In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
qualcomm fastconnect_6800_firmware - |
||
qualcomm fastconnect_6900_firmware - |
||
qualcomm fastconnect_7800_firmware - |
||
qualcomm qca6391_firmware - |
||
qualcomm qca6426_firmware - |
||
qualcomm qca6436_firmware - |
||
qualcomm qcn9074_firmware - |
||
qualcomm qcs410_firmware - |
||
qualcomm qcs610_firmware - |
||
qualcomm sd865_5g_firmware - |
||
qualcomm snapdragon_8_gen_1_firmware - |
||
qualcomm snapdragon_865_5g_firmware - |
||
qualcomm snapdragon_865\\+_5g_firmware - |
||
qualcomm snapdragon_870_5g_firmware - |
||
qualcomm snapdragon_x55_5g_firmware - |
||
qualcomm snapdragon_xr2_5g_firmware - |
||
qualcomm sw5100_firmware - |
||
qualcomm sw5100p_firmware - |
||
qualcomm sxr2130_firmware - |
||
qualcomm wcd9341_firmware - |
||
qualcomm wcd9370_firmware - |
||
qualcomm wcd9380_firmware - |
||
qualcomm wcn3660b_firmware - |
||
qualcomm wcn3680b_firmware - |
||
qualcomm wcn3950_firmware - |
||
qualcomm wcn3980_firmware - |
||
qualcomm wcn3988_firmware - |
||
qualcomm wsa8810_firmware - |
||
qualcomm wsa8815_firmware - |
||
qualcomm wsa8830_firmware - |
||
qualcomm wsa8835_firmware - |
Vulmon