Android Security Bulletin Analysis (May 2022)

2022-05-01 security patch level vulnerability details

Framework

CVE-2021-39662

  • For MediaProvider, do not allow granting FLAG_GRANT_PREFIX_URI_PERMISSION, because an app that holds permission for only one media category (for example audio, photos, or downloads) could otherwise obtain access to files of every category without requesting any additional permission. The root cause is that FLAG_GRANT_PREFIX_URI_PERMISSION grants by prefix, which widens the scope of the original permission.
  • Background: MediaProvider is the implementation of scoped storage from Android 10 onward; it gives apps access to the common categories of media files when they cannot read or write the sdcard directly, similar to the iOS model.
  • Updated AOSP versions: 11, 12
  • Credit: none
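
The scope problem behind this fix, as an added example that is not AOSP code: a minimal model of URI permission grants in plain Java. The authority name, the sample content URIs and the grant() check are constructed for the demo; only the flag value is taken from android.content.Intent. It shows that a single prefix grant rooted at the shared parent path covers both the audio and the image URI, and that refusing prefix grants for the media authority leaves only exact grants.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not AOSP code): a minimal model of URI permission grants that
// shows why a prefix grant on a shared media authority widens a grant's scope,
// and a check that refuses such grants for that authority.
public class PrefixGrantDemo {
    // Flag value copied from android.content.Intent.FLAG_GRANT_PREFIX_URI_PERMISSION.
    static final int FLAG_GRANT_PREFIX_URI_PERMISSION = 0x00000080;
    // Hypothetical authority name standing in for the media provider.
    static final String MEDIA_AUTHORITY = "media";

    // One recorded grant: a URI and whether it covers every URI sharing its prefix.
    static final class UriGrant {
        final String uri;
        final boolean prefix;

        UriGrant(String uri, boolean prefix) {
            this.uri = uri;
            this.prefix = prefix;
        }

        // Exact grant: only the same URI. Prefix grant: the URI and every descendant.
        boolean covers(String target) {
            if (target.equals(uri)) {
                return true;
            }
            return prefix && target.startsWith(uri + "/");
        }
    }

    // content://<authority>/<path>: take what sits between "content://" and the next "/".
    static String authorityOf(String uri) {
        String rest = uri.substring("content://".length());
        int slash = rest.indexOf('/');
        return slash < 0 ? rest : rest.substring(0, slash);
    }

    // Hardened grant path: a prefix grant is never allowed for the media authority,
    // because one category grant would otherwise cover every sibling category.
    static UriGrant grant(String uri, int flags) {
        boolean prefix = (flags & FLAG_GRANT_PREFIX_URI_PERMISSION) != 0;
        if (prefix && MEDIA_AUTHORITY.equals(authorityOf(uri))) {
            throw new SecurityException("prefix grants are not allowed for authority "
                    + MEDIA_AUTHORITY);
        }
        return new UriGrant(uri, prefix);
    }

    static boolean hasAccess(List<UriGrant> grants, String target) {
        for (UriGrant g : grants) {
            if (g.covers(target)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<UriGrant> grants = new ArrayList<>();
        // Sample URIs constructed for the demo: one audio item, one image item.
        String audio = "content://media/external/audio/media/7";
        String photo = "content://media/external/images/media/42";

        // What the bug allowed: a prefix grant rooted at the shared parent path
        // covers both categories although only one was meant to be shared.
        grants.add(new UriGrant("content://media/external", true));
        System.out.println("prefix grant covers audio:  " + hasAccess(grants, audio));
        System.out.println("prefix grant covers images: " + hasAccess(grants, photo));

        // After the fix: the same request is refused; an exact grant stays narrow.
        grants.clear();
        try {
            grant("content://media/external", FLAG_GRANT_PREFIX_URI_PERMISSION);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
        grants.add(grant(audio, 0));
        System.out.println("exact grant covers audio:   " + hasAccess(grants, audio));
        System.out.println("exact grant covers images:  " + hasAccess(grants, photo));
    }
}
```

Run it with javac/java; the first pair of lines reports access to both categories from one prefix grant, the second pair reports access to the audio item only.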

CVE-2022-20004

  • SliceManagerService's checkSlicePermission function does not verify the caller.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Aman Pandey of bugsmirror

CVE-2022-20005

  • After an app's base.apk is updated, have PMS (PackageManagerService) restart the target app immediately.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Edward Cunningham of Google

CVE-2022-20007

  • When an Activity is covered by a translucent overlay window or similar, do not call the Activity's onResume, because some apps rely on onResume to perform authorization checks, and an overlay covering the screen at that moment can mislead the user.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Xianbo Wang (@sanebow) of MobiTec, The Chinese University of Hong Kong

CVE-2021-39700

  • Allow adbd to access /proc/net/{tcp,tcp6,udp,udp6}; it is not clear what security impact denying that access would have.
  • Updated AOSP versions: 10, 11, 12
  • Credit: Gregory Montoir and Gary Arakaki of Google

System

CVE-2022-20113

  • The default USB configuration UI changes from RestrictedSwitchPreference to RestrictedPreference; this is probably related to its accessibility from the lock screen.
  • Updated AOSP versions: 12, 12L
  • Credit: Ben Turley

CVE-2022-20114

  • If the ConnectionService returns a null binding, automatically perform the unbind operation.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Aman Pandey of bugsmirror

CVE-2022-20116

  • SystemUI's CallNotificationInfo function receives an Intent as a parameter and uses it to launch a UI, which leads to a LaunchAnyWhere vulnerability.
  • Updated AOSP versions: 12, 12L
  • Credit: Michał Bednarski (michalbednarski)
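
The defensive counterpart of this bug, as an added example that is not SystemUI or AOSP code: a guard a privileged process can run over an Intent it received from a less privileged caller before starting it. The class name and the sanitize() method are hypothetical; the Android APIs it calls (Intent.removeFlags, PackageManager.getActivityInfo, Context.checkPermission) are real. It strips URI grant flags that would otherwise be issued under the privileged identity, requires an explicit component, and refuses targets that are not exported or that the original caller could not start itself.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;

// Added example (not AOSP/SystemUI code): guard applied before a privileged process
// starts an Intent that a less privileged caller handed to it.
public final class ForwardedIntentGuard {
    private final Context mContext;

    public ForwardedIntentGuard(Context context) {
        mContext = context;
    }

    // Returns a copy of the intent that is safe to start on the caller's behalf,
    // or null if it must be dropped. callingPid/callingUid identify the original caller.
    public Intent sanitize(Intent untrusted, int callingPid, int callingUid) {
        // Work on a copy so the caller's object is never mutated behind its back.
        Intent intent = new Intent(untrusted);

        // 1. Never hand out URI grants from our own (privileged) identity.
        intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);

        // 2. Require an explicit component so the target is known now, not resolved later.
        ComponentName target = intent.getComponent();
        if (target == null) {
            return null;
        }

        ActivityInfo info;
        try {
            info = mContext.getPackageManager().getActivityInfo(target, 0);
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }

        // 3. A non-exported activity is exactly what a LaunchAnyWhere-style caller
        //    is trying to reach through us; refuse it.
        if (!info.exported) {
            return null;
        }

        // 4. If the target is guarded by a permission, the original caller must hold it;
        //    otherwise starting it from here would lend the caller our permissions.
        if (info.permission != null
                && mContext.checkPermission(info.permission, callingPid, callingUid)
                        != PackageManager.PERMISSION_GRANTED) {
            return null;
        }
        return intent;
    }
}
```

The values for callingPid and callingUid must be captured with Binder.getCallingPid()/getCallingUid() at the Binder entry point, before any clearCallingIdentity() call; after that point they describe the system process, not the caller.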

CVE-2022-20010

  • Out-of-bounds read in the Bluetooth L2CAP_CMD_CREDIT_BASED_CONN_RES command handler
 case L2CAP_CMD_CREDIT_BASED_CONN_RES:
-      if (p + 2 > p_pkt_end) {
+      if (p + 8 > p_pkt_end) {
         LOG(ERROR) << "invalid L2CAP_CMD_CREDIT_BASED_CONN_RES len";
         return;
       }
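Review bot: the new bound in `if (p + 8 > p_pkt_end)` is a bare magic number with nothing tying it to the fields read below it; name it (a constant for the fixed-length part of the credit-based connection response) and derive the check from the same constant the parse uses, so the length check and the reads cannot drift apart again the way the old `p + 2` did. A one-line comment stating which fields the 8 bytes cover would let the next reader verify the check without re-deriving it from the spec.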
  • Updated AOSP versions: 12, 12L
  • Credit: Kevin Deus of Google

CVE-2022-20011

  • NotificationManagerService's getActiveNotifications and getHistoricalNotifications functions do not perform correct checks for multi-user scenarios, which allows notification content to be obtained across users; apparently the "Notification access" permission is required.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Art (github)
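
Both the missing caller check in CVE-2022-20004 and the missing user check in CVE-2022-20011 are instances of the same omission at a Binder entry point. The two checks, as an added example written for framework-internal code (not AOSP's own implementation of either service): the class name and method names are hypothetical; AppOpsManager.checkPackage, Binder.getCallingUid, UserHandle.getUserId and Context.checkCallingOrSelfPermission are real framework APIs.

```java
import android.Manifest;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.UserHandle;

// Added example (not AOSP code): the two checks a system-service entry point should
// run before acting on a caller-supplied package name and user id.
public final class CallerChecks {
    private final Context mContext;
    private final AppOpsManager mAppOps;

    public CallerChecks(Context context) {
        mContext = context;
        mAppOps = context.getSystemService(AppOpsManager.class);
    }

    // Check 1 (CVE-2022-20004 pattern): the package the caller names must really run
    // under the calling uid. AppOpsManager.checkPackage throws SecurityException on a
    // mismatch, so a caller cannot pass another app's name to borrow its standing.
    public void enforceCallerIsPackage(String pkg) {
        mAppOps.checkPackage(Binder.getCallingUid(), pkg);
    }

    // Check 2 (CVE-2022-20011 pattern): a caller may only act on its own user unless it
    // holds INTERACT_ACROSS_USERS_FULL. Returns the user id that is safe to use.
    public int enforceUserId(int requestedUserId) {
        int callingUid = Binder.getCallingUid();
        int callingUserId = UserHandle.getUserId(callingUid);
        if (requestedUserId == callingUserId) {
            return requestedUserId;
        }
        if (mContext.checkCallingOrSelfPermission(
                Manifest.permission.INTERACT_ACROSS_USERS_FULL)
                != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("uid " + callingUid + " (user " + callingUserId
                    + ") may not act on user " + requestedUserId);
        }
        return requestedUserId;
    }
}
```

Both methods read the calling identity, so they only work when called at the top of the Binder method, before Binder.clearCallingIdentity(); once the identity is cleared they would see the system process and pass unconditionally.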

CVE-2022-20115

  • For the android.intent.action.SERVICE_STATE broadcast in TelephonyRegistry, when an app does not hold the ACCESS_FINE_LOCATION permission, do not send the extras that contain location information.
     // Send the broadcast twice -- once for all apps with READ_PHONE_STATE, then again
-    // for all apps with READ_PRIV but not READ_PHONE_STATE. This ensures that any app holding
-    // either READ_PRIV or READ_PHONE get this broadcast exactly once.
-    mContext.sendBroadcastAsUser(intent, UserHandle.ALL, Manifest.permission.READ_PHONE_STATE);
-    mContext.createContextAsUser(UserHandle.ALL, 0)
-            .sendBroadcastMultiplePermissions(intent,
-                    new String[] { Manifest.permission.READ_PRIVILEGED_PHONE_STATE },
-                    new String[] { Manifest.permission.READ_PHONE_STATE });
+    // for all apps with READ_PRIVILEGED_PHONE_STATE but not READ_PHONE_STATE.
+    // Do this again twice, the first time for apps with ACCESS_FINE_LOCATION, then again with
+    // the location-sanitized service state for all apps without ACCESS_FINE_LOCATION.
+    // This ensures that any app holding either READ_PRIVILEGED_PHONE_STATE or READ_PHONE_STATE
+    // get this broadcast exactly once, and we are not exposing location without permission.
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PHONE_STATE,
+                    Manifest.permission.ACCESS_FINE_LOCATION});
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PRIVILEGED_PHONE_STATE,
+                    Manifest.permission.ACCESS_FINE_LOCATION},
+            new String[] {Manifest.permission.READ_PHONE_STATE});
+
+    // Replace bundle with location-sanitized ServiceState
+    data = new Bundle();
+    state.createLocationInfoSanitizedCopy(true).fillInNotifierBundle(data);
+    intent.putExtras(data);
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PHONE_STATE},
+            new String[] {Manifest.permission.ACCESS_FINE_LOCATION});
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PRIVILEGED_PHONE_STATE},
+            new String[] {Manifest.permission.READ_PHONE_STATE,
+                    Manifest.permission.ACCESS_FINE_LOCATION});
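Review bot: the comment `// Replace bundle with location-sanitized ServiceState` does not match what `intent.putExtras(data)` does: Intent.putExtras(Bundle) merges into the extras already on the intent rather than replacing them, so any key that fillInNotifierBundle writes only for the unsanitized state would survive into the two sanitized sends. Use `intent.replaceExtras(data)`, or build a fresh Intent for the sanitized pair, so the comment and the code agree. The four-way permission split itself reads consistently: each combination of READ_PHONE_STATE / READ_PRIVILEGED_PHONE_STATE with and without ACCESS_FINE_LOCATION matches exactly one of the four sends.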
  • Updated AOSP versions: 12, 12L
  • Credit: hsia.angsh

CVE-2021-39670

  • Use ImageDecoder instead of BitmapRegionDecoder when parsing wallpapers, because BitmapRegionDecoder's generateCrop() method cannot handle very large files.
  • Updated AOSP versions: 12, 12L
  • Credit: Sithija
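
Decoding an untrusted image with ImageDecoder while bounding the result, as an added example that is not WallpaperManager or AOSP code: the class name and the MAX_EDGE_PX limit are hypothetical; ImageDecoder.createSource, decodeBitmap with an OnHeaderDecodedListener, ImageInfo.getSize and setTargetSampleSize are real APIs (API 28+). The header callback runs before any pixel memory is allocated, which is where an oversized file can be downsampled instead of exhausting memory.

```java
import android.content.ContentResolver;
import android.graphics.Bitmap;
import android.graphics.ImageDecoder;
import android.net.Uri;
import android.util.Size;
import java.io.IOException;

// Added example (not AOSP code): decode an image of untrusted size through ImageDecoder
// with a cap on the decoded dimensions.
public final class BoundedImageDecoder {
    // Hypothetical limit on the longer edge of the decoded bitmap, in pixels.
    private static final int MAX_EDGE_PX = 4096;

    public static Bitmap decodeBounded(ContentResolver resolver, Uri uri) throws IOException {
        ImageDecoder.Source source = ImageDecoder.createSource(resolver, uri);
        return ImageDecoder.decodeBitmap(source, (decoder, info, src) -> {
            // Only the header has been parsed at this point, so the dimensions can be
            // inspected and a sample size chosen before any pixels are allocated.
            Size size = info.getSize();
            int longest = Math.max(size.getWidth(), size.getHeight());
            int sample = 1;
            while (longest / sample > MAX_EDGE_PX) {
                sample *= 2;
            }
            if (sample > 1) {
                decoder.setTargetSampleSize(sample);
            }
            // Software allocation keeps the pixels accessible for a later crop.
            decoder.setAllocator(ImageDecoder.ALLOCATOR_SOFTWARE);
        });
    }
}
```

With a 20000x20000 input and the 4096 limit above, the loop settles on a sample size of 8, so the decoder allocates a 2500x2500 bitmap instead of the full image.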

CVE-2022-20112

  • Hide the Private DNS setting in guest mode; guest users are not allowed to change it.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Xianfeng Lu(卢先锋) and Lei Ai(艾磊) of OPPO Amber Security Lab

2022-05-05 security patch level vulnerability details