The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."
This is a known issue in the upstream Linux kernel that was fixed in April 2014 but wasn't called out as a security fix and assigned CVE-2015-1805 until February 2, 2015. On February 19, 2016, C0RE Team notified Google that the issue could be exploited on Android, and a patch was developed to be included in an upcoming regularly scheduled monthly update. On March 15, 2016, Google received a report from Zimperium that this vulnerability had been abused on a Nexus 5 device. Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | android | lt | 3.10 and 3.14 |
www.openwall.com/lists/oss-security/2015/06/06/2
android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb
android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f
android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5
bugzilla.redhat.com/show_bug.cgi?id=1202855
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805
source.android.com/security/advisory/2016-03-18.html