2022-01-01 security patch level vulnerability details
Framework
CVE-2021-39630
- 修复OverlayManagerService中的漏洞,屏蔽掉shell uid的overlays,并且在开机时清理掉所有创建者是shell uid的overlays,有待进一步研究。
- 影响版本:12
- 致谢信息:无
CVE-2021-39632
- AOSP Recovery中的越界写入,可能不影响部分OEM的机型
- pevent->name[pevent->len] = '\0';
- if (strncmp(pevent->name, "event", 5)) {
+ std::string event_name(pevent->name, pevent->len);
+ if (!android::base::StartsWith(event_name, "event")) {
continue;
}
- android::base::unique_fd dfd(openat(dirfd(dir.get()), pevent->name, O_RDONLY));
+ android::base::unique_fd dfd(openat(dirfd(dir.get()), event_name.c_str(), O_RDONLY));
- 影响版本:11, 12
- 致谢信息:Sam Schumacher of Google
CVE-2020-0338
- AccountManagerService中存在逻辑问题,checkKeyIntent中没有判断ClipData中是否存在内容,导致后续会对ClipData中的URI授予权限,应该是后续有机会来编辑这个Intent
protected boolean checkKeyIntent(int authUid, Intent intent) {
+ // Explicitly set an empty ClipData to ensure that we don't offer to
+ // promote any Uris contained inside for granting purposes
+ if (intent.getClipData() == null) {
+ intent.setClipData(ClipData.newPlainText(null, null));
+ }
intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
| Intent.FLAG_GRANT_WRITE_URI_PERMISSION
| Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
- 影响版本:9, 10
- 致谢信息:Dzmitry Lukyanenka
CVE-2021-39623
- SimpleDecodingSource中的越界写入
if (mIsVorbis) {
int32_t numPageSamples;
if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
numPageSamples = -1;
}
- memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+ memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ cpLen += sizeof(numPageSamples);
+ } else {
+ ALOGW("Didn't have enough space to copy kKeyValidSamples");
+ }
}
res = mCodec->queueInputBuffer(
- in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+ in_ix, 0 /* offset */, cpLen,
timestampUs, 0 /* flags */);
- 影响版本:9, 10, 11, 12
- 致谢信息:Huinian Yang (@vmth6) and Qingyu Li (QQQ) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd.
System
CVE-2021-39618
- 截至发稿前,该漏洞补丁细节尚未披露。 CVE漏洞描述:In multiple methods of EuiccNotificationManager.java, there is a possible way to install existing packages without user consent due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-196855999
- 影响版本:9, 10, 11, 12
- 致谢信息:无
CVE-2021-39620
// We should never receive other types (eg BINDER_TYPE_FDA) as long as we don't support
// them in libbinder. If we do receive them, it probably means a kernel bug; try to
- // recover gracefully by clearing out the objects, and releasing the objects we do
- // know about.
+ // recover gracefully by clearing out the objects.
android_errorWriteLog(0x534e4554, "135930648");
+ android_errorWriteLog(0x534e4554, "203847542");
ALOGE("%s: unsupported type object (%" PRIu32 ") at offset %" PRIu64 "\n",
__func__, type, (uint64_t)offset);
- releaseObjects();
+
+ // WARNING: callers of ipcSetDataReference need to make sure they
+ // don't rely on mObjectsSize in their release_func.
mObjectsSize = 0;
break;
- 影响版本:11, 12
- 致谢信息:Amit Nama of Google using Realtime Stability Insights (RTSI)
CVE-2021-39621
- VoiceMail的LegacyModeSmsHandler中不安全的PendingIntent使用,增加FLAG_IMMUTABLE标志
- 影响版本:9, 10, 11, 12
- 致谢信息:无
CVE-2021-39622
- 截至发稿前,该漏洞补丁细节尚未披露。 CVE漏洞描述:In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-192663648
- 影响版本:10, 11, 12
- 致谢信息:Vikram Singh
CVE-2021-39625
- 截至发稿前,该漏洞补丁细节尚未披露。 CVE漏洞描述:In showCarrierAppInstallationNotification of EuiccNotificationManager.java, there is a possible way to gain an access to MediaProvider content due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-194695347
- 影响版本:9, 10, 11, 12
- 致谢信息:h0rd7
CVE-2021-39626
- 修复第三方应用可无权限更改蓝牙可见性状态的问题,只允许Settings和SystemUI在进入到已连接的蓝牙设备界面时将蓝牙设置为可见,待后续实际测试影响
- 影响版本:9, 10, 11, 12
- 致谢信息:Yu-Cheng Lin (林禹成) (@AndroBugs)
CVE-2021-39627
- VoiceMail的LegacyModeSmsHandler中不安全的PendingIntent使用,增加FLAG_IMMUTABLE标志,与CVE-2021-39621相同只不过是同一个类型中的另一处
- 影响版本:9, 10, 11, 12
- 致谢信息:无
CVE-2021-39629
- NFC模块中phTmlNfc_TmlThread的UAF漏洞
/* Clean up all the TML resources if any error */
if (NFCSTATUS_SUCCESS != wInitStatus) {
/* Clear all handles and memory locations initialized during init */
- phTmlNfc_CleanUp();
+ phTmlNfc_Shutdown_CleanUp();
}
CVE-2021-0643
SubscriptionManager.getAllActiveSubscriptionInfoList接口会泄漏设备ICCID信息,改为使用READ_PRIVILEGED_PHONE_STATE权限保护- 影响版本:10, 11, 12
- 致谢信息:Aman Pandey of bugsmirror
CVE-2021-39628
- StatusBar里面的信息泄漏。没看明白,有机会研究下,官方说明:
Allow forcing status bar state changes and do so during a cancelled screen off.
During screen off, we show the AOD UI without fully switching to the KEYGUARD state. When screen off is cancelled, we ask all components to reset to the SHADE state, which should also reset the UI components we changed to show AOD. However, since the StatusBarState was already SHADE, this is ignored.
This adds a force flag, which we use when cancelling screen off to make sure that all UI components are reset to the SHADE state regardless.
- 影响版本:10, 11
- 致谢信息:Atharav R. Hedage and Om Suryakant Koli
CVE-2021-39659
- CreateConnectionProcessor在对重复的电话账户进行排序时存在整形溢出,会导致对紧急服务的拒绝访问
// then by hashcode
- return account1.hashCode() - account2.hashCode();
+ return Integer.compare(account1.hashCode(), account2.hashCode());
});
2022-01-05 security patch level vulnerability details