2021-11-01 security patch level vulnerability details
Framework
CVE-2021-0799
- In ActivityThread, ProviderKey entries are now managed with an ArrayMap instead of a SparseArray, because ArrayMap handles hash-collision cases better. ActivityThread lives in the application process, so the concrete exploitation scenario for this bug is unclear.
- Affected versions: 12
- Credit: Makoto Onuki of Google
CVE-2021-0921
- When a ParsingPackage is passed across processes, complex objects are serialized by writing a length first and then the contents; the object passed here is a nested `Map<String, ArraySet<PublicKey>>`:
```java
/**
 * Writes the keyset mapping to the provided package. {@code null} mappings are permitted.
 */
public static void writeKeySetMapping(@NonNull Parcel dest,
        @NonNull Map<String, ArraySet<PublicKey>> keySetMapping) {
    if (keySetMapping == null) {
        dest.writeInt(-1);
        return;
    }
    final int N = keySetMapping.size();
    dest.writeInt(N);
    for (String key : keySetMapping.keySet()) {
        dest.writeString(key);
        ArraySet<PublicKey> keys = keySetMapping.get(key);
        if (keys == null) {
            dest.writeInt(-1);
            continue;
        }
        final int M = keys.size();
        dest.writeInt(M);
        for (int j = 0; j < M; j++) {
            dest.writeSerializable(keys.valueAt(j));
        }
    }
}

/**
 * Reads a keyset mapping from the given parcel at the given data position. May return
 * {@code null} if the serialized mapping was {@code null}.
 */
@NonNull
public static ArrayMap<String, ArraySet<PublicKey>> readKeySetMapping(@NonNull Parcel in) {
    final int N = in.readInt();
    if (N == -1) {
        return null;
    }
    ArrayMap<String, ArraySet<PublicKey>> keySetMapping = new ArrayMap<>();
    for (int i = 0; i < N; ++i) {
        String key = in.readString();
        final int M = in.readInt();
        if (M == -1) {
            keySetMapping.put(key, null);
            continue;
        }
        ArraySet<PublicKey> keys = new ArraySet<>(M);
        for (int j = 0; j < M; ++j) {
            PublicKey pk = (PublicKey) in.readSerializable();
            keys.add(pk);
        }
        keySetMapping.put(key, keys);
    }
    return keySetMapping;
}
```
- Affected versions: 11
- Credit: Zinuo Han (weibo.com/ele7enxxh) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd.
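To make the length-prefixed layout concrete, here is an added Python model (not Android code and not from the page's author) of a Parcel with the same "count first, then elements" encoding that writeKeySetMapping/readKeySetMapping use. A PublicKey is stood in for by a byte string, and the reader validates every count against the bytes still in the buffer before it sizes an allocation or loop from it, which the Java reader above does not do (it passes M straight into `new ArraySet<>(M)`). The names ParcelWriter, ParcelReader, read_count and MAX_ELEMENTS, and the sample mapping, are assumptions made for this model.

```python
import struct
from typing import Dict, List, Optional

# Constructed stand-in for android.os.Parcel with the "count first, then elements"
# layout of writeKeySetMapping/readKeySetMapping. A PublicKey is modelled as a byte
# string (assumption); ints are little-endian 32-bit, as in Parcel.
NULL_MARKER = -1
MAX_ELEMENTS = 1 << 16  # assumed sanity cap on any collection size

KeySetMapping = Dict[str, Optional[List[bytes]]]


class ParcelWriter:
    def __init__(self) -> None:
        self.buf = bytearray()

    def write_int(self, v: int) -> None:
        self.buf += struct.pack("<i", v)

    def write_bytes(self, b: Optional[bytes]) -> None:
        if b is None:
            self.write_int(NULL_MARKER)
            return
        self.write_int(len(b))
        self.buf += b

    def write_string(self, s: Optional[str]) -> None:
        self.write_bytes(None if s is None else s.encode("utf-8"))


class ParcelReader:
    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def read_int(self) -> int:
        if self.remaining() < 4:
            raise ValueError("truncated int")
        (v,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return v

    def read_count(self) -> int:
        # A count is either the null marker or a non-negative number that can be
        # backed by the bytes still in the buffer; anything else is malformed input
        # and is rejected before any allocation or loop is sized from it.
        n = self.read_int()
        if n == NULL_MARKER:
            return n
        if n < 0 or n > MAX_ELEMENTS or n > self.remaining():
            raise ValueError(f"implausible count {n} with {self.remaining()} bytes left")
        return n

    def read_bytes(self) -> Optional[bytes]:
        n = self.read_count()
        if n == NULL_MARKER:
            return None
        chunk = bytes(self.data[self.pos:self.pos + n])
        self.pos += n
        return chunk

    def read_string(self) -> Optional[str]:
        b = self.read_bytes()
        return None if b is None else b.decode("utf-8")


def write_key_set_mapping(dest: ParcelWriter, mapping: Optional[KeySetMapping]) -> None:
    """Same structure as the Java writer: N, then per entry key, M (or -1), M keys."""
    if mapping is None:
        dest.write_int(NULL_MARKER)
        return
    dest.write_int(len(mapping))
    for key, keys in mapping.items():
        dest.write_string(key)
        if keys is None:
            dest.write_int(NULL_MARKER)
            continue
        dest.write_int(len(keys))
        for pk in keys:
            dest.write_bytes(pk)


def read_key_set_mapping(src: ParcelReader) -> Optional[KeySetMapping]:
    """Same structure as the Java reader, but every count goes through read_count()."""
    n = src.read_count()
    if n == NULL_MARKER:
        return None
    mapping: KeySetMapping = {}
    for _ in range(n):
        key = src.read_string()
        m = src.read_count()
        if m == NULL_MARKER:
            mapping[key] = None
            continue
        mapping[key] = [src.read_bytes() for _ in range(m)]
    return mapping


def encode(mapping: Optional[KeySetMapping]) -> bytes:
    w = ParcelWriter()
    write_key_set_mapping(w, mapping)
    return bytes(w.buf)


def round_trip(mapping: Optional[KeySetMapping]) -> Optional[KeySetMapping]:
    return read_key_set_mapping(ParcelReader(encode(mapping)))


def parses(data: bytes) -> bool:
    """True if the validating reader accepts the parcel, False if it rejects it."""
    try:
        read_key_set_mapping(ParcelReader(data))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed sample: two signers, one with two keys and one with a null key set.
SAMPLE: KeySetMapping = {"signer1": [b"\x30\x59pub1", b"pub2"], "signer2": None}
```

`round_trip(SAMPLE)` returns the same mapping, while a parcel whose first int is 0x7fffffff, or a parcel cut short before its last count, is rejected by `parses` instead of driving a large allocation or a read past the end of the buffer.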
CVE-2021-0923
- Revoke the permission when the owner of an Internal-type permission changes
- if (permission.isRuntime() && (ownerChanged || wasNonRuntime)) {
- // If this is a runtime permission and the owner has changed, or this wasn't a runtime
- // permission, then permission state should be cleaned up
+ if ((permission.isInternal() && ownerChanged)
+ || (permission.isRuntime() && (ownerChanged || wasNonRuntime))) {
+ // If this is an internal/runtime permission and the owner has changed, or this wasn't a
+ // runtime permission, then permission state should be cleaned up.
permission.mDefinitionChanged = true;
}
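Review bot: The new condition treats an internal permission whose owner changed like a runtime permission whose owner changed, but the `wasNonRuntime` clause still belongs to the runtime branch only, so an internal permission that was previously defined as some other type keeps its old state. If that is intended, the updated comment should say so; as written, "or this wasn't a runtime permission" reads as if it applied to both branches. Splitting the compound test into two named booleans (for example `internalOwnerChanged` and `runtimeStateStale`) before the `if` would make the intent obvious to the next reader.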
- ownerChanged becomes true only when a system app redefines a non-system permission. That situation should be very rare; one possibility is a non-system app that became a system app after an OTA update.
```java
@NonNull
public static Permission createOrUpdate(@Nullable Permission permission,
        @NonNull PermissionInfo permissionInfo, @NonNull AndroidPackage pkg,
        @NonNull Collection<Permission> permissionTrees, boolean isOverridingSystemPermission) {
    // Allow system apps to redefine non-system permissions
    boolean ownerChanged = false;
    if (permission != null && !Objects.equals(permission.mPermissionInfo.packageName,
            permissionInfo.packageName)) {
        if (pkg.isSystem()) {
            if (permission.mType == Permission.TYPE_CONFIG && !permission.mReconciled) {
                // It's a built-in permission and no owner, take ownership now
                permissionInfo.flags |= PermissionInfo.FLAG_INSTALLED;
                permission.mPermissionInfo = permissionInfo;
                permission.mReconciled = true;
                permission.mUid = pkg.getUid();
            } else if (!isOverridingSystemPermission) {
                Slog.w(TAG, "New decl " + pkg + " of permission "
                        + permissionInfo.name + " is system; overriding "
                        + permission.mPermissionInfo.packageName);
                ownerChanged = true;
                permission = null;
            }
        }
    }
    //...
}
```
- Affected versions: 12
- Credit: Xianlin Wu (吴宪林) of OPPO Amber Security Lab
CVE-2021-0926
- Restrict third-party apps from launching NfcImportVCardActivity by guarding it with the android.permission.DISPATCH_NFC_MESSAGE permission
- Affected versions: 9, 10, 11, 12
- Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)
CVE-2021-0933
- Potential XSS in CompanionDeviceActivity; the display name is now sanitized with `Html.escapeHtml`.
- Affected versions: 9, 10, 11, 12
- Credit: none
CVE-2020-13871
- Fixes for the SQLite vulnerabilities CVE-2020-15358 and CVE-2020-13871
- Affected versions: 11
- Credit: none
CVE-2021-0653
- The `com.android.server.net.action.SNOOZE_WARNING` broadcast in NetworkPolicyManagerService now names its receiver, so third-party apps can no longer receive it
- Affected versions: 9, 10, 11
- Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)
CVE-2021-0922
- The INTERACT_ACROSS_PROFILES appop is granted to a package, but when two packages use a sharedUserId it is possible for only one of them to hold the op. The enforceCrossUserOrProfilePermission check then misbehaves, because it is built on getPackagesForUid, and in the sharedUserId case that returns an arbitrary one of the several packages mapped to the same uid. The fix grants the appop to a uid instead of a package, since the Android application sandbox fundamentally protects uids, not packages.
- Affected versions: 11
- Credit: Khouloud Mansouri of Google
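An added Python model (not Android code and not from the page's author) of the sharedUserId problem described above: two packages map to one uid, a per-package grant is checked by resolving the caller's uid back to a package, and the verdict depends on which package that resolution happens to return, whereas a per-uid grant gives one stable answer. PACKAGES_FOR_UID, the package names and the uids are constructed values, and the random pick stands in for the arbitrary choice among the packages that getPackagesForUid returns, as the entry above describes.

```python
import random
from typing import Dict, List, Set

# Constructed model of the package/uid relationship from the entry above; not Android
# code. Two packages that declare the same sharedUserId run under one uid.
PACKAGES_FOR_UID: Dict[int, List[str]] = {
    10100: ["com.example.alpha", "com.example.beta"],  # shared uid (sharedUserId)
    10101: ["com.example.gamma"],                      # ordinary single-package uid
}


def get_packages_for_uid(uid: int) -> List[str]:
    """Models PackageManager.getPackagesForUid: every package running as this uid."""
    return list(PACKAGES_FOR_UID.get(uid, []))


def package_keyed_check(granted_packages: Set[str], caller_uid: int,
                        rng: random.Random) -> bool:
    """The flawed design: the op is recorded per package, but a Binder caller is
    known only by uid, so the check must map the uid back to *a* package. Which of
    several packages comes back is arbitrary (modelled with rng), so the verdict for
    a shared uid is arbitrary too: the granted package can be denied and its
    sibling, which was never granted, can be allowed."""
    pkgs = get_packages_for_uid(caller_uid)
    if not pkgs:
        return False
    return rng.choice(pkgs) in granted_packages


def uid_keyed_check(granted_uids: Set[int], caller_uid: int) -> bool:
    """The fixed design: record the op against the uid the sandbox actually
    isolates, so the check needs no uid-to-package guess."""
    return caller_uid in granted_uids


def verdicts(granted_packages: Set[str], caller_uid: int, trials: int = 200,
             seed: int = 7) -> Set[bool]:
    """Distinct outcomes the package-keyed check produces for one caller."""
    rng = random.Random(seed)
    return {package_keyed_check(granted_packages, caller_uid, rng) for _ in range(trials)}
```

For the shared uid 10100 with only `com.example.alpha` granted, `verdicts` returns both True and False across repeated calls, while for the single-package uid 10101 it is stable; `uid_keyed_check` is stable for every uid because the grant and the caller identity are keyed on the same thing.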
CVE-2021-0928
- Incorrect exception handling when objects such as OutputConfiguration are passed to the Android Camera2 API can result in a null object being returned
- Four classes have this problem:
- OutputConfiguration
- VendorTagDescriptor
- VendorTagDescriptorCache
- SessionConfiguration
- Affected versions: 9, 10, 11
- Credit: Michał Bednarski (michalbednarski)
CVE-2021-0650
- Out-of-bounds read in WT_InterpolateNoLoop in the sonivox component
- Affected versions: 9, 10, 11
- Credit: none
System
CVE-2021-0918
- Remote code execution vulnerability in GATT
- Affected versions: 12
- Credit: Xianfeng Lu (卢先锋) and Lei Ai (艾磊) of OPPO Amber Security Lab
CVE-2021-0930
- Out-of-bounds write in the phNxpNciHal_process_ext_rsp function of the pn8x NFC implementation
+ if (*p_len <= (p_ntf[2] + 2)) {
+ android_errorWriteLog(0x534e4554, "181660091");
+ NXPLOG_NCIHAL_E("length error!");
+ return NFCSTATUS_FAILED;
+ }
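Review bot: The new bound reads `p_ntf[2]` before it has established that the buffer holds at least three bytes. Assuming `p_ntf` points at unsigned bytes, the comparison does reject every `*p_len <= 2` (since `p_ntf[2] + 2 >= 2`), but it reaches that verdict by touching `p_ntf[2]` first, which is itself a read past the end of a two-byte notification unless an earlier check already guarantees the minimum header length. Suggest `if (*p_len < 3 || *p_len <= (p_ntf[2] + 2))`, and a comment naming the header layout that the `+ 2` offset refers to, so the next reader does not have to rediscover why this particular constant is right.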
- Affected versions: 9, 10, 11, 12
- Credit: Chaoyuan Peng (@ret2happy)
CVE-2021-0434
- Reworded the unclear warning text shown when granting Bluetooth permissions, to prevent phishing and spoofing
- Affected versions: 9, 10, 11
- Credit: Christophe Devine, ANSSI
CVE-2021-0649
- The stopVpnProfile() and startVpnProfile() functions in VpnManagerService did not verify the caller, so a VPN started by another app could be stopped.
@Override
public void startVpnProfile(@NonNull String packageName) {
- final int user = UserHandle.getUserId(mDeps.getCallingUid());
+ final int callingUid = Binder.getCallingUid();
+ verifyCallingUidAndPackage(packageName, callingUid);
+ final int user = UserHandle.getUserId(callingUid);
synchronized (mVpns) {
throwIfLockdownEnabled();
mVpns.get(user).startVpnProfile(packageName);
//...
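Review bot: Moving from `mDeps.getCallingUid()` to `Binder.getCallingUid()` removes what looks like the dependency-injection seam used to stand in for the caller in tests, so the tests for startVpnProfile should be checked to see that they still exercise the user-id derivation, now with a real Binder identity or a mocked static call. The `verifyCallingUidAndPackage(packageName, callingUid)` call is placed before the `synchronized (mVpns)` block, which is the right spot: the caller is rejected before any lock is taken, and `packageName` is no longer trusted on the caller's word.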
@Override
public void stopVpnProfile(@NonNull String packageName) {
- final int user = UserHandle.getUserId(mDeps.getCallingUid());
+ final int callingUid = Binder.getCallingUid();
+ verifyCallingUidAndPackage(packageName, callingUid);
+ final int user = UserHandle.getUserId(callingUid);
synchronized (mVpns) {
mVpns.get(user).stopVpnProfile(packageName);
}
//...
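Review bot: `mVpns.get(user)` is dereferenced without a null check in both the start and stop paths shown. With the caller now bound to `packageName`, a verified caller whose user has no entry in `mVpns` would still fail with a NullPointerException inside the service rather than a clean error. If `mVpns` is guaranteed to hold every running user elsewhere, a one-line comment at the lookup would spare the next reader the question; otherwise throw an explicit exception before calling `stopVpnProfile`.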
- Affected versions: 11
- Credit: Aman Pandey of bugsmirror
CVE-2021-0932
- Insecure PendingIntent in SystemUI's NavigationModeController
.setStyle(new Notification.BigTextStyle())
.setSmallIcon(R.drawable.ic_info)
.setAutoCancel(true)
- .setContentIntent(PendingIntent.getActivity(context, 0, new Intent(), 0));
+ .setContentIntent(PendingIntent.getActivity(context, 0, new Intent(),
+ PendingIntent.FLAG_IMMUTABLE));
context.getSystemService(NotificationManager.class).notify(TAG, 0, builder.build());
}
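Review bot: `FLAG_IMMUTABLE` closes the hole where the receiver of a mutable PendingIntent wrapping an empty `new Intent()` could fill in the target itself, but the wrapped Intent is still empty, so tapping the notification now does nothing and the PendingIntent exists only to satisfy the builder. Either drop `setContentIntent` entirely or give the Intent an explicit component, which would also document what the notification is meant to open. `FLAG_IMMUTABLE` requires API 23, which is fine for a SystemUI build.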
- Affected versions: 10
- Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)
CVE-2021-0925
- In NFC T4T, cc_file_rsp_len was initialized to 0 where it should have been T4T_CC_FILE_MIN_LEN, which presumably leads to an out-of-bounds read.
- Affected versions: 12
- Credit: Android Security Red Team
CVE-2021-0931
- When BluetoothDevice retrieves a remote device's alias, newline characters are now filtered out so the displayed text cannot be broken across lines.
- Affected versions: 9, 10, 11, 12
- Credit: none
CVE-2021-0919
- uptimeMillis in libbinder loses precision; it should be an int64_t. The issue means the device behaves normally for only about one month; it is not clear what happens after that.
- Affected versions: 9, 10, 11
- Credit: none
2021-11-05 security patch level vulnerability details
Android TV
CVE-2021-0889
- This vulnerability lets a remote attacker silently pair with a TV and achieve remote code execution; the patch for the vulnerable code has not been released yet.
CVE-2021-0927
- The requestChannelBrowsable function in TvInputManagerService calls Binder.getCallingUid() after `Binder.clearCallingIdentity()`, which results in a permission bypass
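An added Python model (not the TvInputManagerService code and not from the page's author) of the ordering bug above: once clearCallingIdentity has run, the calling uid reported to the service is the service's own, so a permission check done afterwards checks the system against itself and passes for any caller. The uids, the permission holder set and the function names are constructed for this model.

```python
import threading
from contextlib import contextmanager

SYSTEM_UID = 1000            # uid of the system server, which hosts the service
PERMISSION_HOLDERS = {SYSTEM_UID}  # constructed: only the system holds the checked permission

# Constructed model of Binder's calling identity: a per-thread record of who called in.
_identity = threading.local()


def get_calling_uid() -> int:
    """Like Binder.getCallingUid(): the caller's uid, or our own if none is set."""
    return getattr(_identity, "uid", SYSTEM_UID)


def clear_calling_identity() -> int:
    """Like Binder.clearCallingIdentity(): from now on get_calling_uid() reports us."""
    token = get_calling_uid()
    _identity.uid = SYSTEM_UID
    return token


def restore_calling_identity(token: int) -> None:
    """Like Binder.restoreCallingIdentity()."""
    _identity.uid = token


@contextmanager
def incoming_call(caller_uid: int):
    """Simulates a Binder transaction arriving from caller_uid on this thread."""
    _identity.uid = caller_uid
    try:
        yield
    finally:
        _identity.uid = SYSTEM_UID


def has_permission(uid: int) -> bool:
    return uid in PERMISSION_HOLDERS


def request_channel_browsable_buggy() -> bool:
    """Clears identity first, then asks who is calling: it always sees itself."""
    token = clear_calling_identity()
    try:
        return has_permission(get_calling_uid())
    finally:
        restore_calling_identity(token)


def request_channel_browsable_fixed() -> bool:
    """Captures the caller before dropping identity, then checks that uid."""
    caller = get_calling_uid()
    token = clear_calling_identity()
    try:
        return has_permission(caller)
    finally:
        restore_calling_identity(token)


def simulate(handler, caller_uid: int) -> bool:
    """Runs handler as if invoked over Binder by caller_uid; returns the verdict."""
    with incoming_call(caller_uid):
        return handler()
```

With an unprivileged caller (uid 10123 in the model), `simulate(request_channel_browsable_buggy, 10123)` returns True because the check sees uid 1000, while `simulate(request_channel_browsable_fixed, 10123)` returns False; the general rule is to read every caller-derived value before `clearCallingIdentity()` and to restore the identity in a `finally`.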