2022-05-01 security patch level vulnerability details
Framework
CVE-2021-39662
- The system must not grant FLAG_GRANT_PREFIX_URI_PERMISSION for MediaProvider URIs. With a prefix grant, an app that holds access to a single media collection (audio, images or downloads, say) can reach files in every collection without requesting any further permission. The root cause is that FLAG_GRANT_PREFIX_URI_PERMISSION authorizes every URI under the granted prefix, which widens the scope of the original grant beyond the item or collection it was meant to cover.
- Background: MediaProvider is the implementation behind scoped storage since Android 10. Its purpose is to give apps access to the common media collections even though they can no longer read and write the sdcard directly, much like the model on iOS.
- Updated AOSP versions: 11, 12
- Credit: none
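To make the widening concrete, here is an added example (not AOSP code) that models how a content URI is matched against a granted URI in exact mode and in prefix mode, using segment-wise matching as Uri.isPathPrefixMatch does, and then applies the refusal the fix introduces: a prefix grant whose authority is MediaProvider's is rejected. The class, the grant() helper and the sample URIs are assumed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not AOSP code: a minimal model of exact vs. prefix URI grants
// (FLAG_GRANT_PREFIX_URI_PERMISSION) and of the MediaProvider refusal the fix adds.
public class PrefixGrantDemo {
    // Authority of MediaProvider URIs (content://media/...).
    static final String MEDIA_AUTHORITY = "media";

    /** One granted URI plus whether it was granted as a prefix. */
    static final class GrantUri {
        final String authority;
        final List<String> pathSegments = new ArrayList<>();
        final boolean prefix;

        GrantUri(String uri, boolean prefix) {
            // Parse "content://authority/seg1/seg2/..." into authority and path segments.
            String rest = uri.substring("content://".length());
            int slash = rest.indexOf('/');
            authority = slash < 0 ? rest : rest.substring(0, slash);
            if (slash >= 0) {
                for (String seg : rest.substring(slash + 1).split("/")) {
                    if (!seg.isEmpty()) pathSegments.add(seg);
                }
            }
            this.prefix = prefix;
        }

        /** Segment-wise match: a prefix grant on ".../audio" must not cover ".../audio_x". */
        boolean covers(GrantUri target) {
            if (!authority.equals(target.authority)) return false;
            if (!prefix) return pathSegments.equals(target.pathSegments);
            if (target.pathSegments.size() < pathSegments.size()) return false;
            return pathSegments.equals(target.pathSegments.subList(0, pathSegments.size()));
        }
    }

    /** The check the fix adds (assumed helper): a prefix grant must never target MediaProvider. */
    static GrantUri grant(String uri, boolean prefix) {
        GrantUri g = new GrantUri(uri, prefix);
        if (prefix && MEDIA_AUTHORITY.equals(g.authority)) {
            throw new SecurityException("prefix grants are not allowed for " + uri);
        }
        return g;
    }

    public static void main(String[] args) {
        // Constructed sample items: one audio file and one photo.
        GrantUri audio = new GrantUri("content://media/external/audio/media/42", false);
        GrantUri photo = new GrantUri("content://media/external/images/media/7", false);

        // An exact grant covers that one item only.
        GrantUri exact = new GrantUri("content://media/external/audio/media/42", false);
        System.out.println("exact covers audio/42: " + exact.covers(audio));
        System.out.println("exact covers images/7: " + exact.covers(photo));

        // A prefix grant on the volume root covers every collection under it.
        GrantUri wide = new GrantUri("content://media/external", true);
        System.out.println("prefix covers audio/42: " + wide.covers(audio));
        System.out.println("prefix covers images/7: " + wide.covers(photo));

        // With the fix, the system refuses to create such a grant in the first place.
        try {
            grant("content://media/external", true);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The exact grant matches only the audio item, the prefix grant on content://media/external matches both the audio item and the photo, and the final call is rejected. The segment comparison matters: a naive String.startsWith would also let a prefix on ".../audio" match a sibling collection whose name merely begins with "audio".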
CVE-2022-20004
- SliceManagerService's checkSlicePermission() does not verify the identity of the caller.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Aman Pandey of bugsmirror
CVE-2022-20005
- Once an app's base.apk has been updated, PackageManagerService (PMS) now restarts the target app immediately.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Edward Cunningham of Google
CVE-2022-20007
- When an Activity is occluded by another window (a translucent floating window, for example), the framework no longer calls the Activity's onResume(). Some apps perform authentication or authorization steps in onResume(), and an overlay drawn over the Activity at that moment can mislead the user about what they are confirming.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Xianbo Wang (@sanebow) of MobiTec, The Chinese University of Hong Kong
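The framework fix helps only on patched devices, so an app that gates a sensitive step on onResume() still wants its own defence. The following added example (not AOSP or any vendor's code) shows an Activity that runs the sensitive step only while it is resumed, is the top resumed activity, and holds window focus, and that additionally filters obscured touches and asks the system to hide overlay windows on Android 12 and later. The class name and the confirmation helper are assumed placeholders.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;

// Added example, not framework code: do not trust onResume() alone as the
// "user can see and interact with us" signal when an overlay may be on top.
public class PaymentConfirmActivity extends Activity {
    private boolean resumed;
    private boolean topResumed;   // set by onTopResumedActivityChanged (API 29+)
    private boolean hasFocus;     // set by onWindowFocusChanged
    private boolean shown;        // run the sensitive step once per resume

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Drop touches that arrive while another window is drawn over us (tapjacking).
        // The overlay can still cover what the user sees, hence the checks below.
        getWindow().getDecorView().setFilterTouchesWhenObscured(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Ask the system to hide non-system overlay windows above this one.
            // Requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
            getWindow().setHideOverlayWindows(true);
        }
        // Keep the content out of screenshots, screen recording and the recents thumbnail.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    protected void onResume() {
        super.onResume();
        resumed = true;
        shown = false;
        maybeRunSensitiveStep();
    }

    @Override
    protected void onPause() {
        resumed = false;
        super.onPause();
    }

    @Override
    public void onTopResumedActivityChanged(boolean isTopResumedActivity) {
        // False while a translucent activity from another task sits on top of us.
        topResumed = isTopResumedActivity;
        maybeRunSensitiveStep();
    }

    @Override
    public void onWindowFocusChanged(boolean focus) {
        super.onWindowFocusChanged(focus);
        // Focus is lost while a focusable floating window covers us.
        hasFocus = focus;
        maybeRunSensitiveStep();
    }

    private void maybeRunSensitiveStep() {
        // onTopResumedActivityChanged does not exist before Android 10; treat it as true there.
        boolean top = Build.VERSION.SDK_INT < Build.VERSION_CODES.Q || topResumed;
        if (resumed && top && hasFocus && !shown) {
            shown = true;
            showPaymentConfirmation();
        }
    }

    private void showPaymentConfirmation() {
        // Assumed helper: draw the confirmation UI and collect the user's decision.
    }
}
```

The three flags are deliberately combined: onResume() fires even when the Activity is covered, onTopResumedActivityChanged(false) catches translucent activities on top, and onWindowFocusChanged(false) catches focusable overlay windows. None of them detects a non-focusable overlay, which is what setHideOverlayWindows() and the obscured-touch filter are for.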
CVE-2021-39700
- Allows adbd to access /proc/net/{tcp,tcp6,udp,udp6}; it is not clear what security impact disallowing that access would have.
- Updated AOSP versions: 10, 11, 12
- Credit: Gregory Montoir and Gary Arakaki of Google
System
CVE-2022-20113
- The Default USB configuration setting switches its UI from RestrictedSwitchPreference to RestrictedPreference, presumably related to how the setting can be reached from the lock screen.
- Updated AOSP versions: 12, 12L
- Credit: Ben Turley
CVE-2022-20114
- If a ConnectionService returns a null binding, the system now unbinds from it automatically.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Aman Pandey of bugsmirror
CVE-2022-20116
- SystemUI's CallNotificationInfo takes an Intent as a parameter and starts an activity with it, which leads to a LaunchAnyWhere vulnerability: an untrusted app can have SystemUI start an Intent of the app's choosing with SystemUI's own identity.
- Updated AOSP versions: 12, 12L
- Credit: Michał Bednarski (michalbednarski)
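The pattern behind the bug, and two ways to close it, as an added example that is not SystemUI code: a privileged Activity receives an Intent from an unprivileged sender and starts it. The vulnerable line is left commented out; the first hardened path only starts components from an allowlist and rebuilds the Intent so no flags or URI grants from the sender survive, and the second path has the sender supply a PendingIntent, which executes with the sender's permissions rather than ours. The class name, the extra keys "target" and "target_pi", and the allowlisted component are assumed.

```java
import android.app.Activity;
import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

// Added example, not SystemUI code: a LaunchAnyWhere sink and two hardened replacements.
public class PrivilegedLauncherActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent supplied = getIntent().getParcelableExtra("target");        // assumed extra
        PendingIntent callerPi = getIntent().getParcelableExtra("target_pi"); // assumed extra

        // VULNERABLE: whatever Intent the (unprivileged) sender put in the extra is
        // started with THIS app's identity, so the sender reaches non-exported
        // activities and can ride on our URI grants.
        // startActivity(supplied);

        // Option 1: keep starting on the sender's behalf, but only what we vetted.
        if (supplied != null) {
            startVetted(supplied);
        }

        // Option 2 (preferred): the sender hands us a PendingIntent it created itself;
        // sending it runs with the SENDER's permissions and identity, not ours.
        if (callerPi != null) {
            try {
                callerPi.send();
            } catch (PendingIntent.CanceledException ignored) {
                // The sender cancelled it; nothing to launch.
            }
        }
    }

    private void startVetted(Intent supplied) {
        ComponentName cn = supplied.getComponent();
        if (cn == null) {
            // An implicit Intent would be resolved system-wide with our identity; refuse.
            return;
        }
        // Only our own package, and only this one allowlisted activity (assumed name).
        if (!getPackageName().equals(cn.getPackageName())
                || !"com.example.priv.CallDetailsActivity".equals(cn.getClassName())) {
            return;
        }
        // Rebuild the Intent ourselves: copy the action and the one extra we understand,
        // never the sender's flags, so FLAG_GRANT_* and FLAG_ACTIVITY_* tricks are dropped.
        Intent safe = new Intent()
                .setComponent(cn)
                .setAction(supplied.getAction())
                .putExtra("call_id", supplied.getStringExtra("call_id"));
        startActivity(safe);
    }
}
```

Rebuilding the Intent rather than sanitizing the supplied one is the important detail in option 1: stripping individual flags is easy to get wrong, while a fresh Intent carries only what the privileged side chose to put in it.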
CVE-2022-20010
- Out-of-bounds read in the Bluetooth stack's handling of the L2CAP_CMD_CREDIT_BASED_CONN_RES command: the length check only required 2 bytes to remain in the packet, and the fix raises it to 8:
case L2CAP_CMD_CREDIT_BASED_CONN_RES:
- if (p + 2 > p_pkt_end) {
+ if (p + 8 > p_pkt_end) {
LOG(ERROR) << "invalid L2CAP_CMD_CREDIT_BASED_CONN_RES len";
return;
}
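Review bot: the new guard `if (p + 8 > p_pkt_end)` still forms `p + 8` before comparing, and when fewer than 8 bytes remain that pointer lies beyond the end of the packet buffer, which is undefined behaviour in C++ even though the compare then fails; compare the remaining length instead, e.g. `if (p_pkt_end - p < 8)`. Also note that 8 bytes covers only the fixed part of the response; if the code after this guard goes on to read the variable-length destination CID list that a credit-based connection response carries after those fixed fields, each of those reads needs its own bound (or the loop must be limited by `(p_pkt_end - p) / 2`), since this check says nothing about bytes past offset 8.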
- Updated AOSP versions: 12, 12L
- Credit: Kevin Deus of Google
CVE-2022-20011
- NotificationManagerService's getActiveNotifications() and getHistoricalNotifications() do not validate the requested user correctly in multi-user scenarios, so a caller can read notification content belonging to another user. Exploiting it appears to require the notification access (notification listener) permission.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Art (github)
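Both this entry and CVE-2022-20004 above come down to a Binder entry point trusting its arguments: SliceManagerService did not check who was calling, and NotificationManagerService did not check whether the caller may act for the user it asked about. The following added example (not NotificationManagerService or SliceManagerService code) shows the two checks a system-service method should make before returning per-user data: that the caller holds the feature permission at all, and that a request for another user's data is backed by INTERACT_ACROSS_USERS_FULL. The service skeleton, the in-memory record store, the sample notifications and the hasNotificationAccess() helper are assumed.

```java
import android.content.Context;
import android.os.Binder;
import android.os.UserHandle;
import java.util.ArrayList;
import java.util.List;

// Added example, not AOSP code: caller and cross-user checks on a system-service entry point.
public class NotificationQueryService {
    private static final String INTERACT_ACROSS_USERS_FULL =
            "android.permission.INTERACT_ACROSS_USERS_FULL";

    private final Context mContext;
    // Constructed sample store: (userId, notification text) pairs, as if posted on the device.
    private final List<Object[]> mRecords = new ArrayList<>();

    public NotificationQueryService(Context context) {
        mContext = context;
        mRecords.add(new Object[] {0, "user 0: one-time code 123456"});
        mRecords.add(new Object[] {10, "user 10: meeting moved to 3pm"});
    }

    /** Binder entry point: returns the texts of notifications posted for {@code userId}. */
    public List<String> getActiveNotifications(String callingPkg, int userId) {
        // Binder.getCallingUid() is the caller's identity as seen by the kernel; never
        // trust a uid or userId that arrives as a plain argument.
        final int callingUid = Binder.getCallingUid();

        // Check 1: does this caller have notification access at all?
        if (!hasNotificationAccess(callingUid, callingPkg)) {
            throw new SecurityException(callingPkg + " lacks notification access");
        }

        // Check 2: the requested user must be the caller's own user unless the caller
        // holds INTERACT_ACROSS_USERS_FULL. This is the check the entry says was missing.
        // UserHandle.getUserId(uid) is a platform-internal API available to system code.
        final int callingUserId = UserHandle.getUserId(callingUid);
        if (userId != callingUserId) {
            mContext.enforceCallingOrSelfPermission(INTERACT_ACROSS_USERS_FULL,
                    "getActiveNotifications for user " + userId);
        }

        List<String> out = new ArrayList<>();
        for (Object[] rec : mRecords) {
            if ((Integer) rec[0] == userId) out.add((String) rec[1]);
        }
        return out;
    }

    private boolean hasNotificationAccess(int uid, String pkg) {
        // Assumed helper: in a real service this consults the notification-listener /
        // access settings for (uid, pkg) and verifies that pkg really belongs to uid.
        return true;
    }
}
```

With these checks, a caller running as user 10 that asks for user 0's notifications is refused unless it holds the signature-level cross-user permission, while the same caller asking for its own user still passes; before the fix only the first check stood between a listener app and every user's notification text.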
CVE-2022-20115
- For the android.intent.action.SERVICE_STATE broadcast sent by TelephonyRegistry, extras containing location information are no longer delivered to apps that lack ACCESS_FINE_LOCATION. The broadcast now goes out with the full ServiceState only to holders of ACCESS_FINE_LOCATION and with a location-sanitized copy to everyone else:
// Send the broadcast twice -- once for all apps with READ_PHONE_STATE, then again
- // for all apps with READ_PRIV but not READ_PHONE_STATE. This ensures that any app holding
- // either READ_PRIV or READ_PHONE get this broadcast exactly once.
- mContext.sendBroadcastAsUser(intent, UserHandle.ALL, Manifest.permission.READ_PHONE_STATE);
- mContext.createContextAsUser(UserHandle.ALL, 0)
- .sendBroadcastMultiplePermissions(intent,
- new String[] { Manifest.permission.READ_PRIVILEGED_PHONE_STATE },
- new String[] { Manifest.permission.READ_PHONE_STATE });
+ // for all apps with READ_PRIVILEGED_PHONE_STATE but not READ_PHONE_STATE.
+ // Do this again twice, the first time for apps with ACCESS_FINE_LOCATION, then again with
+ // the location-sanitized service state for all apps without ACCESS_FINE_LOCATION.
+ // This ensures that any app holding either READ_PRIVILEGED_PHONE_STATE or READ_PHONE_STATE
+ // get this broadcast exactly once, and we are not exposing location without permission.
+ mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+ new String[] {Manifest.permission.READ_PHONE_STATE,
+ Manifest.permission.ACCESS_FINE_LOCATION});
+ mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+ new String[] {Manifest.permission.READ_PRIVILEGED_PHONE_STATE,
+ Manifest.permission.ACCESS_FINE_LOCATION},
+ new String[] {Manifest.permission.READ_PHONE_STATE});
+
+ // Replace bundle with location-sanitized ServiceState
+ data = new Bundle();
+ state.createLocationInfoSanitizedCopy(true).fillInNotifierBundle(data);
+ intent.putExtras(data);
+ mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+ new String[] {Manifest.permission.READ_PHONE_STATE},
+ new String[] {Manifest.permission.ACCESS_FINE_LOCATION});
+ mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+ new String[] {Manifest.permission.READ_PRIVILEGED_PHONE_STATE},
+ new String[] {Manifest.permission.READ_PHONE_STATE,
+ Manifest.permission.ACCESS_FINE_LOCATION});
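Review bot: `intent.putExtras(data)` replaces the extras of the same `intent` object that the two unsanitized `sendBroadcastMultiplePermissions` calls just above were handed; that is correct only if the activity manager copies the Intent at send time, so either state that assumption in a comment or build a second Intent for the two sanitized sends, otherwise a later refactor that defers or batches the sends would deliver the unsanitized ServiceState to receivers without ACCESS_FINE_LOCATION. The unchanged leading comment `// Send the broadcast twice -- once for all apps with READ_PHONE_STATE, then again` is now stale, since the block sends four times; reword it to match the new comment lines that follow it. `state.createLocationInfoSanitizedCopy(true)` also passes a bare boolean whose meaning is not visible at the call site; a short comment naming what `true` selects would help the next reader.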
- Updated AOSP versions: 12, 12L
- Credit: hsia.angsh
CVE-2021-39670
- Wallpapers are now decoded with ImageDecoder instead of BitmapRegionDecoder, because the BitmapRegionDecoder-based generateCrop() path could not handle oversized image files.
- Updated AOSP versions: 12, 12L
- Credit: Sithija
CVE-2022-20112
- The Private DNS setting is hidden in guest mode, so a guest user can no longer change it.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Xianfeng Lu(卢先锋) and Lei Ai(艾磊) of OPPO Amber Security Lab
2022-05-05 security patch level vulnerability details