Due to missing input validation, user-controlled data passed in a QMI command can trigger a buffer overflow in the QMI voice service API exposed by the Modem to HLOS.

The qmi_voicei_srvcc_call_config_req handler of the QMI voice service parses the TLV payload of a QMI message received from Android.
If the type of a TLV packet is equal to 1, the value is interpreted as:

  • number of calls (1 byte size)
  • array of call contexts (0x160 bytes per call)

To process this packet, the handler allocates 0x5B90 bytes on the modem heap, extracts the number of calls from the payload into the allocated buffer at offset 0x10, and then loops to fetch all call contexts into the buffer starting at offset 0x12.
Because the handler never checks the number of calls against a maximum, it is possible to pass the value 0xFF in the number-of-calls field and thus overwrite the modem heap by up to 0x10322 bytes.
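The following is an added example, not the modem's code: a hardened version of the TLV handler described above, using the allocation size, offsets and per-call size from the advisory. All function, macro and parameter names are assumed; the sample TLVs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values taken from the advisory text; the names are assumed. */
#define SRVCC_BUF_SIZE     0x5B90u  /* heap allocation made by the handler   */
#define NUM_CALLS_OFFSET   0x10u    /* where the call count is stored        */
#define CALL_CTX_OFFSET    0x12u    /* where the call-context array starts   */
#define CALL_CTX_SIZE      0x160u   /* size of one call context              */
#define TLV_TYPE_SRVCC_CFG 1u

/* Largest call count whose contexts still fit inside the allocation (66). */
#define MAX_CALLS ((SRVCC_BUF_SIZE - CALL_CTX_OFFSET) / CALL_CTX_SIZE)

/* Bytes the unchecked loop would write into the buffer for a given count. */
size_t srvcc_bytes_written(uint8_t num_calls) {
    return CALL_CTX_OFFSET + (size_t)num_calls * CALL_CTX_SIZE;
}

/* Hardened handler: fills `out` (SRVCC_BUF_SIZE bytes) only when the call
 * count fits the allocation and the TLV actually carries that many contexts. */
bool srvcc_parse_tlv(uint8_t type, size_t len, const uint8_t *val, uint8_t *out) {
    if (type != TLV_TYPE_SRVCC_CFG || len < 1)
        return false;
    uint8_t num_calls = val[0];
    if (num_calls > MAX_CALLS)                 /* the check the original lacks */
        return false;
    if (len < 1 + (size_t)num_calls * CALL_CTX_SIZE)
        return false;                          /* payload shorter than claimed */
    memset(out, 0, SRVCC_BUF_SIZE);
    out[NUM_CALLS_OFFSET] = num_calls;
    for (uint8_t i = 0; i < num_calls; i++)
        memcpy(out + CALL_CTX_OFFSET + (size_t)i * CALL_CTX_SIZE,
               val + 1 + (size_t)i * CALL_CTX_SIZE, CALL_CTX_SIZE);
    return true;
}

/* Constructed sample: a TLV carrying two zero-filled call contexts. */
bool srvcc_demo_two_calls(void) {
    static uint8_t val[1 + 2 * CALL_CTX_SIZE], out[SRVCC_BUF_SIZE];
    val[0] = 2;
    return srvcc_parse_tlv(TLV_TYPE_SRVCC_CFG, sizeof val, val, out) &&
           out[NUM_CALLS_OFFSET] == 2;
}

/* Same two contexts but a count of 0xFF: rejected before any copy happens. */
bool srvcc_demo_oversized_count(void) {
    static uint8_t val[1 + 2 * CALL_CTX_SIZE], out[SRVCC_BUF_SIZE];
    val[0] = 0xFF;
    return !srvcc_parse_tlv(TLV_TYPE_SRVCC_CFG, sizeof val, val, out);
}
```

srvcc_bytes_written(0xFF) minus the allocation size reproduces the 0x10322-byte figure quoted above.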