Android Security Bulletin Analysis (April 2022)


2022-04-01 security patch level vulnerability details

Framework

CVE-2021-0694

  • Foreground services started from the background are no longer allowed to obtain "while-in-use" permissions, including the location, camera and microphone permissions.
  • Updated AOSP versions: 11
  • Acknowledgements: Makoto Onuki of Google

CVE-2021-39794

  • The following three broadcasts in ADBManager are now restricted to the MANAGE_DEBUGGING signature permission:
com.android.server.adb.WIRELESS_DEBUG_STATUS
com.android.server.adb.WIRELESS_DEBUG_PAIRED_DEVICES
com.android.server.adb.WIRELESS_DEBUG_PAIRING_RESULT
  • Updated AOSP versions: 11, 12, 12L
  • Acknowledgements: hluwa

CVE-2021-39795

  • Apps that have not adopted scoped storage are no longer allowed to use MediaProvider to write files into other apps' external private directories, i.e. /sdcard/Android/data/<package_name>.
  • Updated AOSP versions: 11, 12, 12L
  • Acknowledgements: Bo Zhang (张波) of Bytedance Wuheng Lab

CVE-2021-39796

  • SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS is added to the harmful-app warning screen HarmfulAppWarningActivity to prevent floating-window clickjacking and overlay attacks.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Acknowledgements: Hao Zhou, Xiapu Luo from the Hong Kong Polytechnic University, Haoyu Wang from the Huazhong University of Science and Technology, and Yajin Zhou from the Zhejiang University

CVE-2021-39797

  • LauncherApps no longer allows arbitrary ActivityOptions to be specified when creating a PendingIntent.
  • Updated AOSP versions: 12, 12L
  • Acknowledgements: Michał Bednarski (michalbednarski)

CVE-2021-39798

  • An issue in Bitmap_createFromParcel; worth further study later.
  // In place callback
  [&](std::unique_ptr<int8_t[]> buffer, int32_t size) {
+     if (allocationSize > size) {
+         android_errorWriteLog(0x534e4554, "213169612");
+         return STATUS_BAD_VALUE;
+     }
      nativeBitmap = Bitmap::allocateHeapBitmap(allocationSize, imageInfo, rowBytes);
      if (nativeBitmap) {
-         memcpy(nativeBitmap->pixels(), buffer.get(), size);
+         memcpy(nativeBitmap->pixels(), buffer.get(), allocationSize);
+         return STATUS_OK;
      }
+     return STATUS_NO_MEMORY;
  }
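  Review bot: the new guard only rejects allocationSize > size; the opposite case (a blob larger than the computed allocation) is now handled implicitly by the memcpy switching from size to allocationSize, so the trailing blob bytes are silently ignored rather than overflowing the heap bitmap. That is the right outcome, but it is easy to misread as an unrelated change; a one-line comment next to the memcpy stating that allocationSize <= size is guaranteed by the check above, and that any excess blob data is intentionally dropped, would make the invariant explicit for the next reader.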
  • allocationSize must not be larger than size: size is the number of bytes read during readBlob, while allocationSize comes from Bitmap::computeAllocationSize, which is probably computed from other fields of the Bitmap and is therefore attacker-controlled. A detailed analysis will follow in a separate article.
  • Updated AOSP versions: 12, 12L
  • Acknowledgements: lovepink

CVE-2021-39799

  • AttributionSource must validate the PID in addition to the UID.
  • Updated AOSP versions: 12, 12L
  • Acknowledgements: Michał Bednarski (michalbednarski)

Media Framework

CVE-2021-39803

  • C2AllocatorIon now protects mMappings with a mutex.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Acknowledgements: none

CVE-2021-39804

  • When parsing METADATA_KEY_VIDEO_FRAME_COUNT from a HEIF file, check whether the value is NULL; this could only lead to DoS.
- mSequenceLength = atoi(mRetriever->extractMetadata(METADATA_KEY_VIDEO_FRAME_COUNT));
+ const char* frameCount = mRetriever->extractMetadata(METADATA_KEY_VIDEO_FRAME_COUNT);
+ if (frameCount == nullptr) {
+     android_errorWriteWithInfoLog(0x534e4554, "215002587", -1, NULL, 0);
+     ALOGD("No valid sequence information in metadata");
+     return false;
+ }
+ mSequenceLength = atoi(frameCount);
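  Review bot: the nullptr check removes the crash, but atoi(frameCount) still returns 0 for a non-numeric string and has undefined behaviour on out-of-range input, so a malformed (but non-null) frame count slips through with mSequenceLength == 0. Consider parsing with strtol and an end pointer (rejecting when *end != '\0', or the value is <= 0, or errno == ERANGE) and returning false on that path as well, so that the later code never sees a zero or negative sequence length.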
  • Updated AOSP versions: 11, 12, 12L
  • Acknowledgements: Dawuge of Pangu Team

System

CVE-2021-39808

  • An app could set its notification channel to Blocked to suppress the foreground-service notification, starting a foreground service without the user noticing.
  • Updated AOSP versions: 10, 11, 12
  • Acknowledgements: Aman Pandey of bugsmirror

CVE-2021-39805

  • Out-of-bounds read in Bluetooth L2CAP, reading past the end of the packet.
  uint16_t result;
+ if (p + sizeof(uint16_t) > p_pkt_end) {
+   android_errorWriteLog(0x534e4554, "212694559");
+   LOG(ERROR) << "invalid read";
+   return;
+ }
  STREAM_TO_UINT16(result, p);
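  Review bot: the bounds check is correctly placed immediately before the read, but it is written as pointer arithmetic, `p + sizeof(uint16_t) > p_pkt_end`; if p can already be at or beyond p_pkt_end when this code is reached, forming that pointer is undefined behaviour even though the comparison then "works". A length-based form such as `p_pkt_end - p < (ptrdiff_t)sizeof(uint16_t)` avoids that and reads as "fewer than two bytes remain". Since the function returns void and simply drops the packet, it would also help to log which PDU was rejected so that fuzzer or field reports can be correlated with the android_errorWriteLog entry.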
  • Updated AOSP versions: 12, 12L
  • Acknowledgements: Lei Ai (艾磊) and Xianfeng Lu (卢先锋) of OPPO Amber Security Lab

CVE-2021-39809

  • Out-of-bounds read in Bluetooth AVRC.
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+   android_errorWriteLog(0x534e4554, "205837191");
+   return AVRC_STS_INTERNAL_ERR;
+ }
  • Updated AOSP versions: 10, 11, 12, 12L
  • Acknowledgements: Zinuo Han (weibo.com/ele7enxxh) of Alibaba Cloud Security Team

2022-04-05 security patch level vulnerability details

System

CVE-2021-39807

  • Guest users are no longer allowed to disable NFC.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Acknowledgements: Lei Ai (艾磊) and Xianfeng Lu (卢先锋) of OPPO Amber Security Lab