Out of bounds array access in camera driver (CVE-2013-6123)

Release Date: January 10, 2014
Advisory ID: 

The following security vulnerabilities have been identified in the camera driver.

The camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_ioctl_server, msm_server_send_ctrl, and msm_ctrl_cmd_done functions use a user-supplied value as an index into the server_queue array for read and write operations without any bounds checks. A local application with access to the camera device nodes can use this flaw, for example, to elevate privileges.

Access Vector: local
Security Risk: high
Vulnerability: CWE-129 (improper validation of array index)
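
The CWE-129 pattern described above, next to a bounds-checked form, as an added example: this is a simplified user-space model written for this page, not the camera driver's code or the published patch. The names queue_slot, ctrl_req, MAX_QUEUES and the handle_req_* and index_ok_upper_only functions are hypothetical; only the array name server_queue is taken from the advisory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_QUEUES 8   /* assumed size, not the driver's real value */

/* Hypothetical stand-in for one entry of the driver's server_queue array. */
struct queue_slot { int active; uint32_t pending; };
static struct queue_slot server_queue[MAX_QUEUES];

/* Request as copied from user space: every field is caller-controlled. */
struct ctrl_req { int32_t queue_idx; uint32_t value; };

/* Vulnerable pattern (CWE-129): the index reaches the array unchecked,
 * so the write can land outside server_queue. Shown only for contrast. */
int handle_req_unchecked(const struct ctrl_req *req)
{
    server_queue[req->queue_idx].pending = req->value;
    return 0;
}

/* Incomplete check: with a signed index, an upper bound alone still
 * accepts negative values (returns 1 for idx == -1). */
int index_ok_upper_only(int32_t idx)
{
    return idx < MAX_QUEUES;
}

/* Hardened pattern: validate both bounds before any read or write. */
int handle_req_checked(const struct ctrl_req *req)
{
    if (req->queue_idx < 0 || req->queue_idx >= MAX_QUEUES)
        return -EINVAL;
    if (!server_queue[req->queue_idx].active)
        return -ENODEV;
    server_queue[req->queue_idx].pending = req->value;
    return 0;
}

int main(void)
{
    /* Constructed sample requests: valid, negative, one past the end. */
    struct ctrl_req reqs[] = { {3, 0xAB}, {-1, 0xAB}, {MAX_QUEUES, 0xAB} };
    server_queue[3].active = 1;
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("idx %d -> %d\n", (int)reqs[i].queue_idx, handle_req_checked(&reqs[i]));
    return 0;
}
```

When auditing a driver for this class of bug, check every function that indexes the shared array, since the advisory lists three separate call sites with the same missing check.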

Affected versions:
All Android releases from CAF using the Linux kernel from the following heads:

  • jb_2.*
  • kk_2*
  • msm-3.0

We advise customers to apply the following patches:

Individual Patches


Qualcomm Innovation Center, Inc. (QuIC) thanks alephzain1@gmail.com for reporting the related issues and working with QuIC to help improve Android device security.


Initial revision