2022-02-01 security patch level vulnerability details
Framework
CVE-2021-39619
- If a user has a profile owner configured, do not delete that app's usage stats when the app is uninstalled
- Affected versions: 11, 12
- Credit: none
CVE-2021-39663
- In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, there is a possible bypass of a permissions check due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-200682135
- As of writing, the code changes for this vulnerability have not been published
- Affected versions: 10
- Credit: Dzmitry Lukyanenka
CVE-2021-39676
- In writeThrowable of AndroidFuture.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-197228210
- As of writing, the code changes for this vulnerability have not been published
- Affected versions: 11
- Credit: Zinuo Han (weibo.com/ele7enxxh) of Alibaba Cloud Security Team
CVE-2021-39664
std::unordered_set<uint32_t> finalized_ids;
const auto lib_alias = child_chunk.header<ResTable_staged_alias_header>();
if (!lib_alias) {
+ LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small.";
+ return {};
+ }
+ if ((child_chunk.data_size() / sizeof(ResTable_staged_alias_entry))
+ < dtohl(lib_alias->count)) {
+ LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small to hold entries.";
return {};
}
const auto entry_begin = child_chunk.data_ptr().convert<ResTable_staged_alias_entry>();
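Review bot: confirm that `child_chunk.data_size()` excludes the chunk header, because the new bound `data_size() / sizeof(ResTable_staged_alias_entry) < dtohl(lib_alias->count)` is only tight if the quotient counts entry bytes alone; `entry_begin` is taken from `data_ptr()` immediately after the check, so any header bytes included in the size would let a file-supplied `count` exceed the entries that actually fit. Dividing the size rather than multiplying `count` by the entry size is the right choice, since the comparison then cannot overflow on a huge `count`. Consider also including `count` and `data_size()` in the "too small to hold entries" message so malformed-resource reports are easier to triage.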
- Affected versions: 12
- Credit: Zinuo Han (weibo.com/ele7enxxh) of Alibaba Cloud Security Team
CVE-2020-13112
- An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.
- As of writing, the code changes for this vulnerability have not been published
- Affected versions: 10, 11
- Credit: Kris Alder of Google
CVE-2020-13113
- An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions.
- As of writing, the code changes for this vulnerability have not been published
- Affected versions: 10, 11
- Credit: Kris Alder of Google
CVE-2021-39665
void AAVCAssembler::checkSpsUpdated(const sp<ABuffer> &buffer) {
+ if (buffer->size() == 0) {
+ android_errorWriteLog(0x534e4554, "204077881");
+ return;
+ }
const uint8_t *data = buffer->data();
unsigned nalType = data[0] & 0x1f;
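Review bot: the new guard only establishes that `buffer` holds at least one byte, which is exactly what `data[0] & 0x1f` needs; any code later in this function that reads beyond `data[0]` (the SPS fields after the NAL header) needs its own size check, so verify those reads in the rest of `checkSpsUpdated`. The `android_errorWriteLog(0x534e4554, "204077881")` call records an event-log entry under tag 0x534e4554 (ASCII "SNET"), the usual marker that a fix's guard was hit; that entry is the signal to watch for when monitoring devices for attempts against this bug.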
- Affected versions: 12
- Credit: Zinuo Han (weibo.com/ele7enxxh) of Alibaba Cloud Security Team
CVE-2021-39666
template <> // static
status_t extract(std::string *val, const char **bufferpptr, const char *bufferptrmax) {
const char *ptr = *bufferpptr;
- while (*ptr != 0) {
+ do {
if (ptr >= bufferptrmax) {
ALOGE("%s: buffer exceeded", __func__);
return BAD_VALUE;
}
- ++ptr;
- }
- const size_t size = (ptr - *bufferpptr) + 1;
+ } while (*ptr++ != 0);
+ // ptr is terminator+1, == bufferptrmax if we finished entire buffer
*val = *bufferpptr;
- *bufferpptr += size;
+ *bufferpptr = ptr;
return NO_ERROR;
}
template <> // static
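Review bot: the `do { ... } while (*ptr++ != 0);` form fixes the ordering problem in the old loop, which dereferenced `*ptr` before testing `ptr >= bufferptrmax` and so read one byte past the end of an unterminated buffer; every byte is now bounds-checked before it is read. Because the loop only exits normally after seeing a NUL inside the buffer, building the `std::string` with `*val = *bufferpptr` is safe, and `*bufferpptr = ptr` correctly advances past the terminator. Two small points: the new comment could state the precondition that `bufferptrmax` is one past the end of the buffer, which the `>=` comparison assumes, and the trailing `template <> // static` context line shows there are sibling `extract` specialisations that deserve the same check.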
- Affected versions: 11, 12
- Credit: Hongli Han (@hexb1n) and Guang Gong (@oldfresher) of Vulnerability Research Institute
System
CVE-2021-39675
- NFA_SendRawFrame in the NFC module has no upper bound on the frame length, which can lead to an out-of-bounds write
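A constructed illustration of the length-bound problem described above, added here and not taken from the AOSP NFC or GKI code. It assumes, as the fix's `USHRT_MAX - 3` bound suggests, that the pool buffer header records the total length in a 16-bit field with 3 bytes of per-buffer overhead; it shows how an unbounded request narrows to an undersized total, and how the same check as the fix rejects such a request before any allocation or copy happens. The names `narrowed_total`, `checked_total`, `send_raw_frame` and `kOverhead` are hypothetical.

```cpp
#include <climits>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Assumed per-buffer overhead (the "3" in the fix's USHRT_MAX - 3 bound).
constexpr uint32_t kOverhead = 3;

// Pre-fix arithmetic (assumed): the total is narrowed to 16 bits with no range
// check. For size == USHRT_MAX - 2 the sum is 65536, which wraps to 0, so a
// zero-length total would be recorded for a request of ~64 KiB of payload.
uint16_t narrowed_total(uint32_t size) {
    return static_cast<uint16_t>(size + kOverhead);
}

// Post-fix arithmetic: reject zero and any request whose total would not fit
// in the 16-bit length field. Returns std::nullopt for rejected lengths.
std::optional<uint16_t> checked_total(uint32_t size) {
    if (size == 0 || size > (USHRT_MAX - kOverhead)) {
        return std::nullopt;
    }
    return static_cast<uint16_t>(size + kOverhead);
}

// A raw-frame send path that applies the bound before allocating and copying.
// Returns false (frame dropped) when the length is out of range, so the copy
// below only ever runs with a total that matches the payload size.
bool send_raw_frame(const std::vector<uint8_t>& frame) {
    const auto total = checked_total(static_cast<uint32_t>(frame.size()));
    if (!total) {
        return false;
    }
    std::vector<uint8_t> buf(*total);                 // header + payload
    buf[0] = static_cast<uint8_t>(*total & 0xff);      // 16-bit length, little-endian
    buf[1] = static_cast<uint8_t>(*total >> 8);
    buf[2] = 0;                                        // assumed flags byte
    std::memcpy(buf.data() + kOverhead, frame.data(), frame.size());
    return true;
}
```

`checked_total` is the same predicate the patch adds (`size == 0 || size > (USHRT_MAX - 3)`), expressed so a caller can test it; the interesting boundary is `USHRT_MAX - 3`, which is still accepted, against `USHRT_MAX - 2`, which wraps the narrowed total to zero and is refused.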
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include "gki_int.h"
#if (GKI_NUM_TOTAL_BUF_POOLS > 16)
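Review bot: `USHRT_MAX`, which the next hunk's new check relies on, is defined in `<limits.h>`/`<climits>`, and no such include is added here alongside the new `<log/log.h>`; confirm one of the existing headers (for example `gki_int.h`) already provides it so the build does not depend on an accidental transitive include. `<log/log.h>` itself is the correct header for the `android_errorWriteLog` call introduced below.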
@@ -258,8 +259,9 @@
FREE_QUEUE_T* Q;
#if defined(DYN_ALLOC) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
- if (size == 0) {
- LOG(ERROR) << StringPrintf("getbuf: Size is zero");
+ if (size == 0 || size > (USHRT_MAX - 3)) {
+ LOG(ERROR) << StringPrintf("getbuf: Requested size(%d) is invalid", size);
+ android_errorWriteLog(0x534e4554, "205729183");
#ifndef DYN_ALLOC
abort();
#else
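Review bot: the new condition routes oversize requests down the same path as `size == 0`, which under `#ifndef DYN_ALLOC` ends in `abort()`; since the length reaches this allocator from NFA_SendRawFrame per the description above, an out-of-range length now terminates the NFC process rather than being refused with a NULL return, so confirm that fail-fast is the intended outcome over dropping the frame. The `3` in `USHRT_MAX - 3` presumably matches the per-buffer header overhead; a named constant would make that relationship explicit and keep the two in step. The log line prints `size` with `%d`; if `size` is an unsigned type, `%u` is the matching specifier.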
CVE-2021-39668
- A new class of PendingIntent vulnerability in SystemUI; to be investigated
- Affected versions: 11, 12
- Credit: none
CVE-2021-39669
- Add the SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS flag to the CA certificate installation warning screen InstallCaCertificateWarning, to prevent overlay clickjacking (tapjacking) attacks
- Affected versions: 11, 12
- Credit: Tianyi Hu (胡天易) of Bytedance Wuheng Lab
CVE-2021-39671
- When compiling AIDL files, give char-type fields a default value of '\0'. This looks like it was submitted once before but was for some reason reverted in Android 12; this change reverts that revert (a revert of the revert).
Revert "Revert "Add automatic default value for char-type field""
This reverts commit ac1cb3eb26525c868fd7dfeba90b6ee85161c9d8.
Original commit message:
Add automatic default value for char-type field
char type fields are auto-initialized with '\0' when not specified.
Ignore-AOSP-First: security fix
Bug: 206718630
Test: aidl_unittests
Reason for re-submit:
Conflicts resolved in the downstream branches.
- Affected versions: 12
- Credit: Jooyung Han of Google
CVE-2021-39674
- Use-after-free in btm_sec_connected and btm_sec_disconnected
- Affected versions: 10, 11, 12
- Credit: Nguyễn Hoàng Thạch (d4rkn3ss) of STAR Labs
CVE-2021-0706
- In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11. Android ID: A-193444889
- As of writing, the code changes for this vulnerability have not been published
- Affected versions: 10, 11
- Credit: Ryan Johnson and Mohamed Elsabagh of Kryptowire
2022-02-05 security patch level vulnerability details
System
CVE-2021-39631
- <string name="clear_data_dlg_text" msgid="7870723948123690332">"系统会永久删除此应用的所有数据。删除的内容包括所有文件、设置、帐号、数据库等。"</string>
+ <string name="clear_data_dlg_text" msgid="1107610960337399006">"系统将永久删除此应用的数据,其中包括文件、设置、数据库和其他应用数据。"</string>
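Review bot: this hunk touches only the zh-CN translation, and the changed `msgid` (7870723948123690332 to 1107610960337399006) indicates the source-language string was changed as well, since that id is derived from the English text; confirm the matching update to the default `values/strings.xml` is part of the same change so the translations do not drift from the source. Content-wise, the new text no longer claims that accounts (帐号) are removed along with the app's data, narrowing the dialog to files, settings, databases and other app data.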
- Affected versions: 10, 11, 12
- Credit: Pustam Raut (पुस्तम राउत) from Sarlahi & IISc/RIT/NMC