2022-04-01 security patch level vulnerability details
Framework
CVE-2021-0694
- Foreground services started from the background are no longer allowed to obtain "while-in-use" permissions, including the location, camera and microphone permissions.
- Updated AOSP versions: 11
- Credit: Makoto Onuki of Google
CVE-2021-39794
- Restricts the following three broadcasts in ADBManager to the MANAGE_DEBUGGING signature permission:
com.android.server.adb.WIRELESS_DEBUG_STATUS
com.android.server.adb.WIRELESS_DEBUG_PAIRED_DEVICES
com.android.server.adb.WIRELESS_DEBUG_PAIRING_RESULT
- Updated AOSP versions: 11, 12, 12L
- Credit: hluwa
CVE-2021-39795
- Apps that have not adopted scoped storage are no longer allowed to write files through MediaProvider into other apps' external private directories, i.e. the /sdcard/Android/data/<package_name> directory.
- Updated AOSP versions: 11, 12, 12L
- Credit: Bo Zhang (张波) of Bytedance Wuheng Lab
CVE-2021-39796
- Adds SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS to the harmful-app warning screen HarmfulAppWarningActivity, preventing overlay clickjacking and covering attacks.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Hao Zhou, Xiapu Luo from The Hong Kong Polytechnic University, Haoyu Wang from the Huazhong University of Science and Technology, and Yajin Zhou from Zhejiang University
CVE-2021-39797
- LauncherApps no longer allows arbitrary ActivityOptions to be specified when it creates a PendingIntent.
- Updated AOSP versions: 12, 12L
- Credit: Michał Bednarski (michalbednarski)
CVE-2021-39798
- A problem in Bitmap_createFromParcel, which can be investigated further later.
// In place callback
[&](std::unique_ptr<int8_t[]> buffer, int32_t size) {
+ if (allocationSize > size) {
+ android_errorWriteLog(0x534e4554, "213169612");
+ return STATUS_BAD_VALUE;
+ }
nativeBitmap = Bitmap::allocateHeapBitmap(allocationSize, imageInfo, rowBytes);
if (nativeBitmap) {
- memcpy(nativeBitmap->pixels(), buffer.get(), size);
+ memcpy(nativeBitmap->pixels(), buffer.get(), allocationSize);
+ return STATUS_OK;
}
+ return STATUS_NO_MEMORY;
}
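Review bot: the new check rejects only allocationSize > size, so a blob that is larger than allocationSize is still accepted and its trailing bytes are silently dropped now that the memcpy copies allocationSize instead of size; if a mismatch in either direction means the parcel is malformed, `if (allocationSize != size)` would be the stricter guard, and either way a comment should state that a longer blob is tolerated on purpose. The STATUS_OK / STATUS_NO_MEMORY returns added at the end of the callback are an improvement, since the old body returned nothing on either path.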
- allocationSize must not be larger than size: size is the number of bytes actually read during readBlob, whereas allocationSize comes from Bitmap::computeAllocationSize and is presumably computed from other fields inside the Bitmap, which an attacker controls. A detailed analysis will follow in a separate article.
- Updated AOSP versions: 12, 12L
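The allocationSize-versus-size mismatch described above, as an added example that is not part of the original post or of the AOSP code: a constructed stand-in for the parcel read path that derives the allocation size from header fields the way computeAllocationSize would, refuses to copy when the blob read from the parcel is shorter than that size, and additionally rejects multiplication overflow in the size computation itself. The header struct, its field names and both function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the bitmap header read from the parcel
 * (hypothetical field names; the real Bitmap carries more state). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} bitmap_info_t;

/* Plays the role of Bitmap::computeAllocationSize: the byte count is derived
 * entirely from header fields the sender controls, so it is checked for
 * multiplication overflow. Returns 0 for an invalid or overflowing size. */
size_t compute_allocation_size(const bitmap_info_t *info) {
    if (info->width == 0 || info->height == 0 || info->bytes_per_pixel == 0)
        return 0;
    if (info->width > SIZE_MAX / info->bytes_per_pixel)
        return 0;
    size_t row_bytes = (size_t)info->width * info->bytes_per_pixel;
    if (row_bytes > SIZE_MAX / info->height)
        return 0;
    return row_bytes * info->height;
}

/* Copies pixel data into a fresh heap buffer sized from the header.
 * blob_size is the number of bytes actually read from the parcel (the
 * `size` in the patch). Copying allocation_size bytes is only safe when
 * the blob holds at least that many, which is the check the patch adds.
 * Returns NULL and stores 0 in *out_size when the parcel is malformed. */
uint8_t *copy_pixels_checked(const bitmap_info_t *info, const uint8_t *blob,
                             size_t blob_size, size_t *out_size) {
    *out_size = 0;
    size_t allocation_size = compute_allocation_size(info);
    if (allocation_size == 0 || allocation_size > blob_size)
        return NULL; /* header claims more pixels than the blob carries */
    uint8_t *pixels = malloc(allocation_size);
    if (pixels == NULL)
        return NULL;
    memcpy(pixels, blob, allocation_size); /* bounded by both buffers */
    *out_size = allocation_size;
    return pixels;
}
```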
- Credit: lovepink
CVE-2021-39799
- AttributionSource now verifies the PID in addition to the UID.
- Updated AOSP versions: 12, 12L
- Credit: Michał Bednarski (michalbednarski)
CVE-2021-39803
- C2AllocatorIon now protects mMappings with a mutex.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: none
CVE-2021-39804
- When parsing METADATA_KEY_VIDEO_FRAME_COUNT in HEIF, check whether it is NULL; this could only lead to a DoS.
- mSequenceLength = atoi(mRetriever->extractMetadata(METADATA_KEY_VIDEO_FRAME_COUNT));
+ const char* frameCount = mRetriever->extractMetadata(METADATA_KEY_VIDEO_FRAME_COUNT);
+ if (frameCount == nullptr) {
+ android_errorWriteWithInfoLog(0x534e4554, "215002587", -1, NULL, 0);
+ ALOGD("No valid sequence information in metadata");
+ return false;
+ }
+ mSequenceLength = atoi(frameCount);
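Review bot: the nullptr check stops the atoi(NULL) crash, but atoi itself has no error reporting, so a non-numeric or negative METADATA_KEY_VIDEO_FRAME_COUNT still lands in mSequenceLength as 0 or a negative value on the last added line; parsing with strtol, checking that the whole string was consumed and that the result is positive would let the same `return false` path cover malformed counts too.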
- Updated AOSP versions: 11, 12, 12L
- Credit: Dawuge of Pangu Team
System
CVE-2021-39808
- An app could set its notification channel to Blocked to bypass the foreground-service notification, letting it start a foreground service without the user noticing.
- Updated AOSP versions: 10, 11, 12
- Credit: Aman Pandey of bugsmirror
CVE-2021-39805
uint16_t result;
+ if (p + sizeof(uint16_t) > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "212694559");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
STREAM_TO_UINT16(result, p);
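Review bot: the guard `p + sizeof(uint16_t) > p_pkt_end` forms a pointer past the end of the packet before comparing it, which is undefined behaviour in C++ when p is already within two bytes of the end and can be optimised away; comparing remaining length instead, e.g. `if (p_pkt_end - p < (ptrdiff_t)sizeof(uint16_t))`, keeps the check in defined territory. The bare `return;` also leaves the caller with no indication that the packet was truncated, so confirm the caller does not go on to use `result`.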
- Updated AOSP versions: 12, 12L
- Credit: Lei Ai (艾磊) and Xianfeng Lu (卢先锋) of OPPO Amber Security Lab
CVE-2021-39809
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
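Review bot: the bound AVRC_CAP_MAX_NUM_COMP_ID is applied to get_caps.count regardless of which capability id the response carries; if the events-supported list is backed by an array of a different size than the company-id list, the limit should be chosen by capability id rather than fixed, so please confirm that the same maximum applies to both. Logging the rejected count alongside the android_errorWriteLog call would also make field reports of this path easier to triage.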
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Zinuo Han (weibo.com/ele7enxxh) of Alibaba Cloud Security Team
2022-04-05 security patch level vulnerability details
System
CVE-2021-39807
- Guest users are no longer allowed to disable NFC.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Lei Ai (艾磊) and Xianfeng Lu (卢先锋) of OPPO Amber Security Lab