Android Security Bulletin Analysis (February 2022)


2022-02-01 security patch level vulnerability details

Framework

CVE-2021-39619

  • If the user has a profile owner, do not delete the app's usage statistics when the app is uninstalled
  • Affected versions: 11, 12
  • Credit: none

CVE-2021-39663

  • In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, there is a possible bypass of a permissions check due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-200682135
  • At the time of writing, the code changes for this vulnerability have not yet been made public
  • Affected versions: 10
  • Credit: Dzmitry Lukyanenka

CVE-2021-39676

  • In writeThrowable of AndroidFuture.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-197228210
  • At the time of writing, the code changes for this vulnerability have not yet been made public
  • Affected versions: 11
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team

CVE-2021-39664

  • Out-of-bounds read in androidfw
  std::unordered_set<uint32_t> finalized_ids;
  const auto lib_alias = child_chunk.header<ResTable_staged_alias_header>();
  if (!lib_alias) {
+   LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small.";
+   return {};
+ }
+ if ((child_chunk.data_size() / sizeof(ResTable_staged_alias_entry))
+     < dtohl(lib_alias->count)) {
+   LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small to hold entries.";
    return {};
  }
  const auto entry_begin = child_chunk.data_ptr().convert<ResTable_staged_alias_entry>();
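Review bot: the entry-count check compares `child_chunk.data_size() / sizeof(ResTable_staged_alias_entry)` against `dtohl(lib_alias->count)` instead of multiplying `count` by the entry size, which is the right way round, since `count` comes straight from the resource table and a multiplication could wrap; keep it in that form. Two minor points: the two new error messages ("is too small." and "is too small to hold entries.") are close enough to be confused in logs, so consider naming the header and the entries distinctly, and `finalized_ids` is declared at the top of the hunk but not used in the visible lines, so make sure it is consumed after `entry_begin`.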
  • Affected versions: 12
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team

Media Framework

CVE-2020-13112

  • An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.
  • At the time of writing, the code changes for this vulnerability have not yet been made public
  • Affected versions: 10, 11
  • Credit: Kris Alder of Google

CVE-2020-13113

  • An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions.
  • At the time of writing, the code changes for this vulnerability have not yet been made public
  • Affected versions: 10, 11
  • Credit: Kris Alder of Google

CVE-2021-39665

  • Out-of-bounds read in libstagefright
void AAVCAssembler::checkSpsUpdated(const sp<ABuffer> &buffer) {
+   if (buffer->size() == 0) {
+       android_errorWriteLog(0x534e4554, "204077881");
+       return;
+   }
    const uint8_t *data = buffer->data();
    unsigned nalType = data[0] & 0x1f;
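Review bot: the `buffer->size() == 0` check closes the one-byte over-read at `data[0]`, but it only guarantees a single byte; if the rest of `checkSpsUpdated` (not visible here) reads further into the NAL payload, those reads need their own comparison against `buffer->size()`, otherwise a 1-byte buffer is still over-read. The `android_errorWriteLog(0x534e4554, "204077881")` call tags the event with the bug id, consistent with the other fixes in this bulletin.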
  • Affected versions: 12
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team

CVE-2021-39666

  • Out-of-bounds read in libmediametrics
  template <> // static
   status_t extract(std::string *val, const char **bufferpptr, const char *bufferptrmax) {
       const char *ptr = *bufferpptr;
-      while (*ptr != 0) {
+      do {
           if (ptr >= bufferptrmax) {
               ALOGE("%s: buffer exceeded", __func__);
               return BAD_VALUE;
           }
-          ++ptr;
-      }
-      const size_t size = (ptr - *bufferpptr) + 1;
+      } while (*ptr++ != 0);
+      // ptr is terminator+1, == bufferptrmax if we finished entire buffer
       *val = *bufferpptr;
-      *bufferpptr += size;
+      *bufferpptr = ptr;
       return NO_ERROR;
   }
   template <> // static
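Review bot: the pre-patch loop evaluated `*ptr != 0` before the body's `ptr >= bufferptrmax` test, so the byte at `bufferptrmax` was read once before the bound fired, and if that byte happened to be zero the string was accepted with its terminator outside the buffer and `*bufferpptr += size` advanced the cursor past the end. The `do { check } while (*ptr++ != 0)` form puts the bound check ahead of every dereference, which is the right fix. `*val = *bufferpptr` constructs the std::string from a `const char*` and therefore relies on the terminator the loop just found; the added comment "ptr is terminator+1" documents exactly that.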
  • Affected versions: 11, 12
  • Credit: Hongli Han(@hexb1n) and Guang Gong(@oldfresher) of Vulnerability Research Institute
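The libmediametrics fix above comes down to the order of "read the byte" and "check the bound". As an added illustration (this is not AOSP code; `extract_string_checked`, `extract_string_prepatch`, `count_strings` and the sample buffers are constructed for this page), here is the same loop in plain C with both orderings, the pre-patch one instrumented so its over-read is counted rather than triggering undefined behaviour:

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes, standing in for the framework's NO_ERROR / BAD_VALUE. */
enum { NO_ERROR = 0, BAD_VALUE = -1 };

/*
 * Post-patch shape: every dereference of ptr is preceded by a bound check,
 * exactly as the do/while in the fix arranges it. *bufferpptr points at the
 * start of the string, bufferptrmax is one past the last valid byte. On
 * success *out/*out_len describe the string (without its terminator) and
 * *bufferpptr is advanced to the byte after the terminator.
 */
static int extract_string_checked(const char **bufferpptr, const char *bufferptrmax,
                                  const char **out, size_t *out_len) {
    const char *ptr = *bufferpptr;
    do {
        if (ptr >= bufferptrmax) {
            return BAD_VALUE;          /* no terminator inside the buffer */
        }
    } while (*ptr++ != 0);
    /* ptr is now terminator+1, equal to bufferptrmax if the string ended the buffer */
    *out = *bufferpptr;
    *out_len = (size_t)(ptr - *bufferpptr) - 1;
    *bufferpptr = ptr;
    return NO_ERROR;
}

/*
 * Pre-patch shape, instrumented: the loop condition reads *ptr first and the
 * body checks the bound only afterwards, so the byte at bufferptrmax is read
 * before BAD_VALUE can be returned. oob_reads counts such reads. Callers pass
 * a buffer whose backing storage extends past bufferptrmax so the over-read
 * is observable here instead of being undefined behaviour.
 */
static int extract_string_prepatch(const char **bufferpptr, const char *bufferptrmax,
                                   int *oob_reads) {
    const char *ptr = *bufferpptr;
    *oob_reads = 0;
    for (;;) {
        if (ptr >= bufferptrmax) {
            (*oob_reads)++;            /* instrumentation only: this read is out of bounds */
        }
        if (*ptr == 0) {               /* original: while (*ptr != 0) reads first ... */
            break;
        }
        if (ptr >= bufferptrmax) {     /* ... and checks the bound only afterwards */
            return BAD_VALUE;
        }
        ++ptr;
    }
    *bufferpptr = ptr + 1;             /* original: size = (ptr - start) + 1 */
    return NO_ERROR;
}

/* Walk back-to-back NUL-terminated strings; returns their count, or -1 on a malformed buffer. */
static int count_strings(const char *buf, size_t len) {
    const char *p = buf;
    const char *max = buf + len;
    int n = 0;
    while (p < max) {
        const char *s;
        size_t slen;
        if (extract_string_checked(&p, max, &s, &slen) != NO_ERROR) {
            return -1;
        }
        n++;
    }
    return n;
}

/* Constructed input: four declared bytes, no terminator, extra backing storage
 * after the declared end. The pre-patch loop reads backing[4] before its bound
 * check fires; returns the number of out-of-bounds reads. */
static int prepatch_oob_reads_demo(void) {
    static const char backing[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
    const char *p = backing;
    int oob = 0;
    (void)extract_string_prepatch(&p, backing + 4, &oob);
    return oob;
}

/* Constructed input: the terminator sits exactly at bufferptrmax. The pre-patch
 * loop accepts the string and moves the cursor past the buffer; returns how
 * many bytes beyond bufferptrmax the cursor landed. */
static int prepatch_cursor_overrun_demo(void) {
    static const char backing[8] = {'a', 'b', 'c', 'd', '\0', 'x', 'y', 'z'};
    const char *p = backing;
    int oob = 0;
    (void)extract_string_prepatch(&p, backing + 4, &oob);
    return (int)(p - (backing + 4));
}

int main(void) {
    printf("well-formed buffer: %d strings\n", count_strings("ab\0cd\0", 6));
    printf("unterminated buffer: %d (-1 = rejected)\n", count_strings("abcd", 4));
    printf("pre-patch out-of-bounds reads: %d\n", prepatch_oob_reads_demo());
    printf("pre-patch cursor overrun: %d byte(s)\n", prepatch_cursor_overrun_demo());
    return 0;
}
```

The two demo functions show the two failure modes of the old ordering: a non-zero byte at the bound is read once before the error path, and a zero byte at the bound is accepted as a terminator so the caller's cursor ends up outside the buffer. The checked variant rejects the same four-byte input without touching the byte at the bound.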

System

CVE-2021-39675

  • NFA_SendRawFrame in the NFC module lacks an upper bound on the length, which can lead to an out-of-bounds write
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 #include "gki_int.h"
 
 #if (GKI_NUM_TOTAL_BUF_POOLS > 16)
@@ -258,8 +259,9 @@
   FREE_QUEUE_T* Q;
 
 #if defined(DYN_ALLOC) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
-  if (size == 0) {
-    LOG(ERROR) << StringPrintf("getbuf: Size is zero");
+  if (size == 0 || size > (USHRT_MAX - 3)) {
+    LOG(ERROR) << StringPrintf("getbuf: Requested size(%d) is invalid", size);
+    android_errorWriteLog(0x534e4554, "205729183");
 #ifndef DYN_ALLOC
     abort();
 #else
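Review bot: the new upper bound `size > (USHRT_MAX - 3)` sits inside `#if defined(DYN_ALLOC) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)`, so it is compiled only into dynamic-allocation and fuzzing builds; confirm that the static-pool path below (where `Q` is chosen) rejects an oversize request on its own, otherwise production builds without DYN_ALLOC are not covered by this hunk. Also, the message uses `%d` for `size`; if `size` is an unsigned type, as the comparison against `USHRT_MAX` suggests, `%u` is the accurate specifier.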
  • Affected versions: 12
  • Credit: none

CVE-2021-39668

  • A new class of PendingIntent vulnerability in SystemUI, to be investigated
  • Affected versions: 11, 12
  • Credit: none

CVE-2021-39669

  • Add the SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS flag to the CA certificate installation warning screen InstallCaCertificateWarning to prevent overlay-based tapjacking
  • Affected versions: 11, 12
  • Credit: Tianyi Hu (胡天易) of Bytedance Wuheng Lab

CVE-2021-39671

  • When compiling AIDL files, give char-typed fields a default value of \0. This fix appears to have been submitted once before, but for some reason it was reverted in Android 12; this time the revert itself has been reverted (no more nesting, please).
Revert "Revert "Add automatic default value for char-type field""

This reverts commit ac1cb3eb26525c868fd7dfeba90b6ee85161c9d8.

Original commit message:

Add automatic default value for char-type field

char type fields are auto-initialized with '\0' when not specified.

Ignore-AOSP-First: security fix
Bug: 206718630
Test: aidl_unittests

Reason for re-submit:
Conflicts resolved in the downstream branches.
  • Affected versions: 12
  • Credit: Jooyung Han of Google

CVE-2021-39674

  • Use-after-free in btm_sec_connected and btm_sec_disconnected
  • Affected versions: 10, 11, 12
  • Credit: Nguyễn Hoàng Thạch (d4rkn3ss) of STAR Labs

CVE-2021-0706

  • In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11. Android ID: A-193444889
  • At the time of writing, the code changes for this vulnerability have not yet been made public
  • Affected versions: 10, 11
  • Credit: Ryan Johnson and Mohamed Elsabagh of Kryptowire

2022-02-05 security patch level vulnerability details

System

CVE-2021-39631

  • Even a translation problem can turn into a vulnerability, impressive
-    <string name="clear_data_dlg_text" msgid="7870723948123690332">"系统会永久删除此应用的所有数据。删除的内容包括所有文件、设置、帐号、数据库等。"</string>
+    <string name="clear_data_dlg_text" msgid="1107610960337399006">"系统将永久删除此应用的数据,其中包括文件、设置、数据库和其他应用数据。"</string>
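Review bot: the replacement changes the `msgid` as well as the text, which means the English source string changed and this is a regenerated translation rather than a hand edit of the zh-CN line. The visible difference is that the old text promised that all data including 帐号 (accounts) would be deleted, while the new text lists files, settings, databases and other app data only. Check that the other locales for the same `msgid` were regenerated in the same change, so zh-CN is not the only screen that was corrected.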
  • Affected versions: 10, 11, 12
  • 致谢信息:Pustam Raut (पुस्तम राउत) from Sarlahi & IISc/RIT/NMC