CVE Vulnerabilities

CVE-2020-11149

Improper Restriction of Operations within the Bounds of a Memory Buffer

Published: Jan 21, 2021 | Modified: Jan 29, 2021
CVSS 3.x
6.7
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.2 HIGH
AV:L/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu

Out of bound access due to usage of an out-of-range pointer offset in the camera driver. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

Weakness

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Affected Software

Name Vendor Start Version End Version
Mdm9650 Qualcomm - -
Sdx20 Qualcomm - -
Qca6174a Qualcomm - -
Qca6574au Qualcomm - -
Qca6584au Qualcomm - -
Qca9377 Qualcomm - -
Qca9379 Qualcomm - -
Apq8096au Qualcomm - -
Qca6574 Qualcomm - -
Qca6564 Qualcomm - -
Sd210 Qualcomm - -
Sd205 Qualcomm - -
Sdx24 Qualcomm - -
Qcs605 Qualcomm - -
Sd855 Qualcomm - -
Qca4020 Qualcomm - -
Qcs405 Qualcomm - -
Apq8053 Qualcomm - -
Sdx55 Qualcomm - -
Sa6155p Qualcomm - -
Qca6390 Qualcomm - -
Sdm429w Qualcomm - -
Sa8155p Qualcomm - -
Qcm4290 Qualcomm - -
Qcs4290 Qualcomm - -
Qcs603 Qualcomm - -
Sa6145p Qualcomm - -
Sa8155 Qualcomm - -
Sda429w Qualcomm - -
Sdx55m Qualcomm - -
Sm7250p Qualcomm - -
Sd429 Qualcomm - -
Sd675 Qualcomm - -
Sdm830 Qualcomm - -
Sdx20m Qualcomm - -
Aqt1000 Qualcomm - -
Ar8031 Qualcomm - -
Ar8035 Qualcomm - -
Csra6620 Qualcomm - -
Csra6640 Qualcomm - -
Pm3003a Qualcomm - -
Pm6125 Qualcomm - -
Pm6150 Qualcomm - -
Pm6150a Qualcomm - -
Pm6150l Qualcomm - -
Pm6350 Qualcomm - -
Pm640a Qualcomm - -
Pm640l Qualcomm - -
Pm640p Qualcomm - -
Pm660 Qualcomm - -
Pm660l Qualcomm - -
Pm670 Qualcomm - -
Pm670a Qualcomm - -
Pm670l Qualcomm - -
Pm7150a Qualcomm - -
Pm7150l Qualcomm - -
Pm7250 Qualcomm - -
Pm7250b Qualcomm - -
Pm8004 Qualcomm - -
Pm8005 Qualcomm - -
Pm8008 Qualcomm - -
Pm8009 Qualcomm - -
Pm8150 Qualcomm - -
Pm8150a Qualcomm - -
Pm8150b Qualcomm - -
Pm8150c Qualcomm - -
Pm8150l Qualcomm - -
Pm8250 Qualcomm - -
Pm8350 Qualcomm - -
Pm8350b Qualcomm - -
Pm8350bh Qualcomm - -
Pm8350c Qualcomm - -
Pm855 Qualcomm - -
Pm855a Qualcomm - -
Pm855b Qualcomm - -
Pm855l Qualcomm - -
Pm855p Qualcomm - -
Pm8909 Qualcomm - -
Pm8916 Qualcomm - -
Pm8953 Qualcomm - -
Pm8998 Qualcomm - -
Pmc1000h Qualcomm - -
Pmd9655 Qualcomm - -
Pme605 Qualcomm - -
Pmi632 Qualcomm - -
Pmi8952 Qualcomm - -
Pmi8998 Qualcomm - -
Pmk8002 Qualcomm - -
Pmk8003 Qualcomm - -
Pmk8350 Qualcomm - -
Pmm6155au Qualcomm - -
Pmm8155au Qualcomm - -
Pmm855au Qualcomm - -
Pmm8996au Qualcomm - -
Pmr525 Qualcomm - -
Pmr735a Qualcomm - -
Pmr735b Qualcomm - -
Pmx20 Qualcomm - -
Pmx24 Qualcomm - -
Pmx55 Qualcomm - -
Qat3514 Qualcomm - -
Qat3516 Qualcomm - -
Qat3518 Qualcomm - -
Qat3519 Qualcomm - -
Qat3522 Qualcomm - -
Qat3550 Qualcomm - -
Qat3555 Qualcomm - -
Qat5515 Qualcomm - -
Qat5516 Qualcomm - -
Qat5522 Qualcomm - -
Qat5533 Qualcomm - -
Qat5568 Qualcomm - -
Qbt1500 Qualcomm - -
Qbt2000 Qualcomm - -
Qca6391 Qualcomm - -
Qca6420 Qualcomm - -
Qca6421 Qualcomm - -
Qca6426 Qualcomm - -
Qca6430 Qualcomm - -
Qca6431 Qualcomm - -
Qca6436 Qualcomm - -
Qca6564a Qualcomm - -
Qca6564au Qualcomm - -
Qca6574a Qualcomm - -
Qca6595au Qualcomm - -
Qca6696 Qualcomm - -
Qca8337 Qualcomm - -
Qdm2301 Qualcomm - -
Qdm2302 Qualcomm - -
Qdm2305 Qualcomm - -
Qdm2307 Qualcomm - -
Qdm2308 Qualcomm - -
Qdm2310 Qualcomm - -
Qdm3301 Qualcomm - -
Qdm4643 Qualcomm - -
Qdm4650 Qualcomm - -
Qdm5620 Qualcomm - -
Qdm5621 Qualcomm - -
Qdm5650 Qualcomm - -
Qdm5652 Qualcomm - -
Qdm5670 Qualcomm - -
Qdm5671 Qualcomm - -
Qdm5677 Qualcomm - -
Qdm5679 Qualcomm - -
Qet4100 Qualcomm - -
Qet4101 Qualcomm - -
Qet5100 Qualcomm - -
Qet5100m Qualcomm - -
Qet6100 Qualcomm - -
Qet6110 Qualcomm - -
Qfs2530 Qualcomm - -
Qfs2580 Qualcomm - -
Qfs2608 Qualcomm - -
Qfs2630 Qualcomm - -
Qln1030 Qualcomm - -
Qln4642 Qualcomm - -
Qln4650 Qualcomm - -
Qln5020 Qualcomm - -
Qln5030 Qualcomm - -
Qln5040 Qualcomm - -
Qpa2625 Qualcomm - -
Qpa4360 Qualcomm - -
Qpa4361 Qualcomm - -
Qpa5460 Qualcomm - -
Qpa5461 Qualcomm - -
Qpa5580 Qualcomm - -
Qpa5581 Qualcomm - -
Qpa6560 Qualcomm - -
Qpa8673 Qualcomm - -
Qpa8686 Qualcomm - -
Qpa8801 Qualcomm - -
Qpa8802 Qualcomm - -
Qpa8803 Qualcomm - -
Qpa8821 Qualcomm - -
Qpa8842 Qualcomm - -
Qpm4621 Qualcomm - -
Qpm4630 Qualcomm - -
Qpm4640 Qualcomm - -
Qpm4641 Qualcomm - -
Qpm4650 Qualcomm - -
Qpm5541 Qualcomm - -
Qpm5577 Qualcomm - -
Qpm5579 Qualcomm - -
Qpm5621 Qualcomm - -
Qpm5641 Qualcomm - -
Qpm5658 Qualcomm - -
Qpm5670 Qualcomm - -
Qpm5677 Qualcomm - -
Qpm5679 Qualcomm - -
Qpm5870 Qualcomm - -
Qpm5875 Qualcomm - -
Qpm6325 Qualcomm - -
Qpm6375 Qualcomm - -
Qpm6582 Qualcomm - -
Qpm6585 Qualcomm - -
Qpm6621 Qualcomm - -
Qpm6670 Qualcomm - -
Qpm8820 Qualcomm - -
Qpm8830 Qualcomm - -
Qpm8870 Qualcomm - -
Qpm8895 Qualcomm - -
Qsm7250 Qualcomm - -
Qsw6310 Qualcomm - -
Qsw8573 Qualcomm - -
Qsw8574 Qualcomm - -
Qtc410s Qualcomm - -
Qtc800h Qualcomm - -
Qtc800s Qualcomm - -
Qtc801s Qualcomm - -
Qtm525 Qualcomm - -
Qtm527 Qualcomm - -
Sd460 Qualcomm - -
Sd662 Qualcomm - -
Sd665 Qualcomm - -
Sd750g Qualcomm - -
Sd765 Qualcomm - -
Sd765g Qualcomm - -
Sd768g Qualcomm - -
Sdr425 Qualcomm - -
Sdr660 Qualcomm - -
Sdr660g Qualcomm - -
Sdr735 Qualcomm - -
Sdr735g Qualcomm - -
Sdr8150 Qualcomm - -
Sdr8250 Qualcomm - -
Sdr865 Qualcomm - -
Sdxr1 Qualcomm - -
Smb1350 Qualcomm - -
Smb1351 Qualcomm - -
Smb1354 Qualcomm - -
Smb1355 Qualcomm - -
Smb1357 Qualcomm - -
Smb1381 Qualcomm - -
Smb1390 Qualcomm - -
Smb1395 Qualcomm - -
Smb1396 Qualcomm - -
Smb1398 Qualcomm - -
Smb2351 Qualcomm - -
Smr525 Qualcomm - -
Smr526 Qualcomm - -
Smr545 Qualcomm - -
Smr546 Qualcomm - -
Wcd9326 Qualcomm - -
Wcd9335 Qualcomm - -
Wcd9340 Qualcomm - -
Wcd9341 Qualcomm - -
Wcd9370 Qualcomm - -
Wcd9375 Qualcomm - -
Wcd9380 Qualcomm - -
Wcd9385 Qualcomm - -
Wcn3610 Qualcomm - -
Wcn3615 Qualcomm - -
Wcn3660b Qualcomm - -
Wcn3680b Qualcomm - -
Wcn3950 Qualcomm - -
Wcn3980 Qualcomm - -
Wcn3988 Qualcomm - -
Wcn3990 Qualcomm - -
Wcn3991 Qualcomm - -
Wcn3998 Qualcomm - -
Wcn3999 Qualcomm - -
Wcn6750 Qualcomm - -
Wcn6850 Qualcomm - -
Wcn6851 Qualcomm - -
Wcn6856 Qualcomm - -
Wgr7640 Qualcomm - -
Wsa8810 Qualcomm - -
Wsa8815 Qualcomm - -
Wsa8830 Qualcomm - -
Wsa8835 Qualcomm - -
Wtr2965 Qualcomm - -
Wtr3925 Qualcomm - -
Wtr4905 Qualcomm - -
Wtr5975 Qualcomm - -
Pm215 Qualcomm - -
Pm7350c Qualcomm - -
Pm8350bhs Qualcomm - -
Pmk7350 Qualcomm - -
Pmw3100 Qualcomm - -
Qdm3302 Qualcomm - -
Qdm5579 Qualcomm - -
Qualcomm215 Qualcomm - -
Sm7350 Qualcomm - -
Smb1394 Qualcomm - -
Wcn3620 Qualcomm - -
Wcn3680 Qualcomm - -
Wcn6740 Qualcomm - -
Sd8c Qualcomm - -
Sd8cx Qualcomm - -
Sd6905g Qualcomm - -
Sd8655g Qualcomm - -
Sd8885g Qualcomm - -
Sdxr25g Qualcomm - -

Extended Description

Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

  • For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.

  • Be wary that a language’s interface to native code may still be subject to overflows, even if the language itself is theoretically safe.

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

  • Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.

  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.

  • Consider adhering to the following rules when allocating and managing an application’s memory:

  • Run or compile the software using features or extensions that randomly arrange the positions of a program’s executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.

  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as “rebasing” (for Windows) and “prelinking” (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.

  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

  • Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.

  • For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].

References