overflows in the JPEG engine drivers in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (system crash) via a large number of commands in an ioctl call, related to (1) camera_v1/gemini/msm_gemini_sync.c, (2) camera_v2/gemini/msm_gemini_sync.c, (3) camera_v2/jpeg_10/msm_jpeg_sync.c, (4) gemini/msm_gemini_sync.c, (5) jpeg_10/msm_jpeg_sync.c, and (6) mercury/msm_mercury_sync.c.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Android-msm | Codeaurora | 3.2.54 (including) | 3.2.54 (including) |
| Android-msm | Codeaurora | 3.4.72 (including) | 3.4.72 (including) |
| Android-msm | Codeaurora | 3.4.73 (including) | 3.4.73 (including) |
| Android-msm | Codeaurora | 3.4.74 (including) | 3.4.74 (including) |
| Android-msm | Codeaurora | 3.4.75 (including) | 3.4.75 (including) |
| Android-msm | Codeaurora | 3.4.76 (including) | 3.4.76 (including) |
| Android-msm | Codeaurora | 3.4.77 (including) | 3.4.77 (including) |
| Android-msm | Codeaurora | 3.4.78 (including) | 3.4.78 (including) |
| Android-msm | Codeaurora | 3.4.79 (including) | 3.4.79 (including) |
| Android-msm | Codeaurora | 3.10.22 (including) | 3.10.22 (including) |
| Android-msm | Codeaurora | 3.10.23 (including) | 3.10.23 (including) |
| Android-msm | Codeaurora | 3.10.24 (including) | 3.10.24 (including) |
| Android-msm | Codeaurora | 3.10.25 (including) | 3.10.25 (including) |
| Android-msm | Codeaurora | 3.10.26 (including) | 3.10.26 (including) |
| Android-msm | Codeaurora | 3.10.27 (including) | 3.10.27 (including) |
| Android-msm | Codeaurora | 3.10.28 (including) | 3.10.28 (including) |
| Android-msm | Codeaurora | 3.10.29 (including) | 3.10.29 (including) |
| Android-msm | Codeaurora | 3.12.3 (including) | 3.12.3 (including) |
| Android-msm | Codeaurora | 3.12.4 (including) | 3.12.4 (including) |
| Android-msm | Codeaurora | 3.12.5 (including) | 3.12.5 (including) |
| Android-msm | Codeaurora | 3.12.6 (including) | 3.12.6 (including) |
| Android-msm | Codeaurora | 3.12.7 (including) | 3.12.7 (including) |
| Android-msm | Codeaurora | 3.12.8 (including) | 3.12.8 (including) |
| Android-msm | Codeaurora | 3.12.9 (including) | 3.12.9 (including) |
| Android-msm | Codeaurora | 3.12.10 (including) | 3.12.10 (including) |
| Android-msm | Codeaurora | 3.13 (including) | 3.13 (including) |
| Android-msm | Codeaurora | 3.13-rc1 (including) | 3.13-rc1 (including) |
| Android-msm | Codeaurora | 3.13-rc2 (including) | 3.13-rc2 (including) |
| Android-msm | Codeaurora | 3.13-rc3 (including) | 3.13-rc3 (including) |
| Android-msm | Codeaurora | 3.13-rc4 (including) | 3.13-rc4 (including) |
| Android-msm | Codeaurora | 3.13-rc5 (including) | 3.13-rc5 (including) |
| Android-msm | Codeaurora | 3.13-rc6 (including) | 3.13-rc6 (including) |
| Android-msm | Codeaurora | 3.13-rc7 (including) | 3.13-rc7 (including) |
| Android-msm | Codeaurora | 3.13-rc8 (including) | 3.13-rc8 (including) |
| Android-msm | Codeaurora | 3.13.1 (including) | 3.13.1 (including) |
| Android-msm | Codeaurora | 3.13.2 (including) | 3.13.2 (including) |
| Android-msm | Codeaurora | 3.14-rc1 (including) | 3.14-rc1 (including) |
| Android-msm | Codeaurora | 3.14-rc2 (including) | 3.14-rc2 (including) |
| Linux-flo | Ubuntu | esm-apps/xenial | * |
| Linux-flo | Ubuntu | trusty | * |
| Linux-flo | Ubuntu | trusty/esm | * |
| Linux-flo | Ubuntu | utopic | * |
| Linux-flo | Ubuntu | vivid | * |
| Linux-flo | Ubuntu | vivid/stable-phone-overlay | * |
| Linux-flo | Ubuntu | wily | * |
| Linux-flo | Ubuntu | xenial | * |
| Linux-flo | Ubuntu | yakkety | * |
| Linux-fsl-imx51 | Ubuntu | lucid | * |
| Linux-goldfish | Ubuntu | saucy | * |
| Linux-grouper | Ubuntu | saucy | * |
| Linux-linaro-omap | Ubuntu | precise | * |
| Linux-linaro-omap | Ubuntu | quantal | * |
| Linux-linaro-shared | Ubuntu | precise | * |
| Linux-linaro-shared | Ubuntu | quantal | * |
| Linux-linaro-vexpress | Ubuntu | precise | * |
| Linux-linaro-vexpress | Ubuntu | quantal | * |
| Linux-maguro | Ubuntu | saucy | * |
| Linux-mako | Ubuntu | esm-apps/xenial | * |
| Linux-mako | Ubuntu | saucy | * |
| Linux-mako | Ubuntu | trusty | * |
| Linux-mako | Ubuntu | trusty/esm | * |
| Linux-mako | Ubuntu | utopic | * |
| Linux-mako | Ubuntu | vivid | * |
| Linux-mako | Ubuntu | vivid/stable-phone-overlay | * |
| Linux-mako | Ubuntu | wily | * |
| Linux-mako | Ubuntu | xenial | * |
| Linux-mako | Ubuntu | yakkety | * |
| Linux-manta | Ubuntu | saucy | * |
| Linux-mvl-dove | Ubuntu | lucid | * |
| Linux-qcm-msm | Ubuntu | lucid | * |
| Linux-qcm-msm | Ubuntu | precise | * |
| Linux-qcm-msm | Ubuntu | quantal | * |