2022-03-01 security patch level vulnerability details
Android runtime
Framework
CVE-2021-39692
- ManagedProvisioning个人资料授权界面添加SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS标志,防止悬浮窗攻击。
- 已更新的AOSP版本:10, 11, 12
- 致谢信息:Hao Zhou, Xiapu Luo from the Hong Kong Polytechnique University, Haoyu Wang from the Beijing University of Posts and Telecommunications, and Yajin Zhou from the Zhejiang University
CVE-2021-39693
- 在AppOpsService的onUidStateChanged函数存在条件竞争问题,具体影响待进一步研究。
/**
* Notify that the state of the uid changed
*
* @param newState The new state
*/
public void onUidStateChanged(@AppOpsManager.UidState int newState) {
if (!isPaused() && !isRunning()) {
return;
}
boolean isRunning = isRunning();
ArrayMap<IBinder, AppOpsService.InProgressStartOpEvent> events =
isRunning ? mInProgressEvents : mPausedInProgressEvents;
int numInProgressEvents = events.size();
List<IBinder> binders = new ArrayList<>(events.keySet());
for (int i = 0; i < numInProgressEvents; i++) {
InProgressStartOpEvent event = events.get(binders.get(i));
if (event != null && event.getUidState() != newState) {
try {
// Remove all but one unfinished start count and then call finished() to
// remove start event object
int numPreviousUnfinishedStarts = event.numUnfinishedStarts;
event.numUnfinishedStarts = 1;
OpEventProxyInfo proxy = event.getProxy();
finished(event.getClientId(), false);
// Call started() to add a new start event object and then add the
// previously removed unfinished start counts back
if (proxy != null) {
startedOrPaused(event.getClientId(), proxy.getUid(),
proxy.getPackageName(), proxy.getAttributionTag(), newState,
event.getFlags(), false, isRunning,
event.getAttributionFlags(), event.getAttributionChainId());
} else {
startedOrPaused(event.getClientId(), Process.INVALID_UID, null, null,
newState, event.getFlags(), false, isRunning,
event.getAttributionFlags(), event.getAttributionChainId());
}
+ events = isRunning ? mInProgressEvents : mPausedInProgressEvents;
InProgressStartOpEvent newEvent = events.get(binders.get(i));
if (newEvent != null) {
newEvent.numUnfinishedStarts += numPreviousUnfinishedStarts - 1;
}
} catch (RemoteException e) {
if (DEBUG) Slog.e(TAG, "Cannot switch to new uidState " + newState);
}
}
}
}
- 已更新的AOSP版本:12
- 致谢信息:Soonil Nagarkar of Google
CVE-2021-39695
- 修复了下面两个方法中,读取BasePermission中的protectionLevel内容的不一致
- 反射访问字段:
BasePermission.perm.protection-Level - API接口:
BasePermission.getProtectionLevel()
- 已更新的AOSP版本:11
- 致谢信息:Rui Li and Wenrui Diao, Shandong University
CVE-2021-39697
- 禁止未适配分区存储的应用使用DownloadProvider下载文件到其他目录的外置卡私有目录(
/sdcard/Android/<package_name>/data和/sdcard/Android/<package_name>/obb) - 主要原因是未适配分区存储的应用,在申请了存储权限之后可以访问整个sdcard目录。
- 已更新的AOSP版本:11, 12
- 致谢信息:Bo Zhang (张波) of Bytedance Wuheng Lab
CVE-2021-39624
- PackageInstallerService中放弃子会话,可能导致拒绝服务的问题
- 已更新的AOSP版本:10, 11, 12
- 致谢信息:Hongli Han (@hexb1n) and Mingjian Zhou (周明建) (@Mingjian_Zhou) of C0RE Team
CVE-2021-39690
- Skia错误地接受和渲染超过OpenGL限制大小的缓冲区,可能导致拒绝服务的问题
- 已更新的AOSP版本:12
- 致谢信息:Sithija
CVE-2021-39667
- 解析H.264视频头部时的问题,问题由OSS-Fuzz发现
- 已更新的AOSP版本:10, 11, 12
- 致谢信息:无
System
CVE-2021-39708
- In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to an incorrect bounds check.
- 截至发稿,该漏洞的代码更改细节暂未公开
- 已更新的AOSP版本:12
- 致谢信息:Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team
CVE-2021-0957
- 在多用户场景下,用户配置完成之前不显示通知页脚
- 已更新的AOSP版本:10, 11, 12
- 致谢信息:SHIHAB P M
CVE-2021-39701
- SystemUI绑定到前台服务时,正确处理onNullBinding方法,防止出现前台服务通知绕过。
+ override fun onNullBinding(name: ComponentName?) {
+ if (DEBUG) Log.d(TAG, "onNullBinding $name")
+ wrapper = null
+ context.unbindService(this)
+ }
- 已更新的AOSP版本:11, 12
- 致谢信息:Aman Pandey of bugsmirror
CVE-2021-39702
- RequestManageCredentials界面添加SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS标志,防止悬浮窗攻击。
- 已更新的AOSP版本:12
- 致谢信息:Hao Zhou, Xiapu Luo from the Hong Kong Polytechnique University, Haoyu Wang from the Beijing University of Posts and Telecommunications, and Yajin Zhou from the Zhejiang University
CVE-2021-39703
- AOSP里面需要手动授权才能开启USB MTP模式,在断开连接一个已启用MTP的设备之后3秒内再插入其他设备,可能导致其他设备直接获得MTP权限。修复是把这个延时改为1秒。
- private static final int DEVICE_STATE_UPDATE_DELAY = 3000;
-
- // Delay for debouncing USB disconnects on Type-C ports in host mode
- private static final int HOST_STATE_UPDATE_DELAY = 1000;
+ private static final int UPDATE_DELAY = 1000;
- 已更新的AOSP版本:12
- 致谢信息:Elijah Bowman of Accenture
CVE-2021-39704
- 删除通知Channel之前检查是否有已关联的前台服务,防止出现前台服务通知绕过。
- 已更新的AOSP版本:10, 11, 12
- 致谢信息:Aman Pandey of bugsmirror
CVE-2021-39706
- 为
com.android.credentials.RESET这个Action添加调用者检查,只允许通过设置应用发起凭据存储的重置。 - 已更新的AOSP版本:10, 11, 12
- 致谢信息:Lucian and Sheep of OPPO Amber Security Lab
CVE-2021-39707
- AppRestrictionsFragment中的RestrictionsResultReceiver可以接收一个广播并且启动一个界面,由于是以设置页面启动的界面,导致可以launchAnyWhere。
- 已更新的AOSP版本:10, 11, 12
- 致谢信息:Bo Zhang (张波) and Tianyi Hu (胡天易) of Bytedance Wuheng Lab
CVE-2021-39709
- SipAccountRegistry中的PendingIntent漏洞
- 已更新的AOSP版本:12
- 致谢信息:7h0r
CVE-2021-39705
- AOSP的Dialer应用中存在通过广播的方式泄漏ICCID,导致信息泄漏漏洞。
- 已更新的AOSP版本:10, 11, 12
- 致谢信息:无
2022-03-05 security patch level vulnerability details