Android Security Bulletin Analysis (January 2022)


2022-01-01 security patch level vulnerability details

Framework

CVE-2021-39630

  • Fixes a vulnerability in OverlayManagerService: overlays from the shell uid are blocked, and all overlays whose creator is the shell uid are removed at boot. Needs further study.
  • Affected versions: 12
  • Credit: none

CVE-2021-39632

  • Out-of-bounds write in AOSP Recovery; may not affect some OEM devices
-    pevent->name[pevent->len] = '\0';
-    if (strncmp(pevent->name, "event", 5)) {
+    std::string event_name(pevent->name, pevent->len);
+    if (!android::base::StartsWith(event_name, "event")) {
       continue;
     }
 
-    android::base::unique_fd dfd(openat(dirfd(dir.get()), pevent->name, O_RDONLY));
+    android::base::unique_fd dfd(openat(dirfd(dir.get()), event_name.c_str(), O_RDONLY));
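Review bot: the removed `pevent->name[pevent->len] = '\0';` is the out-of-bounds write this entry is about, since it stores a terminator at index `len` regardless of the size of `name`; building `event_name` from exactly `len` bytes and passing `event_name.c_str()` to `openat` removes that store entirely, and `StartsWith(event_name, "event")` is equivalent to the old `strncmp(pevent->name, "event", 5)` prefix test. One point to confirm in review: nothing later in this function may keep using `pevent->name` as a C string, because it is no longer guaranteed to be NUL-terminated.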
  • Affected versions: 11, 12
  • Credit: Sam Schumacher of Google

CVE-2020-0338

  • Logic issue in AccountManagerService: checkKeyIntent did not check whether the ClipData had any content, so URIs in the ClipData were later granted permissions; presumably there is a later opportunity to edit this Intent.
protected boolean checkKeyIntent(int authUid, Intent intent) {
+            // Explicitly set an empty ClipData to ensure that we don't offer to
+            // promote any Uris contained inside for granting purposes
+            if (intent.getClipData() == null) {
+                intent.setClipData(ClipData.newPlainText(null, null));
+            }
             intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
                     | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                     | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
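Review bot: the new guard only acts when `intent.getClipData() == null`, so a caller-supplied non-empty ClipData is left in place and still depends on the flag-clearing statement below it; the comment's rationale (an explicitly empty ClipData stops URIs "contained inside" being promoted for granting later) is the whole justification, and the hunk does not show where that promotion happens, so a reference to the code path or bug id that performs the promotion would make this reviewable from the diff. The hunk is also cut off mid-statement, so the rest of the flag-clearing expression is not visible here.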
  • Affected versions: 9, 10
  • Credit: Dzmitry Lukyanenka

Media Framework

CVE-2021-39623

  • Out-of-bounds write in SimpleDecodingSource
                 if (mIsVorbis) {
                     int32_t numPageSamples;
                     if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
                         numPageSamples = -1;
                     }
-                    memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+                    if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+                        memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+                        cpLen += sizeof(numPageSamples);
+                    } else {
+                        ALOGW("Didn't have enough space to copy kKeyValidSamples");
+                    }
                 }
 
                 res = mCodec->queueInputBuffer(
-                        in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+                        in_ix, 0 /* offset */, cpLen,
                         timestampUs, 0 /* flags */);
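Review bot: the `cpLen + sizeof(numPageSamples) <= in_buffer->capacity()` check correctly prevents the 4-byte `memcpy` from running past the buffer, and queuing `cpLen` instead of `in_buf->range_length() + (mIsVorbis ? 4 : 0)` keeps the queued length consistent with what was actually copied. The else branch, however, only logs `ALOGW` and then queues a Vorbis buffer without its `numPageSamples` trailer, which the decoder will presumably interpret as missing or malformed input; consider treating the insufficient-capacity case as an error for this buffer rather than silently queuing a truncated one.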
  • Affected versions: 9, 10, 11, 12
  • Credit: Huinian Yang (@vmth6) and Qingyu Li (QQQ) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd.

System

CVE-2021-39618

  • As of publication, the patch details for this vulnerability have not been disclosed. CVE description: In multiple methods of EuiccNotificationManager.java, there is a possible way to install existing packages without user consent due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-9. Android ID: A-196855999
  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-39620

  • Removed a redundant object-release operation from Parcel error handling
             // We should never receive other types (eg BINDER_TYPE_FDA) as long as we don't support
             // them in libbinder. If we do receive them, it probably means a kernel bug; try to
-            // recover gracefully by clearing out the objects, and releasing the objects we do
-            // know about.
+            // recover gracefully by clearing out the objects.
             android_errorWriteLog(0x534e4554, "135930648");
+            android_errorWriteLog(0x534e4554, "203847542");
             ALOGE("%s: unsupported type object (%" PRIu32 ") at offset %" PRIu64 "\n",
                   __func__, type, (uint64_t)offset);
-            releaseObjects();
+
+            // WARNING: callers of ipcSetDataReference need to make sure they
+            // don't rely on mObjectsSize in their release_func.
             mObjectsSize = 0;
             break;
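Review bot: dropping `releaseObjects()` from this error path removes the extra release, but the new WARNING comment pushes an invariant onto every `ipcSetDataReference` caller (their `release_func` must not rely on `mObjectsSize`), and an inline comment in an error branch is easy to miss; that contract belongs on the `ipcSetDataReference` declaration as well. A brief note on why both bug ids (`135930648` and the new `203847542`) are logged here would also help the next reader.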
  • Affected versions: 11, 12
  • Credit: Amit Nama of Google using Realtime Stability Insights (RTSI)

CVE-2021-39621

  • Unsafe PendingIntent usage in VoiceMail's LegacyModeSmsHandler; the FLAG_IMMUTABLE flag is added
  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-39622

  • As of publication, the patch details for this vulnerability have not been disclosed. CVE description: In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12. Android ID: A-192663648
  • Affected versions: 10, 11, 12
  • Credit: Vikram Singh

CVE-2021-39625

  • As of publication, the patch details for this vulnerability have not been disclosed. CVE description: In showCarrierAppInstallationNotification of EuiccNotificationManager.java, there is a possible way to gain an access to MediaProvider content due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-9. Android ID: A-194695347
  • Affected versions: 9, 10, 11, 12
  • Credit: h0rd7

CVE-2021-39626

  • Fixes an issue where a third-party app could change the Bluetooth discoverability state without any permission; now only Settings and SystemUI may make Bluetooth discoverable, and only when entering the connected Bluetooth devices screen. Actual impact still to be tested.
  • Affected versions: 9, 10, 11, 12
  • Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)

CVE-2021-39627

  • Unsafe PendingIntent usage in VoiceMail's LegacyModeSmsHandler; the FLAG_IMMUTABLE flag is added. Same issue as CVE-2021-39621, just another occurrence of the same type.
  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-39629

  • Use-after-free in phTmlNfc_TmlThread of the NFC module
   /* Clean up all the TML resources if any error */
   if (NFCSTATUS_SUCCESS != wInitStatus) {
     /* Clear all handles and memory locations initialized during init */
-    phTmlNfc_CleanUp();
+    phTmlNfc_Shutdown_CleanUp();
   }
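Review bot: replacing `phTmlNfc_CleanUp()` with `phTmlNfc_Shutdown_CleanUp()` on the init-failure path is the entire fix, but the hunk does not show what the shutdown variant does differently, so it cannot be judged from this diff alone whether it actually addresses the use-after-free in phTmlNfc_TmlThread this entry names; a one-line comment at the call site stating what `phTmlNfc_Shutdown_CleanUp()` does to the TML thread before resources are released would make the intent reviewable.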
  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-0643

  • The SubscriptionManager.getAllActiveSubscriptionInfoList API leaked the device ICCID; it is now protected by the READ_PRIVILEGED_PHONE_STATE permission.
  • Affected versions: 10, 11, 12
  • Credit: Aman Pandey of bugsmirror

CVE-2021-39628

  • Information leak in StatusBar. I did not fully understand this one and will look into it when I get a chance. Official description:
Allow forcing status bar state changes and do so during a cancelled screen off.

During screen off, we show the AOD UI without fully switching to the KEYGUARD state. When screen off is cancelled, we ask all components to reset to the SHADE state, which should also reset the UI components we changed to show AOD. However, since the StatusBarState was already SHADE, this is ignored.

This adds a force flag, which we use when cancelling screen off to make sure that all UI components are reset to the SHADE state regardless.
  • Affected versions: 10, 11
  • Credit: Atharav R. Hedage and Om Suryakant Koli

CVE-2021-39659

  • Integer overflow in CreateConnectionProcessor when sorting duplicate phone accounts, leading to denial of access to emergency services
             // then by hashcode
-            return account1.hashCode() - account2.hashCode();
+            return Integer.compare(account1.hashCode(), account2.hashCode());
         });
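Review bot: `account1.hashCode() - account2.hashCode()` wraps whenever the two hash codes have opposite signs and large magnitude, so the comparator can return the wrong sign and violate the Comparator contract that `java.util` sorts enforce; `Integer.compare` never overflows, so the change is correct. Since this is only the "then by hashcode" tie-breaker, two distinct accounts with equal hash codes still compare as 0, so the relative order of such duplicates remains unspecified; if the sort result needs to be deterministic, a further tie-breaker is needed.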
  • Affected versions: 10, 11, 12
  • Credit: none
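An added example (not AOSP code) of the defect behind this entry: the subtraction-style tie-breaker from the pre-fix hunk placed beside the Integer.compare form, with a Comparator-contract check run over constructed hash codes near both ends of the int range. `obeysContract` and the sample values are assumptions made for this illustration.

```java
import java.util.Comparator;
import java.util.List;

// Added example, not AOSP code: why "a.hashCode() - b.hashCode()" is not a safe comparator.
public class ComparatorOverflowDemo {
    // Shape of the pre-fix CreateConnectionProcessor tie-breaker: plain int subtraction.
    static final Comparator<Integer> BUGGY = (a, b) -> a - b;
    // Shape of the post-fix tie-breaker: Integer.compare cannot overflow.
    static final Comparator<Integer> FIXED = Integer::compare;

    // Hypothetical helper: checks the two contract rules that overflow breaks,
    // antisymmetry (sgn(c(a,b)) == -sgn(c(b,a))) and transitivity (a<b, b<d implies a<d).
    static boolean obeysContract(Comparator<Integer> c, List<Integer> xs) {
        for (int a : xs) {
            for (int b : xs) {
                if (Integer.signum(c.compare(a, b)) != -Integer.signum(c.compare(b, a))) {
                    return false;
                }
                for (int d : xs) {
                    if (c.compare(a, b) < 0 && c.compare(b, d) < 0 && c.compare(a, d) >= 0) {
                        return false;
                    }
                }
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed hash codes: hashCode() may be any int, so values near both ends are legal.
        int neg = Integer.MIN_VALUE + 5;   // -2147483643
        int pos = Integer.MAX_VALUE - 5;   //  2147483642
        List<Integer> hashes = List.of(neg, 0, pos);

        // neg - pos is mathematically -4294967285, which wraps to +11 in 32-bit arithmetic,
        // so BUGGY claims neg > pos while also claiming neg < 0 and 0 < pos.
        System.out.println("BUGGY.compare(neg, pos) = " + BUGGY.compare(neg, pos));
        System.out.println("FIXED.compare(neg, pos) = " + FIXED.compare(neg, pos));
        System.out.println("buggy obeys contract: " + obeysContract(BUGGY, hashes));
        System.out.println("fixed obeys contract: " + obeysContract(FIXED, hashes));
    }
}
```

A comparator that fails this check is exactly what makes java.util sorting either order the list inconsistently or reject the comparator outright, which is the denial-of-service path this entry describes.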

2022-01-05 security patch level vulnerability details