{
  "name" : "Qualcomm out of bounds camera",
  "CVE" : [["CVE-2013-6123","QCIR-2014-00001-1"]],
  "Coordinated_disclosure" : "true",
  "Categories" : ["kernel"],
  "Details" : [["Out of bounds array access in camera driver (CVE-2013-6123): The camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_ioctl_server, msm_server_send_ctrl, and msm_ctrl_cmd_done functions use a user-supplied value as an index to the server_queue array for read and write operations without any boundary checks. A local application with access to the camera device nodes can use this flaw to, e.g., elevate privileges.","QCIR-2014-00001-1"]],
  "Discovered_by" : [["alephzain <alephzain1@gmail.com>","QCIR-2014-00001-1"]],
  "Discovered_on" : [{"date":"2013-10-10","bound":"before","ref":"msm-camera-valid-patch"}],
  "Submission" : [{"by":"drt24","on":"2014-04-16"}],
  "Reported_on" : [["2014-01-10","QCIR-2014-00001-1"]],
  "Fixed_on" : [["2013-12-09","msm-camera-bounds-patch"],["2013-10-10","msm-camera-valid-patch"]],
  "Fix_released_on" : [],
  "Affected_versions" : [],
  "Affected_devices" : [],
  "Affected_versions_regexp" : [],
  "Affected_manufacturers" : [["Qualcomm","QCIR-2014-00001-1"]],
  "Fixed_versions" : [],
  "references" : {
    "QCIR-2014-00001-1" : {
      "url" : "https://www.codeaurora.org/projects/security-advisories/out-bounds-array-access-camera-driver-cve-2013-6123",
      "archiveurl" : "https://web.archive.org/web/20170322094648/https://www.codeaurora.org/projects/security-advisories/out-bounds-array-access-camera-driver-cve-2013-6123"
    },
    "msm-camera-bounds-patch" : {
      "url" : "https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=7beb04ea945a7178e61d935918d3cb152996b558",
      "commit" : "7beb04ea945a7178e61d935918d3cb152996b558",
      "component" : "quic/la/kernel/msm"
    },
    "msm-camera-valid-patch" : {
      "url" : "https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4",
      "commit" : "60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4",
      "component" : "quic/la/kernel/msm"
    }
  },
  "Surface": ["local", "app", "system-call"],
  "Vector": ["memory-corruption"],
  "Target": ["driver"],
  "Channel": ["app-execution"],
  "Condition": ["affected-app-installed"],
  "Privilege": ["kernel"]
}