Huawei Wkg-lx9 11.0.1.154 (C185e4r3p1) Software Release Notes

Product name Confidentiality level
WKG-LX9 CONFIDENTIAL
Commercial Name
Total 16 pages
HUAWEI Nova Y60
XXX Software Release Notes Vx.y
Prepared by WKG Team Date 2022-1-26

Reviewed by WKG Team Date 2022-1-26
Approved by WKG Team Date 2022-1-26
Huawei Technologies Co., Ltd.
All rights reserved

Table of Contents
1 Version Description..................................................................................................................4
2 New Features..........................................................................................................................4
3 Improvement from the Previous Version.................................................................................4
4 Known Limitations and Issue...................................................................................................4
5 Software Vulnerabilities Fixes..................................................................................................4
XXX Software Release Notes CONFIDENTIAL
Vx.y
XXX Software Release Notes Vx.y
1 Version Description
Model WKG-LX9
Build number 11.0.1.154(C185E4R3P1)
Previous released number 11.0.1.140(C185E4R3P1)

IMEI SV 07
OS version 10
EMUI version 11.0.1
CPU MediaTek MT6765
Security patch level 1 February 2022
MOLY.LR12A.R2.TC3.UNI.2020.SP.V1.P54,
Baseband version
MOLY.LR12A.R2.TC3.UNI.2020.SP.V1.P54
4.14.141+
Kernel Version android@localhost #1
Mon Jan 24 18:19:13 CST 2022
Version Type SMR
2 New Features
Index Feature Description
1 NA
3 Improvement from the Previous Version

Index Issue Description
Integrates security patches released in January&February 2022 for improved
1
system security
4 Known Limitations and Issue

Index Issue Description Remarks
1 NA
5 Software Vulnerabilities Fixes
2022#2 Third-party Security Patch：

Page 3
Software/ CV Vx.y
Vulnerability
Impac
t
Module Version E
Description Descri
name ID
ption
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
89
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
90
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
91
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
92
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
93
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
94
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
95
memory NA CV NA NA
managem E-
ent driver 20
Page 4
21
-
Vx.y
04
96
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
97
CV
E-
memory 20
managem NA 21 NA NA
ent driver -
04
98
In memory
management driver,
there is a possible out
CV of bounds write due to
E- uninitialized data. This
memory 20 could lead to local
managem NA 21 escalation of privilege NA
ent driver - with no additional
05 execution privileges
30 needed. User
interaction is not
needed for
exploitation.
In memory
management driver,
there is a possible
CV memory corruption
E- due to a use after free.
memory 20 This could lead to local
31 needed. User
interaction is not
needed for
exploitation.
In memory
management driver,
there is a possible
CV
memory corruption
E-
due to a race
memory 20
condition. This could
managem NA 21 NA
lead to local escalation
ent driver -
of privilege with no
05
additional execution
32
privileges needed.
User interaction is not
needed for
Page 5
Vx.y
exploitation.
In memory
management driver,
there is a possible
E- due to a race
memory 20 condition. This could
managem NA 21 lead to local escalation NA
ent driver - of privilege with no
05 additional execution
33 privileges needed.
needed for
exploitation.
In memory
management driver,
there is a possible
E- due to improper
memory 20 locking. This could
managem NA 21 lead to local escalation NA
ent driver - of privilege with no
needed for
exploitation.
In memory
management driver,
there is a possible
E- due to a double free.
28 needed. User
interaction is not
needed for
exploitation.
In memory
management driver,
there is a possible
E- due to a use after free.
27 needed. User
interaction is not
needed for
exploitation.
memory CV In memory
managem NA E- management driver, NA
ent driver 20 there is a possible out
Page 6
Vx.y
of bounds write due to
uninitialized data. This
could lead to local
21 escalation of privilege
- with no additional
26 needed. User
interaction is not
needed for
exploitation.
In memory
management driver,
there is a possible out
CV of bounds write due to
E- a use after free. This
memory 20 could lead to local
25 needed. User
interaction is not
needed for
exploitation.
CV
E-
20
Platform 12 21 NA NA
-
07
17
In quota_proc_write
of xt_quota2.c, there
is a possible way to
CV read kernel memory
E- due to uninitialized
20 data. This could lead
netfilter NA 21 to local information NA
- disclosure with System
61 needed. User
interaction is not
needed for
exploitation.
In alac decoder, there
is a possible out of
bounds write due to
CV
an incorrect bounds
E-
check. This could lead
20
alac to local escalation of
NA 21 NA
decoder privilege with no
-
06
privileges needed.
75
needed for
exploitation.
Platform 12 CV In NA
Page 7
ternal
Vx.y
enqueueNotificationIn
of
NotificationManagerS
ervice.java, there is a
possible way to run a
foreground service
E-
without showing a
20
notification due to
21
improper input
-
validation. This could
09
lead to local escalation
81
privileges needed.
needed for
exploitation.
In
setNotificationsShown
FromListener of
possible way to
determine whether an
CV app is installed,
E- without query
20 permissions, due to
Platform 12 21 side channel NA
- information
10 disclosure. This could
30 lead to local
information disclosure
with no additional
execution privileges
needed. User
interaction is not
needed for
exploitation.
In
cancelNotificationsFro
mListener of
possible way to
CV
E-
app is installed,
20
without query
Platform 12 21 NA
permissions, due to
-
side channel
10
information
31
disclosure. This could
lead to local
with no additional
needed. User
Page 8
Vx.y
interaction is not
needed for
exploitation.
In
getOffsetBeforeAfter
of TextLine.java, there
is a possible denial of
CV
service due to
E-
resource exhaustion.
20
This could lead to
Platform 12 21 NA
remote denial of
-
service with no
09
93
privileges needed.
User interaction is
needed for
exploitation.
In
phNxpNHal_DtaUpdat
e of
phNxpNciHal_dta.cc,
CV there is a possible out
E- of bounds write due to
20 an incorrect bounds
Platform 12 21 check. This could lead NA
- to local escalation of
09 privilege with System
needed. User
interaction is not
needed for
exploitation.
In onCreate of
UsbPermissionActivity.
java, there is a
possible way to grant
CV an app access to USB
E- without informed user
20 consent due to a
Platform 12 21 tapjacking/overlay NA
- attack. This could lead
10 to local escalation of
16 privilege with User
needed. User
interaction is needed
for exploitation.
In AdapterService and
CV GattService definition
E- of
20 AndroidManifest.xml,
Platform 12 21 there is a possible way NA
- to disable bluetooth
10 connection due to a
17 missing permission
check. This could lead
Page 9
Vx.y
to local escalation of
privilege with no
privileges needed.
User interaction is
needed for
exploitation.
In
ufshcd_eh_device_res
et_handler of ufshcd.c,
CV there is a possible out
E- of bounds read due to
20 a missing bounds
21 check. This could lead
Kernel NA NA
- to local information
39 disclosure with System
7 needed. User
interaction is not
needed for
exploitation.
In doRead of
SimpleDecodingSource
.cpp, there is a
CV possible out of bounds
E- write due to an
20 incorrect bounds
21 check. This could lead
Platform 9,10,11,12 NA
- to remote escalation
39 of privilege with no
needed for
exploitation.
In phTmlNfc_Init and
phTmlNfc_CleanUp of
phTmlNfc.cc, there is a
CV
possible use after free
E-
due to a race
20
condition. This could
21
Platform 9,10,11,12 lead to local escalation NA
-
39
62
privileges needed.
9
needed for
exploitation.
In getAllSubInfoList of
CV
SubscriptionController
E-
.java, there is a
20
possible way to
Platform 10,11,12 21 NA
retrieve a long term
-
identifier without the
06
correct permissions
43
due to a missing
Page 10
Vx.y
permission check. This
could lead to local
with User execution
privileges needed.
needed for
exploitation.
In
sortSimPhoneAccount
sForEmergency of
CreateConnectionProc
essor.java, there is a
CV
possible prevention of
E-
access to emergency
20
calling due to an
21
Platform 10,11,12 unhandled exception. NA
-
In rare instances, this
39
could lead to local
65
denial of service with
9
User execution
privileges needed.
needed for
exploitation.
In getSerialForPackage
of
DeviceIdentifiersPolicy
Service.java, there is a
possible way to
app is installed,
CV
without query
E-
permissions, due to
20
side channel
Platform 12 21 NA
information
-
09
lead to local
78
with no additional
needed. User
interaction is not
needed for
exploitation.
In WT_Interpolate of
eas_wtengine.c, there
CV is a possible out of
E- bounds read due to a
20 missing bounds check.
Platform 12 21 This could lead to NA
- remote information
10 disclosure with no
privileges needed.
Page 11
Vx.y
needed
exploitation.
for
CV
E-
20
EMUI/ 11.0.1,10.1.1,10
21 NA NA
Magic UI .1.0,
-
03
56
CV
E-
20
EMUI/ 11.0.1,10.1.1,10
21 NA NA
Magic UI .1.0,
-
03
59
CV
E-
20
EMUI/ 11.0.1,10.1.1,10
21 NA NA
Magic UI .1.0,
-
03
60
CV
E-
20
EMUI/ 11.0.1,10.1.1,10
21 NA NA
Magic UI .1.0,
-
03
58
CV
E-
20
EMUI/ 11.0.1,10.1.1,10
21 NA NA
Magic UI .1.0,
-
03
57
CV
E-
20
EMUI/ 11.0.1,11.0.0,10
21 NA NA
Magic UI .1.1,10.1.0,
-
37
60
2022#2 Huawei Security patch:
NA
2022#1 Third-party Security Patch：

Softwar Version C Vulnerability Imp
Page 12
e/ V Vx.y act
Desc
Module E Description
ripti
name ID
on
C
V
E-
2
0
Platfor
9,10,11 2 NA NA
m
1-
0
6
5
3
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
8
4
9
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
7
6
1
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
7
8
9
Platfor 12 C NA NA
m V
E-
2
0
2
1-
0
Page 13
5
6
Vx.y
0
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
8
0
5
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
7
7
9
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
7
9
1
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
7
9
5
Platfor 12 C NA NA
m V
E-
2
0
2
1-
0
8
Page 14
4
0
Vx.y
C
V
E-
2
0
Platfor
12 2 NA NA
m
1-
0
8
4
4
In createFromParcel
of
C GpsNavigationMessa
V ge.java, there is a
E- possible Parcel
2 serialization/deseriali
0 zation mismatch.
Platfor
9,10,11,12 2 This could lead to NA
m
1- local escalation of
0 privilege with no
0 User interaction is
not needed for
exploitation.
In
createNoCredentials
PermissionNotificatio
n and related
functions of
C AccountManagerServ
V ice.java, there is a
E- possible way to
2 retrieve accounts
0 from the device
Platfor
9,10,11 2 without permissions NA
m
1- due to a permissions
0 bypass. This could
7 lead to local
0 information
privileges needed.
User interaction is
not needed for
exploitation.
Platfor 10,11,12,9 C In NA
m V vorbis_book_decode
E- v_set of codebook.c,
2 there is a possible
0 out of bounds write
2 due to a missing
1- bounds check. This
Page 15
Vx.y
could lead to remote
information
needed for
exploitation.
In
C2SoftMP3::process(
) of
C
C2SoftMp3Dec.cpp,
V
there is a possible
E-
out of bounds write
2
due to a heap buffer
0
Platfor overflow. This could
9,10,11,12 2 NA
m lead to remote
1-
information
0
disclosure with no
9
6
privileges needed.
4
User interaction is
needed for
exploitation.
In osi_malloc and
osi_calloc of
C
allocator.cc, there is
V
a possible out of
E-
bounds write due to
2
an integer overflow.
0
Platfor This could lead to
9,10,11,12 2 NA
m remote code
1-
execution with no
0
9
privileges needed.
6
User interaction is
8
not needed for
exploitation.
In
NfcTag::discoverTech
nologies (activation)
C of NfcTag.cpp, there
V is a possible out of
E- bounds write due to
2 an incorrect bounds
0 check. This could
Platfor
11,12 2 lead to remote NA
m
1- escalation of
0 privilege with no
9 additionalSystem
6 needed. User
interaction is not
needed for
exploitation.
Page 16
C
Vx.y
In ResolverActivity,
there is a possible
V user interaction
E- bypass due to a
2 tapjacking/overlay
0 attack. This could
Platfor
10,11 2 lead to local NA
m
1- escalation of
5 needed. User
4 interaction is needed
for exploitation.
In onCreate of
KeyChainActivity.java
, there is a possible
C
way to use an app
V
certificate stored in
E-
keychain due to a
2
tapjacking/overlay
0
Platfor attack. This could
9,10,11,12 2 NA
m lead to local
1-
escalation of
0
privilege with no
9
6
privileges needed.
3
User interaction is
needed for
exploitation.
In
AndroidManifest.xml
of Settings, there is a
C possible pairing of a
V Bluetooth device
E- without user's
2 consent due to a
Platfor
9,10,11,12 2 check. This could NA
m
1- lead to local
0 escalation of
9 privilege with no
User interaction is
not needed for
exploitation.
C In doCropPhoto of
V PhotoSelectionHandl
E- er.java, there is a
2 possible permission
Platfor 0 bypass due to a
9,10,11,12 NA
m 2 confused deputy.
1- This could lead to
0 local information
9 disclosure of user's
5 contacts with no
Page 17
Vx.y
privileges needed.
needed for
exploitation.
In getTitle of
AccessPoint.java,
there is a possible
C
unhandled exception
V
due to a missing null
E-
check. This could
2
lead to remote
0
Platfor denial of service if a
10,11 2 NA
m proximal Wi-Fi AP
1-
provides invalid
0
information with no
9
6
privileges needed.
9
User interaction is
needed for
exploitation.
In
MPEG4Source::read
of
C
MPEG4Extractor.cpp,
V
there is a possible
E-
out of bounds write
2
due to a missing
0
Platfor bounds check. This
9,10,11,12 2 NA
m could lead to remote
1-
information
0
disclosure with no
9
7
privileges needed.
1
User interaction is
needed for
exploitation.
C drivers/usb/host/
V max3421-hcd.c in the
E- Linux kernel before
2 5.13.6 allows
0 physically proximate
2 attackers to cause a
USB NA NA
1- denial of service
3 (use-after-free and
8 panic) by removing a
2 MAX-3421 USB
0 device in certain
4 situations.
C In snoozeNotification
V of
E- NotificationListenerS
Platfor
12 2 ervice.java, there is a NA
m
0 possible permission
2 confusion due to a
1- misleading user
Page 18
Vx.y
consent dialog. This
could lead to local
1 escalation of
9 needed. User
interaction is needed
for exploitation.
In onEventReceived
of
C EventResultPersister.
V java, there is a
E- possible intent
2 redirection due to a
0 confused deputy.
Platfor
12 2 This could lead to NA
m
1- local escalation of
1 privilege with System
2 needed. User
4 interaction is not
needed for
exploitation.
In
isRequestPinItemSup
ported of
ShortcutService.java,
there is a possible
C
cross-user leak of
V
packages in which
E-
the default launcher
2
supports requests to
0
Platfor create pinned
12 2 NA
m shortcuts due to a
1-
permissions bypass.
0
This could lead to
9
local information
7
disclosure with no
9
privileges needed.
User interaction is
not needed for
exploitation.
In
C setApplicationCatego
V ryHint of
E- PackageManagerServ
2 ice.java, there is a
0 possible way to
Platfor
12 2 determine whether NA
m
1- an app is installed,
1 without query
0 permissions, due to
0 side channel
9 information
Page 19
Vx.y
lead
information
to local
disclosure with no
privileges needed.
User interaction is
not needed for
exploitation.
In getSigningKeySet
of
C
PackageManagerServ
V
ice.java, there is a
E-
missing permission
2
check. This could
0
Platfor lead to local
12 2 NA
m information
1-
disclosure with no
1
0
privileges needed.
1
User interaction is
0
not needed for
exploitation.
In
setPackageStoppedSt
C ate of
V PackageManagerServ
E- ice.java, there is a
0 check. This could
Platfor
12 2 lead to local NA
m
1- information
not needed for
exploitation.
In toBARK of floor0.c,
C there is a possible
V out of bounds read
E- due to a missing
2 bounds check. This
0 could lead to remote
Platfor
12 2 information NA
m
1- disclosure with no
6 needed for
exploitation.
Platfor 12 C In NA
m V 'ih264e_find_bskip_p
E- arams()' of
2 ih264e_me.c, there
0 is a possible out of
2 bounds read due to a
Page 20
Vx.y
heap buffer
overflow. This could
lead to local
1-
information
0
disclosure with no
9
9
privileges needed.
8
User interaction is
not needed for
exploitation.
In
PVInitVideoEncoder
C of mp4enc_api.cpp,
V there is a possible
E- out of bounds read
2 due to a heap buffer
0 overflow. This could
Platfor
12 2 lead to local NA
m
1- information
not needed for
exploitation.
In
adjustStreamVolume
of AudioService.java,
there is a possible
C way to determine
V whether an app is
E- installed, without
2 query permissions,
0 due to side channel
Platfor
12 2 information NA
m
1- disclosure. This could
1 lead to local
0 information
privileges needed.
User interaction is
not needed for
exploitation.
In onCreate of
C
AllowBindAppWidget
V
Activity.java, there is
E-
a possible bypass of
2
user interaction
0
Platfor requirements due to
12 2 NA
m unclear UI. This could
1-
lead to local
0
escalation of
7
privilege with no
6
9
privileges needed.
Page 21
Vx.y
User interaction is
needed for
exploitation.
In
phNxpNHal_DtaUpda
te of
C
phNxpNciHal_dta.cc,
V
there is a possible
E-
out of bounds write
2
due to an incorrect
0
Platfor bounds check. This
12 2 NA
m could lead to local
1-
escalation of
0
privilege with System
9
7
needed. User
7
interaction is not
needed for
exploitation.
In onCreate of
PaymentDefaultDialo
g.java, there is a
C possible way to
V change a default
E- payment app
2 without user consent
0 due to tapjack
Platfor
12 2 overlay. This could NA
m
1- lead to local
0 escalation of
9 privilege with no
User interaction is
needed for
exploitation.
In nfaHciCallback of
HciEventManager.cp
C p, there is a possible
V out of bounds read
E- due to a missing
2 bounds check. This
0 could lead to local
Platfor
12 2 information NA
m
1- disclosure over NFC
0 with System
9 needed. User
6 interaction is not
needed for
exploitation.
C In
V btu_hcif_process_ev
Platfor
12 E- ent of btu_hcif.cc, NA
m
0 out of bounds read
Page 22
Vx.y
due to an incorrect
bounds check. This
2 could lead to local
1- information
1 disclosure with
0 System execution
not needed for
exploitation.
In onCreate of
RequestIgnoreBatter
yOptimizations.java,
there is a possible
C way to determine
V whether an app is
E- installed, without
2 query permissions,
0 due to side channel
Platfor
12 2 information NA
m
1- disclosure. This could
1 lead to local
0 information
privileges needed.
User interaction is
needed for
exploitation.
In
hasNamedWallpaper
of
WallpaperManagerS
C
possible way to
V
determine whether
E-
an app is installed,
2
without query
0
Platfor permissions, due to a
12 2 NA
m missing permission
1-
check. This could
1
lead to local
0
information
2
disclosure with no
5
privileges needed.
User interaction is
not needed for
exploitation.
C In
V btif_in_hf_client_gen
E- eric_evt of
Platfor
12 2 btif_hf_client.cc, NA
m
2 Bluetooth service
1- crash due to a
Page 23
Vx.y
missing null check.
This could lead to
remote denial of
1
service with no
0
2
privileges needed.
2
User interaction is
not needed for
exploitation.
In
gadget_dev_desc_U
C DC_show of
V configfs.c, there is a
E- possible disclosure of
2 kernel heap memory
0 due to a race
2 condition. This could
Kernel NA NA
1- lead to local
3 information
9 disclosure with
6 System execution
not needed for
exploitation.
A flaw was found in
the Linux kernel's
implementation of
biovecs in versions
before 5.9-rc7. A
C zero-length biovec
V request issued by the
E- block subsystem
2 could cause the
0 kernel to enter an
EMUI/ 11.0.1,10.1.1,9.1.0,11
2 infinite loop, causing
Magic .0.0,10.1.0,10.0.0,9.1. NA
0- a denial of service.
UI 1
2 This flaw allows a
5 local attacker with
6 basic privileges to
4 issue requests to a
1 block device,
resulting in a denial
of service. The
highest threat from
this vulnerability is to
system availability.
C
V
E-
EMUI/ 2
11.0.1,11.0.0,10.1.1,1
Magic 0 NA NA
0.1.0,10.0.0,
UI 2
1-
2
0
Page 24
3
2
Vx.y
2
C
V
E-
2
EMUI/ 0
11.0.1,11.0.0,10.1.1,1
Magic 2 NA NA
0.1.0,10.0.0,
UI 1-
3
6
4
0
2022#1 Huawei Security patch:

Vulnerabilit
Software/Module Impact
Version CVE ID y
name Description
Description
CVE-
EMUI/Magic UI 11.0.1,10.1.1,10.1.0, 2021- NA NA
40035
CVE-
EMUI/Magic UI 11.0.1,10.1.1,10.1.0, 2021- NA NA
40029
Page 25

Huawei Wkg-lx9 11.0.1.154 (C185e4r3p1) Software Release Notes

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Huawei Wkg-lx9 11.0.1.154 (C185e4r3p1) Software Release Notes

Uploaded by

Copyright:

Available Formats

Product name Confidentiality level

XXX Software Release Notes Vx.y

Prepared by WKG Team Date 2022-1-26

Huawei Technologies Co., Ltd.

All rights reserved

Build number 11.0.1.154(C185E4R3P1)

Previous released number 11.0.1.140(C185E4R3P1)

3 Improvement from the Previous Version

4 Known Limitations and Issue

5 Software Vulnerabilities Fixes

2022#2 Third-party Security Patch：

2022#2 Huawei Security patch:

2022#1 Third-party Security Patch：

2022#1 Huawei Security patch:

You might also like