Android Security Bulletin Analysis (July 2022)


2022-07-01 security patch level vulnerability details

Framework

CVE-2022-20219

  • When StorageManagerService hits an exception while encrypting a user's files, it must rethrow the exception to the caller to signal that encryption failed, instead of swallowing it and leaving some files unencrypted.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Eric Biggers of Google

CVE-2022-20228

  • Race condition in C2DmaBufAllocator memory mapping
  • Updated AOSP versions: 12, 12L
  • Credit: none

System

CVE-2022-20222

  • Out-of-bounds write in gatt_db in the Bluetooth process
     uint16_t char_ext_prop =
         attr16.p_value ? attr16.p_value->char_ext_prop : 0x0000;
     *p_len = 2;
++    if (mtu < *p_len) {+      android_errorWriteWithInfoLog(0x534e4554, "228078096", -1, NULL, 0);+      return GATT_NO_RESOURCES;+    }+
     UINT16_TO_STREAM(p, char_ext_prop);
     *p_data = p;
     return GATT_SUCCESS;
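Review bot: on the new early-return path `*p_len` has already been set to 2 while nothing was written to `p` and `*p_data` is left untouched, so a caller that reads `*p_len` without checking for GATT_NO_RESOURCES will treat two uninitialised bytes as valid output; set `*p_len = 0` before `return GATT_NO_RESOURCES;`, or move the `mtu < 2` comparison ahead of the assignment. The guard is right for this branch, but every other branch of the same function that streams a value into `p` needs the same `mtu` check against its own `*p_len`; only this branch is visible here.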
  • Updated AOSP versions: 12, 12L
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab

CVE-2022-20229

  • Out-of-bounds write in the HFP Client of the Bluetooth process
   APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
 
+  if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {+    return;+  }+
   /* look for a matching indicator on list of supported ones */
   for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
     if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
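Review bot: the `index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT` guard is placed correctly (before the indicator array is indexed, and `>=` is the right comparison for the unsigned `index` that the `%lu` in the trace above implies), but it returns silently; the other fixes in this bulletin emit `android_errorWriteLog(0x534e4554, ...)` on the rejected path so that malformed +CIND input from the peer is observable, and this one should do the same, or at least an APPL_TRACE_WARNING naming the out-of-range index.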
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab

CVE-2021-0981

  • For a notification that fixNotification cannot repair: if it is a foreground-service notification, the request must be rejected so that the corresponding foreground service is killed rather than left running with an invalid notification (the fix throws a SecurityException instead of just logging and returning). Android 12 does not have this problem.
         // Fix the notification as best we can.
         try {
             fixNotification(notification, pkg, tag, id, userId);
-
         } catch (Exception e) {
+            if (notification.isForegroundService()) {+                throw new SecurityException("Invalid FGS notification", e);+            }
             Slog.e(TAG, "Cannot fix notification", e);
             return;
         }
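Review bot: the new `throw new SecurityException("Invalid FGS notification", e)` sits inside `catch (Exception e)`, so any RuntimeException out of `fixNotification`, not only the validation failures the fix targets, now reaches the caller as a SecurityException for foreground-service notifications; if the intent is to fail only on invalid notifications, narrow the catch or rethrow with the original type. The FGS branch also bypasses the `Slog.e(TAG, "Cannot fix notification", e)` line below it, so the failure is recorded only if the caller logs the exception. The `-` line that removes a blank line is cosmetic and could be dropped from the patch.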
  • Updated AOSP versions: 10, 11
  • Credit: none

CVE-2022-20223

  • AppRestrictionsFragment checked whether the package of the incoming Intent belonged to the same app, but the check was flawed: when a component name is set on the Intent, the package field is ignored during resolution, so the check proved nothing. The fix deletes this redundant check.
         private void assertSafeToStartCustomActivity(Intent intent) {
-            // Activity can be started if it belongs to the same app-            if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {-                return;-            }+            EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "");
             ResolveInfo resolveInfo = mPackageManager.resolveActivity(
                     intent, PackageManager.MATCH_DEFAULT_ONLY);
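Review bot: `EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "")` takes the place of the removed shortcut and therefore fires on every call to `assertSafeToStartCustomActivity`, including the legitimate same-package case that `resolveActivity` will accept; a SafetyNet event should mark only the rejected path, so move it to the branch that throws after the `ResolveInfo` comparison and pass `Binder.getCallingUid()` instead of `-1`. Deleting the `intent.getPackage()` shortcut is the right fix: `getPackage()` is ignored during resolution whenever a component name is set, so it never established that the target belonged to `packageName`.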
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Tianyi Hu (胡天易) of Bytedance Wuheng Lab

CVE-2022-20226

  • Pending analysis
  • Updated AOSP versions: 12, 12L
  • Credit: Rob Carr of Google

CVE-2022-20221

  • Out-of-bounds read in the Bluetooth process when parsing AVRCP messages
   tAVRC_STS status = AVRC_STS_NO_ERROR;
 
+  if (p_msg->vendor_len < 4) {  // 4 == pdu + reserved byte + len as uint16+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",+                       __func__, p_msg->vendor_len);+    android_errorWriteLog(0x534e4554, "205571133");+    return AVRC_STS_INTERNAL_ERR;+  }
   uint8_t* p = p_msg->p_vendor_data;
   p_result->pdu = *p++;
   AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);
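Review bot: the `p_msg->vendor_len < 4` check covers only the fixed header (pdu, reserved byte, 16-bit length); the 16-bit length read after `p_result->pdu` is still attacker-controlled and must be compared against `p_msg->vendor_len - 4` before any parameter bytes are consumed, which lies outside the lines shown, so confirm the following code does that. The warning prints `vendor_len` with `%d`; fine if it is an integer type no wider than int, otherwise use a matching conversion.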
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab

CVE-2022-20224

  • Out-of-bounds read in the HFP Client of the Bluetooth process
 /* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf)           \-  do {                              \-    while (*(buf) != '\r') (buf)++; \+#define AT_SKIP_REST(buf)                             \+  do {                                                \+    while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
   } while (0)
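Review bot: the added `*(buf) != '\0'` test only helps when the AT response buffer is guaranteed NUL-terminated; the macro still has no explicit length bound, so for any caller that passes a raw, unterminated buffer the scan is as unbounded as before. A caller that does `AT_SKIP_REST(buf); buf++;` to step over the `<cr>` will now step past the terminator whenever the loop stopped on `'\0'` rather than `'\r'`, so callers need to test `*buf == '\r'` before advancing, or the macro should take a length and report whether a `<cr>` was actually found.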
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab
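The three Bluetooth fixes above (CVE-2022-20221, CVE-2022-20222 and CVE-2022-20224) are one pattern: the length of what was actually received, or the MTU that was actually negotiated, has to travel with the pointer and be checked before every read or write. The following is an added example written for this page, not code from the AOSP Bluetooth stack: a parser for the AVRCP vendor-dependent header that also validates the peer-supplied parameter length against the bytes received (the check the CVE-2022-20221 hunk leaves to later code), an MTU-checked 16-bit writer that reports zero bytes written on failure, and a length-bounded replacement for AT_SKIP_REST that tells the caller whether a terminator was found at all. All names (parse_avrc_vendor_hdr, gatt_put_u16, at_skip_rest, struct avrc_vendor_hdr) and the sample messages are constructed for this example.

```c
/* Added example, not code from the AOSP Bluetooth stack: the bounds-checking
 * pattern behind the CVE-2022-20221 / CVE-2022-20222 / CVE-2022-20224 fixes.
 * All names and the sample messages below are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AVRC_HDR_LEN 4  /* pdu + reserved byte + 16-bit parameter length */

enum parse_status { PARSE_OK = 0, PARSE_TOO_SHORT = -1, PARSE_BAD_LEN = -2 };

struct avrc_vendor_hdr {
    uint8_t pdu;
    uint8_t reserved;
    uint16_t param_len;
    const uint8_t *params;  /* points into the caller's buffer, param_len bytes valid */
};

/* AVRCP vendor-dependent header. Two checks, not one: the fixed header must fit
 * in what was received (the CVE-2022-20221 guard), and the length field the
 * peer sent must fit in the bytes that follow it, otherwise a later copy of
 * param_len bytes is the same out-of-bounds read one level down. */
int parse_avrc_vendor_hdr(const uint8_t *data, size_t len, struct avrc_vendor_hdr *out)
{
    if (len < AVRC_HDR_LEN)
        return PARSE_TOO_SHORT;
    out->pdu = data[0];
    out->reserved = data[1];
    out->param_len = (uint16_t)((data[2] << 8) | data[3]);  /* big-endian on the wire */
    if (out->param_len > len - AVRC_HDR_LEN)
        return PARSE_BAD_LEN;  /* the length field itself is attacker-controlled */
    out->params = data + AVRC_HDR_LEN;
    return PARSE_OK;
}

/* Writer side (the CVE-2022-20222 shape): never emit a value that would not
 * fit in the peer-negotiated MTU, and leave *written at 0 on the error path so
 * a caller that ignores the status still sees "nothing written". */
int gatt_put_u16(uint8_t *dst, size_t mtu, uint16_t value, size_t *written)
{
    *written = 0;
    if (mtu < 2)
        return PARSE_BAD_LEN;
    dst[0] = (uint8_t)(value & 0xff);  /* little-endian, as UINT16_TO_STREAM does */
    dst[1] = (uint8_t)(value >> 8);
    *written = 2;
    return PARSE_OK;
}

/* Length-bounded replacement for AT_SKIP_REST (CVE-2022-20224): scan at most
 * len bytes and stop on '\r' or NUL. Returns the index of the terminator, or
 * -1 when neither lies inside the buffer, so the caller can refuse to advance
 * instead of walking past the end. */
long at_skip_rest(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\r' || buf[i] == '\0')
            return (long)i;
    }
    return -1;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t avrc_ok[]    = {0x10, 0x00, 0x00, 0x02, 0xAA, 0xBB};  /* 2 param bytes */
static const uint8_t avrc_short[] = {0x10, 0x00, 0x00};                    /* truncated header */
static const uint8_t avrc_lying[] = {0x10, 0x00, 0x00, 0x10, 0xAA};        /* claims 16 bytes */
static const char at_ok[]    = "+CIND: 1,0,3\r\n";
static const char at_no_cr[] = {'+', 'C', 'I', 'N', 'D', ':', ' ', '1'};   /* no '\r', no NUL */
struct avrc_vendor_hdr scratch;
uint8_t gatt_buf[4];
size_t gatt_written;

int main(void)
{
    printf("avrc_ok:    %d\n", parse_avrc_vendor_hdr(avrc_ok, sizeof avrc_ok, &scratch));
    printf("avrc_short: %d\n", parse_avrc_vendor_hdr(avrc_short, sizeof avrc_short, &scratch));
    printf("avrc_lying: %d\n", parse_avrc_vendor_hdr(avrc_lying, sizeof avrc_lying, &scratch));
    printf("mtu 1:      %d\n", gatt_put_u16(gatt_buf, 1, 0x0003, &gatt_written));
    printf("at_ok:      %ld\n", at_skip_rest(at_ok, sizeof at_ok));
    printf("at_no_cr:   %ld\n", at_skip_rest(at_no_cr, sizeof at_no_cr));
    return 0;
}
```

The point of returning an index (or -1) from at_skip_rest rather than a moved pointer is that the caller can tell "stopped on a real `<cr>`" from "ran out of buffer" before it steps over the terminator, which the NUL-only fix in the hunk above cannot express.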

CVE-2022-20225

  • The getSubscriptionProperty(GROUP_UUID) interface was not protected by the READ_PRIVILEGED_PHONE_STATE permission, leading to information disclosure.
     public String getSubscriptionProperty(int subId, String propKey, String callingPackage,
             String callingFeatureId) {
-        if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId, callingPackage,-                callingFeatureId, "getSubscriptionProperty")) {-            return null;+        switch (propKey) {+            case SubscriptionManager.GROUP_UUID:+                if (mContext.checkCallingOrSelfPermission(+                        Manifest.permission.READ_PRIVILEGED_PHONE_STATE) != PERMISSION_GRANTED) {+                    EventLog.writeEvent(0x534e4554, "213457638", Binder.getCallingUid());+                    return null;+                }+                break;+            default:+                if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId,+                        callingPackage, callingFeatureId, "getSubscriptionProperty")) {+                    return null;+                }
         }
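Review bot: the `case SubscriptionManager.GROUP_UUID:` branch checks only `READ_PRIVILEGED_PHONE_STATE` and no longer goes through `TelephonyPermissions.checkCallingOrSelfReadPhoneState`, which takes `subId` and `callingPackage` and can therefore admit callers on grounds other than the raw permission; those callers now get `null` for GROUP_UUID, and if that is intended the commit message should say so. `switch (propKey)` on a String throws NullPointerException when a Binder caller passes a null `propKey`, whereas the removed code reached the permission check first; add a null check ahead of the switch.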
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Aman Pandey of bugsmirror

CVE-2022-20230

  • KeyChain URL-encodes the URI authority before displaying it.
         Uri uri = getIntent().getParcelableExtra(KeyChain.EXTRA_URI);
         if (uri != null) {
             String hostMessage = String.format(res.getString(R.string.requesting_server),
-                                               uri.getAuthority());+                    Uri.encode(uri.getAuthority(), "$,;:@&=+"));
             if (contextMessage == null) {
                 contextMessage = hostMessage;
             } else {
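Review bot: `Uri.encode(uri.getAuthority(), "$,;:@&=+")` leaves `@` and `:` unescaped, so an authority of the form `trusted.example@attacker.example:443` still renders with the userinfo part literal in the prompt; if the goal is an unspoofable host in the dialog, display `uri.getHost()` (plus port) rather than the full authority, or drop `@` from the allowed set. Encoding does keep whitespace, control characters and non-ASCII out of the `requesting_server` string, which is the visible intent of the change.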
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: none

2022-07-05 security patch level vulnerability details

Framework

CVE-2022-20220

  • ContactsProvider now refuses to open, delete, sync or insert files anywhere outside the Call Composer directory. The check added to CallLogProvider (as rendered on the page, with the extraction spacing repaired):
/**
 *  Enforces a stricter check on what files the CallLogProvider can perform file operations on.
 * @param rootPath where all valid new/existing paths should pass through.
 * @param pathToCheck newly created path that is requesting a file op. (open, delete, etc.)
 * @param callingMethod the calling method.  Used only for debugging purposes.
 */
private void enforceValidCallLogPath(Path rootPath, Path pathToCheck, String callingMethod) {
    if (!FileUtilities.isSameOrSubDirectory(rootPath.toFile(), pathToCheck.toFile())) {
        // SafetyNet log entry on the rejected path, then fail closed.
        EventLog.writeEvent(0x534e4554, "219015884", Binder.getCallingUid(),
                (callingMethod + ": invalid uri passed"));
        throw new SecurityException(
                FileUtilities.INVALID_CALL_LOG_PATH_EXCEPTION_MESSAGE + pathToCheck);
    }
}

  The helper class added in the same change:
package com.android.providers.contacts.util;

import android.util.Log;

import java.io.File;
import java.io.IOException;

public final class FileUtilities {

    public static final String TAG = FileUtilities.class.getSimpleName();
    public static final String INVALID_CALL_LOG_PATH_EXCEPTION_MESSAGE =
            "Invalid [Call Log] path. Cannot operate on file:";

    /**
     * Checks, whether the child directory is the same as, or a sub-directory of the base
     * directory.
     */
    public static boolean isSameOrSubDirectory(File base, File child) {
        try {
            // getCanonicalFile() resolves ".." segments and symlinks, so the
            // comparison below is on the real path, not the one the caller typed.
            File basePath = base.getCanonicalFile();
            File currPath = child.getCanonicalFile();
            while (currPath != null) {
                if (basePath.equals(currPath)) {
                    return true;
                }
                currPath = currPath.getParentFile(); // pops sub-dir
            }
            return false;
        } catch (IOException ex) {
            // Canonicalisation failed: treat the path as outside the root.
            Log.e(TAG, "Error while accessing file", ex);
            return false;
        }
    }
}
  • Updated Android versions: 12, 12L
