# Android Security Bulletin Index 2022

## 2022-12-01 security patch level vulnerability details

### Android Runtime

#### CVE-2022-20502

- Use-after-free when handling dex_caches_ in the ART module. When openDexFile is used, the class linker caches the dex file address in dex_caches_, but closeDexFile frees it without removing it from dex_caches_, so a use-after-free occurs when another thread iterates over dex_caches_.

### Framework

#### CVE-2022-20472

- Out-of-bounds read in registerLocaleList in minikin.

#### CVE-2022-20473

- Out-of-bounds access in registerLocaleList in minikin.

#### CVE-2021-39617

- DrawingState::trustedOverlay in SurfaceFlinger is left uninitialized and may happen to be initialized to true.

#### CVE-2021-39795

- isDataOrObbPath only blocks access to Android/[data|obb] itself and does not directly block access to their subdirectories; access to the subdirectories is decided by the app itself.

#### CVE-2022-20124

- Prevent non-admin users from deleting system apps.

#### CVE-2022-20442

- No public patch link for this vulnerability.

#### CVE-2022-20444

#### CVE-2022-20470

- The bindRemoteViewsService method of AppWidgetManager now specifies the BIND_FOREGROUND_SERVICE_WHILE_AWAKE flag when calling bindService, to prevent bypassing the background Activity launch restriction; detailed analysis pending.

#### CVE-2022-20474

- AccountManagerService adds a check for re-serialization of KEY_INTENT (a Bundle serialization issue), and fixes the Android 13 bug where readLazyValue accepted a negative field length, which rolled the read cursor backwards.

#### CVE-2022-20475

- Activity hijacking via allowTaskReparenting; task reparenting is now only allowed when the current app's TaskAffinity matches the target Task's TaskAffinity (not fully understood, needs further testing).

#### CVE-2022-20477

- Hide notifications marked VISIBILITY_SECRET on the lock screen. This issue only affects Android 13 and worked correctly in earlier versions, so it was probably introduced by accident during the major version iteration.

#### CVE-2022-20485

#### CVE-2022-20486

#### CVE-2022-20491

- Limit the length of some fields in NotificationChannel and NotificationChannelGroup; nine CVE IDs were assigned in total, three of which are in this section.

#### CVE-2022-20611

- Prevent uninstalling protected packages; this fixes the widely circulated `pm uninstall --user 0` trick.

#### CVE-2021-0934

- The check limiting Account name and type to under 200 characters was moved from Account.java (client side) to AccountManagerService.java (server side) so it cannot be bypassed.

#### CVE-2022-20449

- Path traversal in the setApplicationRestrictions function of UserManagerService.

#### CVE-2022-20482

- Reduce the number of NotificationChannels each app can register from 50000 to 5000.

#### CVE-2022-20500

- Ignore invalid Shortcut objects.

### Media Framework

#### CVE-2022-20496

- Heap use-after-free in NuMediaExtractor in libstagefright.

### System

#### CVE-2022-20411

- Out-of-bounds write when the Bluetooth component copies AVDT and AVCT packets; a length check was added.

#### CVE-2022-20498

- Out-of-bounds read in the fdt_path_offset_namelen function of libfdt.

#### CVE-2022-20469

- Out-of-bounds write in AVCT in the Bluetooth component.

#### CVE-2022-20144

- Avatar Picker can read photos without authorization; this time the issue is in EmergencyInfo.

#### CVE-2022-20240

- Prevent privileged apps from bypassing location restrictions, while allowing system_server to bypass them (for restricted users).

#### CVE-2022-20478

#### CVE-2022-20479

#### CVE-2022-20480

#### CVE-2022-20484

#### CVE-2022-20487

#### CVE-2022-20488

- Limit the length of some fields in NotificationChannel and NotificationChannelGroup; nine CVE IDs were assigned in total, six of which are in this section.

#### CVE-2022-20495

#### CVE-2022-20501

- Add the SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS flag to the EnableAccountPreferenceActivity screen to prevent overlay hijacking attacks.

#### CVE-2022-20466

- Prevent the ChooseLockPassword screen from being projected onto a RemoteView by adding the FLAG_SECURE flag. Because it is harder to obtain the overlay permission on Android 13, the severity is Moderate on 13 and High on other versions.

#### CVE-2022-20471

- Out-of-bounds read in NxpMfcReader in the NFC module.

#### CVE-2022-20483

- Integer overflow when handling AVRC responses.

#### CVE-2022-20497

- Sensitive notification content may be shown on the lock screen; the logic described in the CL is fairly complicated.

#### CVE-2022-20468

- Out-of-bounds read in BNEP.

## 2022-11-01 security patch level vulnerability details

### Framework

#### CVE-2022-2209

- Possible race condition in the setSecurityLevel operation of the clearKey flow in the DRM component.

#### CVE-2022-20441

- In the navigateUpTo method of WMS, if the caller UID differs from the target Activity's UID, non-exported Activities may no longer be invoked, preventing a LaunchAnyWhere vulnerability.

#### CVE-2022-20446

- The CAPTURE_AUDIO_HOTWORD permission is now required to access AlwaysOnHotwordDetector; without RECORD_AUDIO, audio cannot be recognized either. This is mainly used by voice assistants.

#### CVE-2022-20448

- In the accessibility module, AccessibilityEvents are no longer sent when the notification is posted to a different User ID.

#### CVE-2022-20450

- For apps upgraded from Android Q, if the app's target SDK level is Q, automatically granting the AR runtime permission is prohibited.

#### CVE-2022-20452

- In Android 13, if ReadWriteHelper is used, the BaseBundle object no longer uses the LazyValue mechanism; otherwise a LazyValue object may still hold a reference to a Parcel object after that Parcel has been recycled (possibly similar to a UAF).

#### CVE-2022-20457

- In StorageManager, the legacy WRITE_EXTERNAL_STORAGE permission check for external installers is removed, since scoped storage is now enforced.

### Multiple components

#### CVE-2022-20426

- Use ParceledListSlice when fetching list data from TelecomManager; otherwise, when phoneAccountHandles exceed 1MB, a TransactionTooLarge exception is thrown and an empty list is silently returned, affecting availability.

### System

#### CVE-2022-20451

- The PhoneAccountHandle data returned by CallRedirectionService was not checked for crossing users.

#### CVE-2022-20454

#### CVE-2022-20462

- Out-of-bounds write in phNxpNciHal_write_unlocked in the NFC module.

#### CVE-2022-20465

- When a SIM card must be unlocked with the PUK because the PIN was entered too many times, a race condition after the PUK unlock wrongly skipped the lock screen password, resulting in a lock screen bypass. This vulnerability drew a lot of attention when it was disclosed in mid November; search for the keyword "Android PUK vulnerability" for more information.

#### CVE-2022-20445

- Add a negative-value check in the process_service_search_rsp function of the Bluetooth SDP module.

#### CVE-2022-20447

- In Bluetooth PAN, pcb->write.octets no longer uses the global len in its addition.

#### CVE-2022-20414

- In AlarmManagerService, do not perform a soft reboot when the Alarm limit is reached.

#### CVE-2022-20453

- Path traversal in MmsProvider, which can unexpectedly change a file's permissions to 0644.

## 2022-10-01 security patch level vulnerability details

### Framework

#### CVE-2022-20419

- The ActivityOptions inside ActivityRecord now clear mRemoteTransition before being passed to the app, to prevent leaking sensitive information, since it contains an IApplicationThread object. Following the patch upward, the call site is makeActiveIfNeeded, which is invoked when the Activity's resume or pause lifecycle is scheduled. This vulnerability is rated Critical.

#### CVE-2022-20420

- In AppRestrictionController, the user allowlist check is moved after all other allowlist checks, to prevent bypassing device policy restrictions.

#### CVE-2022-20351

- SQL injection in CallLogProvider queries: the phoneNumber field was concatenated directly instead of being passed as a selectionArgument, which bypassed the Voicemail permission check.

#### CVE-2021-39624

- Null pointer exception in PackageInstallerService.

#### CVE-2021-39758

- Activities displayed on a Private Virtual Display have the type TYPE_PRIVATE_PRESENTATION and are no longer counted as visible windows, preventing a background popup bypass.

#### CVE-2022-20415

- If a notification group sets a GroupAlertBehavior (presumably Notification.GROUP_ALERT_SUMMARY), full-screen intents (FullScreenIntent) are blocked by default in the unlocked state; this is probably meant to prevent background popups via FullScreenIntent. Needs further research.

### System

#### CVE-2022-20412

- Bounds-check issue in libfdt.

#### CVE-2022-20416

- Array index out of bounds in audioTransportToHal.

#### CVE-2022-20417

- No public patch link for this vulnerability.

#### CVE-2021-39673

- Appears to be a BLE address randomization issue: the address policy is reconfigured when the last bond is removed, and set requests are ignored when an address policy already exists.

#### CVE-2022-20394

- Only the active input method (IME) app may call getInputMethodWindowVisibleHeight; other apps are blocked.

#### CVE-2022-20410

- Integer overflow when Bluetooth AVRC handles vendor responses.

#### CVE-2022-20425

- Ensure Zen mode restrictions are scoped to the app package; not sure whether this feature is usable on OEM builds.

## 2022-09-01 security patch level vulnerability details

### Android Runtime

#### CVE-2022-22822

#### CVE-2022-23852

#### CVE-2022-23990

#### CVE-2022-25314

* Google updated the version of the external/expat library and fixed three integer overflow vulnerabilities.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: None

### Framework

#### CVE-2022-20218

* In PermissionController, if one permission in a permission group is already granted, the other permissions in the group may be granted automatically; how to construct this remains to be analyzed.
* Affected AOSP versions: 12, 12L
* Credits: Hai Zhang of Google

#### CVE-2022-20392

* An app is no longer allowed to define the same custom permission twice with different protection levels. Normally, if an app re-defines a permission already defined by another app, installation fails the check, but when both duplicate permissions are in the app being installed it is unclear what the exploitation scenario is.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Rui Li and Wenrui Diao, Shandong University

#### CVE-2022-20393

* Fixed an out-of-bounds read in libstagefright.
* Affected AOSP versions: 11, 12, 12L
* Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### CVE-2022-20197

* Clear mClassCookies when a Parcel object is recycled so they cannot be reused. The commit message this Google developer wrote is quite cheeky; sharing it here, haha.

    ```
    Parcel: recycle recycles

    Before, it was like getting a used pan with food stuck on it. We run
    a clean ship here. You want a Parcel? You get a fresh Parcel. When
    we recycle a Parcel, we do a real clean-up job. Air freshener. All
    bits brushed over. These Parcel objects are clean as heck now!

    (specifically cleans mClassCookies)
    ```

* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Chucheng Ye, Binhu Yang, Hongzhi Ding of OPPO and En He of OPPO ZIWU Security Lab

### System
#### [CVE-2022-20395](https://www.cve.org/CVERecord?id=CVE-2022-20395)
* Path traversal in MediaProvider's handling of the delete call, leading to arbitrary file deletion. The fix switches to the getCanonicalFile/getCanonicalPath API and normalizes the path before using it.
* Affected AOSP versions: 11, 12, 12L, 13
* Credits: C_C

#### [CVE-2022-20398](https://www.cve.org/CVERecord?id=CVE-2022-20398)
* Prevent adding WiFi networks through the camera app; another restriction related to Android for Work.
* Affected AOSP versions: 11, 12, 12L, 13
* Credits: Lucian of OPPO Amber Security Lab

#### [CVE-2022-20396](https://www.cve.org/CVERecord?id=CVE-2022-20396)
* On large-screen devices, SettingsActivity shows the settings home page on the left and the second-level page on the right, which breaks the callingPackage verification of the second-level page; as a result, launching the Bluetooth scanning screen (ConnectedDeviceDashboardFragment) may unexpectedly make Bluetooth discoverable.
* Affected AOSP versions: 12L, 13
* Credits: None

## 2022-08-01 security patch level vulnerability details
### Framework
#### [CVE-2021-39696](https://www.cve.org/CVERecord?id=CVE-2021-39696)
* The android:relinquishTaskIdentity attribute could be abused by a malicious app to carry out Activity task-reparenting (task hijacking) attacks. The change makes the attribute take effect only within the same app. A similar earlier vulnerability is [CVE-2020-0096](https://www.cve.org/CVERecord?id=CVE-2020-0096); for Activity task hijacking see the StrandHogg series published on this blog in 2020.
* Affected AOSP versions: 10, 11, 12
* Credits: Edward Cunningham of Google

#### [CVE-2022-20344](https://www.cve.org/CVERecord?id=CVE-2022-20344)
* Fixed a potential race condition in stealReceiveChannel of the SurfaceFlinger process.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Hongli Han(@hexb1n) and Guang Gong(@oldfresher) of 360 Alpha Lab

#### [CVE-2022-20348](https://www.cve.org/CVERecord?id=CVE-2022-20348)
* DISALLOW_CONFIG_LOCATION now correctly disables WiFi scanning and Bluetooth scanning, since both scanning features can also be used for location services; this CVE tracks the WiFi scanning issue. Appears to be an Android for Work related feature.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Robert Tseng

#### [CVE-2022-20349](https://www.cve.org/CVERecord?id=CVE-2022-20349)
* DISALLOW_CONFIG_LOCATION now correctly disables WiFi scanning and Bluetooth scanning, since both scanning features can also be used for location services; this CVE tracks the Bluetooth scanning issue. Appears to be an Android for Work related feature.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Robert Tseng

#### [CVE-2022-20356](https://www.cve.org/CVERecord?id=CVE-2022-20356)
* In ActiveServices, the restriction check for foreground services started from the background (BG-FGS) now verifies that callingPackage belongs to the caller's uid, preventing a malicious app from using it to bypass the BG-FGS restriction.
* Affected AOSP versions: 11, 12, 12L
* Credits: Kieron Quinn (https://kieronquinn.co.uk/)

#### [CVE-2022-20350](https://www.cve.org/CVERecord?id=CVE-2022-20350)

#### [CVE-2022-20352](https://www.cve.org/CVERecord?id=CVE-2022-20352)
* In LocationManagerService, prevent an app without the INTERACT_ACROSS_USERS permission from reading other users' location requests across users by registering a listener callback through addProviderRequestListener.
* Affected AOSP versions: 12, 12L
* Credits: Aman Pandey of bugsmirror

#### [CVE-2022-20357](https://www.cve.org/CVERecord?id=CVE-2022-20357)
* Zero uninitialized memory in SurfaceControl.
* Affected AOSP versions: 12, 12L
* Credits: lovepink

#### [CVE-2022-20358](https://www.cve.org/CVERecord?id=CVE-2022-20358)
* Only the system uid may access the account sync service an app registers, i.e. the SyncAdapter.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Edward Cunningham of Google

### Media Framework
#### [CVE-2022-20346](https://www.cve.org/CVERecord?id=CVE-2022-20346)
* Out-of-bounds read in MPEG4Extractor.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### [CVE-2022-20353](https://www.cve.org/CVERecord?id=CVE-2022-20353)
* Ensure the file chosen by the ringtone picker really is an audio file.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: None

### System
#### [CVE-2022-20345](https://www.cve.org/CVERecord?id=CVE-2022-20345)

#### [CVE-2022-20347](https://www.cve.org/CVERecord?id=CVE-2022-20347)
* Do not make Bluetooth discoverable when the SliceDeepLinkTrampoline screen appears, because this page is not shown for the purpose of connecting new Bluetooth devices.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: None

#### [CVE-2022-20354](https://www.cve.org/CVERecord?id=CVE-2022-20354)
* Ensure the IKEv2 VPN is not unexpectedly disconnected when WiFi connects or disconnects.
* Affected AOSP versions: 11, 12, 12L
* Credits: Nathan Harold of Google

#### [CVE-2022-20360](https://www.cve.org/CVERecord?id=CVE-2022-20360)
* Do not allow Guest users to disable the Secure NFC switch.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: None

#### [CVE-2022-20361](https://www.cve.org/CVERecord?id=CVE-2022-20361)
* When authentication fails because the pairing key is missing, remove the device from the bonded device list.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Daniele Antonioli (EURECOM), Nils Ole Tippenhauer (CISPA), Kasper Rasmussen (University of Oxford), Mathias Payer (EPFL).

#### [CVE-2022-20355](https://www.cve.org/CVERecord?id=CVE-2022-20355)
* Validate the supplied PAC URL.
* Affected AOSP versions: 10, 11, 12, 12L
* Credits: Austin Emmitt of NowSecure (@alkalinesec)

## 2022-07-01 security patch level vulnerability details
### Framework
#### [CVE-2022-20219](https://www.cve.org/CVERecord?id=CVE-2022-20219)
- When StorageManagerService hits an exception while encrypting a user's files, it must rethrow the exception to the caller to signal that the encryption failed, instead of silently handling it and leaving some files unencrypted.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Eric Biggers of Google

#### [CVE-2022-20228](https://www.cve.org/CVERecord?id=CVE-2022-20228)
- Race condition in C2DmaBufAllocator memory mapping.
- Updated AOSP versions: 12, 12L
- Credits: None

### System
#### [CVE-2022-20222](https://www.cve.org/CVERecord?id=CVE-2022-20222)
- Out-of-bounds write in gatt_db in the Bluetooth process.
```diff
     uint16_t char_ext_prop =
         attr16.p_value ? attr16.p_value->char_ext_prop : 0x0000;
     *p_len = 2;
+
+    if (mtu < *p_len) {
+      android_errorWriteWithInfoLog(0x534e4554, "228078096", -1, NULL, 0);
+      return GATT_NO_RESOURCES;
+    }
+
     UINT16_TO_STREAM(p, char_ext_prop);
     *p_data = p;
     return GATT_SUCCESS;
```
- Updated AOSP versions: 12, 12L
- Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab
#### [CVE-2022-20229](https://www.cve.org/CVERecord?id=CVE-2022-20229)
- Out-of-bounds write in the HFP Client of the Bluetooth process.
```diff
   APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
+  if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+    return;
+  }
   /* look for a matching indicator on list of supported ones */
   for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
     if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### [CVE-2021-0981](https://www.cve.org/CVERecord?id=CVE-2021-0981)
- For a notification that fixNotification cannot repair, if it is a foreground service notification, the corresponding foreground service must be killed. Android 12 does not have this issue.
```diff
     // Fix the notification as best we can.
     try {
         fixNotification(notification, pkg, tag, id, userId);
     } catch (Exception e) {
+        if (notification.isForegroundService()) {
+            throw new SecurityException("Invalid FGS notification", e);
+        }
         Slog.e(TAG, "Cannot fix notification", e);
         return;
     }
```
- Updated AOSP versions: 10, 11
- Credits: None

#### [CVE-2022-20223](https://www.cve.org/CVERecord?id=CVE-2022-20223)
- AppRestrictionsFragment checks whether the package of the incoming Intent satisfies the same-app requirement, but the check is flawed: when a component name is set, the package name field is ignored. The fix removes this redundant check.
```diff
     private void assertSafeToStartCustomActivity(Intent intent) {
-        // Activity can be started if it belongs to the same app
-        if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
-            return;
-        }
+        EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "");
         ResolveInfo resolveInfo = mPackageManager.resolveActivity(
                 intent, PackageManager.MATCH_DEFAULT_ONLY);
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Tianyi Hu (胡天易) of Bytedance Wuheng Lab

#### [CVE-2022-20226](https://www.cve.org/CVERecord?id=CVE-2022-20226)
- To be analyzed.
- Updated AOSP versions: 12, 12L
- Credits: Rob Carr of Google

#### [CVE-2022-20221](https://www.cve.org/CVERecord?id=CVE-2022-20221)
- Out-of-bounds read in the Bluetooth process when handling Avrcp packets.
```diff
   tAVRC_STS status = AVRC_STS_NO_ERROR;
+  if (p_msg->vendor_len < 4) {  // 4 == pdu + reserved byte + len as uint16
+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+                       __func__, p_msg->vendor_len);
+    android_errorWriteLog(0x534e4554, "205571133");
+    return AVRC_STS_INTERNAL_ERR;
+  }
   uint8_t* p = p_msg->p_vendor_data;
   p_result->pdu = *p++;
   AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### [CVE-2022-20224](https://www.cve.org/CVERecord?id=CVE-2022-20224)
- Out-of-bounds read in the HFP Client of the Bluetooth process.
```diff
 /* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf)           \
-  do {                              \
-    while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf)                             \
+  do {                                                \
+    while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
   } while (0)
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### [CVE-2022-20225](https://www.cve.org/CVERecord?id=CVE-2022-20225)
- The getSubscriptionProperty(GROUP_UUID) interface was not protected by the READ_PRIVILEGED_PHONE_STATE permission, resulting in information leakage.
```diff
 public String getSubscriptionProperty(int subId, String propKey, String callingPackage,
         String callingFeatureId) {
-    if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId, callingPackage,
-            callingFeatureId, "getSubscriptionProperty")) {
-        return null;
+    switch (propKey) {
+        case SubscriptionManager.GROUP_UUID:
+            if (mContext.checkCallingOrSelfPermission(
+                    Manifest.permission.READ_PRIVILEGED_PHONE_STATE) != PERMISSION_GRANTED) {
+                EventLog.writeEvent(0x534e4554, "213457638", Binder.getCallingUid());
+                return null;
+            }
+            break;
+        default:
+            if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId,
+                    callingPackage, callingFeatureId, "getSubscriptionProperty")) {
+                return null;
+            }
     }
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Aman Pandey of bugsmirror

#### [CVE-2022-20230](https://www.cve.org/CVERecord?id=CVE-2022-20230)
- URL-encode the URI authority when KeyChain displays it.
```diff
     Uri uri = getIntent().getParcelableExtra(KeyChain.EXTRA_URI);
     if (uri != null) {
         String hostMessage = String.format(res.getString(R.string.requesting_server),
-                uri.getAuthority());
+                Uri.encode(uri.getAuthority(), "$,;:@&=+"));
         if (contextMessage == null) {
             contextMessage = hostMessage;
         } else {
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: None
## 2022-07-05 security patch level vulnerability details
### Framework
#### [CVE-2022-20220](https://www.cve.org/CVERecord?id=CVE-2022-20220)
- ContactsProvider now prevents opening, deleting, syncing or inserting files anywhere outside the Call Composer folder.
```java
/**
 *  Enforces a stricter check on what files the CallLogProvider can perform file operations on.
 * @param rootPath where all valid new/existing paths should pass through.
 * @param pathToCheck newly created path that is requesting a file op. (open, delete, etc.)
 * @param callingMethod the calling method.  Used only for debugging purposes.
 */
private void enforceValidCallLogPath(Path rootPath, Path pathToCheck, String callingMethod){
    if (!FileUtilities.isSameOrSubDirectory(rootPath.toFile(), pathToCheck.toFile())) {
        EventLog.writeEvent(0x534e4554, "219015884", Binder.getCallingUid(),
                (callingMethod + ": invalid uri passed"));
        throw new SecurityException(
                FileUtilities.INVALID_CALL_LOG_PATH_EXCEPTION_MESSAGE + pathToCheck);
    }
}
```
```java
package com.android.providers.contacts.util;

import android.util.Log;

import java.io.File;
import java.io.IOException;

public final class FileUtilities {
    public static final String TAG = FileUtilities.class.getSimpleName();
    public static final String INVALID_CALL_LOG_PATH_EXCEPTION_MESSAGE =
            "Invalid [Call Log] path. Cannot operate on file:";

    /**
     * Checks, whether the child directory is the same as, or a sub-directory of the base
     * directory.
     */
    public static boolean isSameOrSubDirectory(File base, File child) {
        try {
            File basePath = base.getCanonicalFile();
            File currPath = child.getCanonicalFile();
            while (currPath != null) {
                if (basePath.equals(currPath)) {
                    return true;
                }
                currPath = currPath.getParentFile(); // pops sub-dir
            }
            return false;
        } catch (IOException ex) {
            Log.e(TAG, "Error while accessing file", ex);
            return false;
        }
    }
}
```
- Updated Android versions: 12, 12L
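As an added illustration (not code from the page or from AOSP), the same containment rule as isSameOrSubDirectory written in Python and contrasted with a raw string-prefix check, both run against a constructed temporary layout that contains a `..` path and a symlink pointing outside the root:

```python
import os
import tempfile


def is_same_or_subdirectory(base: str, child: str) -> bool:
    """Containment check in the style of the patch: canonicalize both paths
    (resolving '..' and symlinks), then walk up from child until the base is
    reached or the filesystem root is passed."""
    base_path = os.path.realpath(base)
    curr = os.path.realpath(child)
    while True:
        if curr == base_path:
            return True
        parent = os.path.dirname(curr)
        if parent == curr:  # reached the filesystem root without hitting base
            return False
        curr = parent


def naive_prefix_check(base: str, child: str) -> bool:
    """Weak form of the check, shown only for contrast: a prefix test on the
    raw path neither resolves '..' nor follows symlinks."""
    return child.startswith(base)


def build_fixture():
    """Constructed layout (hypothetical, not from the page): a root directory
    holding one file, a sibling file outside the root, and a symlink inside
    the root that points at the outside file."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "call_composer")
    os.mkdir(root)
    inside = os.path.join(root, "pic.jpg")
    outside = os.path.join(tmp, "secret.db")
    for path in (inside, outside):
        with open(path, "w") as fh:
            fh.write("x")
    link = os.path.join(root, "escape")
    os.symlink(outside, link)
    return root, inside, outside, link


def evaluate() -> dict:
    """Run both checks over the fixture; the canonical check rejects every
    escape route while the naive one accepts the '..' path and the symlink."""
    root, inside, outside, link = build_fixture()
    dotdot = os.path.join(root, "..", "secret.db")
    return {
        "root_itself": is_same_or_subdirectory(root, root),
        "inside_canonical": is_same_or_subdirectory(root, inside),
        "dotdot_canonical": is_same_or_subdirectory(root, dotdot),
        "symlink_canonical": is_same_or_subdirectory(root, link),
        "dotdot_naive": naive_prefix_check(root, dotdot),
        "symlink_naive": naive_prefix_check(root, link),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {verdict}")
```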

## 2022-06-01 security patch level vulnerability details
### Framework
#### CVE-2021-39691
- As of publication, the patch for this vulnerability has not been uploaded to AOSP.
- Updated AOSP versions: 10, 11, 12
- Credits: Matthew Daley

#### CVE-2022-20006
- When switching users, the System UI main thread is busy and cannot respond in time to the `PhoneWindowManager.lockNow()` and `KeyguardViewMediator.doKeyguardTimeout()` calls. This opens a race window in which a guest user can switch back to the primary user and access the primary user's content without the primary user's credentials (lock screen password). On low-performance devices the window can last 15-30 seconds. The mitigation is to prioritize these two events so the device locks as soon as possible, and to have system_server update its local cache first.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Joshua Nearchos

#### CVE-2022-20125
- Added the finalizeWorkProfileProvisioning interface; the specific vulnerability still needs analysis.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: ISMAEL AMZDAK

#### CVE-2022-20138
- As of publication, the patch for this vulnerability has not been uploaded to AOSP.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Yu-Cheng Lin (林禹成) (@AndroBugs)

#### CVE-2021-39624
- Null pointer exception in PackageInstallerService.
```diff
  // Their staging dirs will be removed too
  PackageInstallerSession root = !session.hasParentSessionId()
          ? session : mSessions.get(session.getParentSessionId());
- if (!root.isDestroyed() && 
+ if (root == null) {
+     Slog.e(TAG, "freeStageDirs: found an orphaned session: "
+             + session.sessionId + " parent=" + session.getParentSessionId());
+ } else if (!root.isDestroyed() && 
          (!root.isStaged() || (root.isStaged() && root.isStagedSessionReady()))) 
  {
      root.abandon();
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Hongli Han (@hexb1n) and Mingjian Zhou (周明建) (@Mingjian_Zhou) of C0RE Team

### Media Framework
#### CVE-2022-20130
- The transportDec_OutOfBandConfig function in libMpegTPDec now rejects an invalid OutOfBandConfig and skips the memory reallocation.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: None

### System
#### CVE-2022-20127
- Double free in the ce_t4t module of NFC; the fix returns immediately after freebuf.
```diff
     } else {
        GKI_freebuf(p_c_apdu);
        ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+       return;
     }
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: None

#### CVE-2022-20140
- GATT
- Updated AOSP versions: 12, 12L

#### CVE-2022-20145
- As of publication, the patch for this vulnerability has not been uploaded to AOSP.
- Updated AOSP versions: 11
- Credits: Sze Yiu Chau, Hugo Hue, and Ka Lok Wu of The Chinese University of Hong Kong (CUHK)

#### CVE-2022-20124
- Prevent non-admin users from uninstalling updates to system apps (downgrading), mainly to stop guest users from uninstalling system app updates.
```java
if (isSystemApp(uninstalledPs)) {
    UserInfo userInfo = mUserManager.getUserInfo(userId);
    if (userInfo == null || !userInfo.isAdmin()) {
        Slog.w(TAG, "Not removing package " + packageName
                + " as only admin user may downgrade system apps");
        EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
        return PackageManager.DELETE_FAILED_USER_RESTRICTED;
    }
}
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Pratheesh P Narayanan

#### CVE-2022-20126
- Using the BluetoothAdapter.setScanMode interface now requires the BLUETOOTH_PRIVILEGED privilege.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Aman Pandey of bugsmirror

#### CVE-2022-20133
- Using the BluetoothAdapter.setDiscoverableTimeout interface now requires the BLUETOOTH_PRIVILEGED privilege.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Aman Pandey of bugsmirror

#### CVE-2022-20134
- Make the com.android.contacts.dialog.CallSubjectDialog activity no longer exported.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: None

#### CVE-2022-20135
- Parcel serialization/deserialization mismatch in GateKeeperResponse, triggered when mPayload has length 0. It can be exploited with the Bundle mismatch technique.
```diff
-        if (mPayload != null) {
+        if (mPayload != null && mPayload.length > 0) {
             dest.writeInt(mPayload.length);
             dest.writeByteArray(mPayload);
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Sergey Toshin (@bagipro) of Oversecured Inc.

#### CVE-2022-20137
- Prevent non-admin users from sharing and forgetting Wi-Fi networks.
- Updated AOSP versions: 12, 12L
- Credits: Lucian of OPPO Amber Security Lab

#### CVE-2022-20142
- Parcel serialization/deserialization mismatch in GeofenceHardwareRequestParcelable. It can be exploited with the Bundle mismatch technique.
```diff
     public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) {
       int geofenceType = parcel.readInt();
-      if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
-        Log.e(
-          "GeofenceHardwareRequest",
-          String.format("Invalid Geofence type: %d", geofenceType));
-        return null;
+      if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
+        throw new BadParcelableException("Invalid Geofence type: " + geofenceType);
       }
```
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Sergey Toshin (@bagipro) of Oversecured Inc.
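The writer/reader asymmetry behind CVE-2022-20135 and CVE-2022-20142, shown with an added Python model (not the page's or Android's code). The Parcel class is a simplified stand-in whose read_int returns 0 past the end of data, an assumption made here to mirror Parcel.readInt; the round-trip test at the bottom is the kind of check that flags this bug class before it ships:

```python
import struct


class Parcel:
    """Minimal model of android.os.Parcel (constructed for this example):
    little-endian 32-bit ints; a byte array is its length followed by its
    bytes; reading past the end yields 0 without advancing the cursor."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.pos = 0

    def write_int(self, v: int) -> None:
        self.buf += struct.pack("<i", v)

    def write_byte_array(self, b: bytes) -> None:
        self.write_int(len(b))  # writeByteArray emits its own length prefix
        self.buf += b

    def read_int(self) -> int:
        if self.pos + 4 > len(self.buf):
            return 0
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v

    def read_byte_array(self, n: int) -> bytes:
        if self.read_int() != n:
            raise ValueError("array length in parcel does not match expected size")
        out = bytes(self.buf[self.pos:self.pos + n])
        self.pos += n
        return out


def write_response(p: Parcel, timeout: int, payload, fixed: bool) -> None:
    """writeToParcel side of the GateKeeperResponse pattern. fixed=False is
    the pre-patch condition (payload != null); fixed=True is the patched
    condition from the diff (payload != null && payload.length > 0)."""
    p.write_int(timeout)
    present = payload is not None and (len(payload) > 0 or not fixed)
    if present:
        p.write_int(len(payload))
        p.write_byte_array(payload)


def read_response(p: Parcel):
    """createFromParcel side: read the size, then the array only if size > 0.
    For a zero-length payload the unfixed writer emitted two ints (the explicit
    size plus writeByteArray's own prefix) but the reader consumes one, so every
    field after it is parsed from the wrong offset."""
    timeout = p.read_int()
    size = p.read_int()
    payload = p.read_byte_array(size) if size > 0 else None
    return timeout, payload


def leftover_bytes(payload, fixed: bool) -> int:
    """Bytes the writer produced that the reader never consumed."""
    p = Parcel()
    write_response(p, timeout=30, payload=payload, fixed=fixed)
    read_response(p)
    return len(p.buf) - p.pos


def roundtrip_consistent(payload, fixed: bool) -> bool:
    """The unit test that catches the mismatch: after a write/read cycle the
    reader must have consumed exactly what the writer wrote."""
    return leftover_bytes(payload, fixed) == 0


if __name__ == "__main__":
    for payload in (None, b"", b"abc"):
        for fixed in (False, True):
            print(payload, "fixed" if fixed else "unfixed",
                  "leftover:", leftover_bytes(payload, fixed))
```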

#### CVE-2022-20144
- EditUserPhotoController can read files without authorization; avatar editing is now restricted to invoking system apps only. This issue appears to come from variant analysis of CVE-2021-0952.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: None

#### CVE-2022-20147
- Out-of-bounds read in nfa_dm_check_set_config in the NFC module.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### CVE-2022-20123
- Out-of-bounds read in phNciNfc_RecvMfResp in the NFC module.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### CVE-2022-20131
- Out-of-bounds read in nfc_ncif_proc_ee_discover_req in the NFC module.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab

#### CVE-2022-20129
- In TelecomManager each app may register at most 10 accounts; a check was added in the registerPhoneAccount function and the API documentation updated.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: None

#### CVE-2022-20143
- Add OEM-configurable limits for Zen rules in Zen mode.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: None

## 2022-06-05 security patch level vulnerability details

## 2022-05-01 security patch level vulnerability details

### Framework

#### CVE-2021-39662
- MediaProvider no longer allows granting FLAG_GRANT_PREFIX_URI_PERMISSION, because with it an app holding permission for just one media category (for example audio, photos or downloads) could obtain access to files of every category without requesting additional permissions. The root cause is that FLAG_GRANT_PREFIX_URI_PERMISSION grants by prefix, which widens the scope of the original permission.
- Background: MediaProvider is the scoped storage implementation introduced after Android 10. Its purpose is to give apps access to common categories of media files when they cannot read or write the sdcard directly, similar to iOS.
- Updated AOSP versions: 11, 12
- Credits: None

#### CVE-2022-20004
- The checkSlicePermission function of SliceManagerService does not verify the caller.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Aman Pandey of bugsmirror

#### CVE-2022-20005
- After an app's base.apk is updated, PMS now immediately restarts the target app.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Edward Cunningham of Google

#### CVE-2022-20007
- Do not call an Activity's onResume while it is covered by a translucent floating window or similar, because some apps rely on onResume for authentication steps, and an overlay at that moment would mislead the user.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Xianbo Wang (@sanebow) of MobiTec, The Chinese University of Hong Kong

#### CVE-2021-39700
- Allow adbd to access /proc/net/{tcp,tcp6,udp,udp6}; not clear what security impact denying access would have.
- Updated AOSP versions: 10, 11, 12
- Credits: Gregory Montoir and Gary Arakaki of Google

### System

#### CVE-2022-20113
- The default USB configuration screen was switched from RestrictedSwitchPreference to RestrictedPreference, presumably related to its accessibility from the lock screen.
- Updated AOSP versions: 12, 12L
- Credits: Ben Turley

#### CVE-2022-20114
- If the ConnectionService returns a null binding, automatically perform the unbind.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Aman Pandey of bugsmirror

#### CVE-2022-20116
- SystemUI's CallNotificationInfo takes an Intent as a parameter and launches an activity from it, leading to a LaunchAnyWhere vulnerability.
- Updated AOSP versions: 12, 12L
- Credits: Michał Bednarski (michalbednarski)

#### CVE-2022-20010
- Out-of-bounds read in the Bluetooth L2CAP_CMD_CREDIT_BASED_CONN_RES command.
```diff
     case L2CAP_CMD_CREDIT_BASED_CONN_RES:
-      if (p + 2 > p_pkt_end) {
+      if (p + 8 > p_pkt_end) {
         LOG(ERROR) << "invalid L2CAP_CMD_CREDIT_BASED_CONN_RES len";
         return;
       }
```
- Updated AOSP versions: 12, 12L
- Credits: Kevin Deus of Google

#### CVE-2022-20011
- NotificationManagerService's getActiveNotifications and getHistoricalNotifications do not validate multi-user scenarios correctly, allowing notification content to be obtained across users; it seems to require the "Notification access" permission.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Art (github)

#### CVE-2022-20115
- For the android.intent.action.SERVICE_STATE broadcast from TelephonyRegistry, extras containing location information are no longer sent to apps that lack the ACCESS_FINE_LOCATION permission.
```diff
     // Send the broadcast twice -- once for all apps with READ_PHONE_STATE, then again
-    // for all apps with READ_PRIV but not READ_PHONE_STATE. This ensures that any app holding
-    // either READ_PRIV or READ_PHONE get this broadcast exactly once.
-    mContext.sendBroadcastAsUser(intent, UserHandle.ALL, Manifest.permission.READ_PHONE_STATE);
-    mContext.createContextAsUser(UserHandle.ALL, 0)
-            .sendBroadcastMultiplePermissions(intent,
-                    new String[] { Manifest.permission.READ_PRIVILEGED_PHONE_STATE },
-                    new String[] { Manifest.permission.READ_PHONE_STATE });
+    // for all apps with READ_PRIVILEGED_PHONE_STATE but not READ_PHONE_STATE.
+    // Do this again twice, the first time for apps with ACCESS_FINE_LOCATION, then again with
+    // the location-sanitized service state for all apps without ACCESS_FINE_LOCATION.
+    // This ensures that any app holding either READ_PRIVILEGED_PHONE_STATE or READ_PHONE_STATE
+    // get this broadcast exactly once, and we are not exposing location without permission.
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PHONE_STATE,
+                    Manifest.permission.ACCESS_FINE_LOCATION});
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PRIVILEGED_PHONE_STATE,
+                    Manifest.permission.ACCESS_FINE_LOCATION},
+            new String[] {Manifest.permission.READ_PHONE_STATE});
+    // Replace bundle with location-sanitized ServiceState
+    data = new Bundle();
+    state.createLocationInfoSanitizedCopy(true).fillInNotifierBundle(data);
+    intent.putExtras(data);
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PHONE_STATE},
+            new String[] {Manifest.permission.ACCESS_FINE_LOCATION});
+    mContext.createContextAsUser(UserHandle.ALL, 0).sendBroadcastMultiplePermissions(intent,
+            new String[] {Manifest.permission.READ_PRIVILEGED_PHONE_STATE},
+            new String[] {Manifest.permission.READ_PHONE_STATE,
+                    Manifest.permission.ACCESS_FINE_LOCATION});
```
- Updated AOSP versions: 12, 12L
- Credits: hsia.angsh

#### CVE-2021-39670
- Use ImageDecoder instead of BitmapRegionDecoder when parsing wallpapers, because BitmapRegionDecoder's generateCrop() cannot handle extremely large files.
- Updated AOSP versions: 12, 12L
- Credits: Sithija

#### CVE-2022-20112
- Hide the private DNS setting in guest mode; guest users may not change it.
- Updated AOSP versions: 10, 11, 12, 12L
- Credits: Xianfeng Lu(卢先锋) and Lei Ai(艾磊) of OPPO Amber Security Lab
2022-05-05 security patch level vulnerability details

2022-04-01 security patch level vulnerability details

Framework

CVE-2021-0694

  • 从后台启动的前台服务不再允许获得“仅在使用时允许”的权限,包括位置、相机和麦克风权限。
  • Updated AOSP versions: 11
  • 致谢:Makoto Onuki of Google

CVE-2021-39794

  • 限制下面三个ADBManager中的广播的权限为MANAGE_DEBUGGING签名权限
    com.android.server.adb.WIRELESS_DEBUG_STATUS
    com.android.server.adb.WIRELESS_DEBUG_PAIRED_DEVICES
    com.android.server.adb.WIRELESS_DEBUG_PAIRING_RESULT
  • Updated AOSP versions: 11, 12, 12L
  • 致谢:hluwa

CVE-2021-39795

  • 不允许未适配分区存储的应用通过MediaProvider向其他应用的外置私有目录写入文件,也就是/sdcard/Android/data/<package_name>目录。
  • Updated AOSP versions: 11, 12, 12L
  • 致谢:Bo Zhang (张波) of Bytedance Wuheng Lab

CVE-2021-39796

  • 对有害应用警告页面HarmfulAppWarningActivity添加SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS,防止悬浮窗点击劫持和覆盖攻击。
  • Updated AOSP versions: 10, 11, 12, 12L
  • 致谢:Hao Zhou, Xiapu Luo from the Hong Kong Polytechnique University, Haoyu Wang from the Huazhong University of Science and Technology, and Yajin Zhou from the Zhejiang University

CVE-2021-39797

  • 不再允许LauncherApps创建PendingIntent时指定任意的ActivityOptions
  • Updated AOSP versions: 12, 12L
  • 致谢:Michał Bednarski (michalbednarski)

CVE-2021-39798

  • Bitmap_createFromParcel中的问题,后续可以进一步研究一下。
    
    // In place callback
    [&](std::unique_ptr<int8_t[]> buffer, int32_t size) {
  • if (allocationSize > size) {
  • android_errorWriteLog(0x534e4554, "213169612");
  • return STATUS_BAD_VALUE;
  • }
    nativeBitmap = Bitmap::allocateHeapBitmap(allocationSize, imageInfo, rowBytes);
    if (nativeBitmap) {
  • memcpy(nativeBitmap->pixels(), buffer.get(), size);
  • memcpy(nativeBitmap->pixels(), buffer.get(), allocationSize);
  • return STATUS_OK;
    }
  • return STATUS_NO_MEMORY;
    }

  • allocationSize不能比size大,这里面size是readBlob过程中读取的大小,而allocationSize源于Bitmap::computeAllocationSize,这个可能是根据Bitmap里面其他的结构计算出来的,攻击者可控,详细分析后续会单独文章进行讲解。
  • Updated AOSP versions: 12, 12L
  • 致谢:lovepink

CVE-2021-39799

  • AttributionSource里面除了校验UID之外还要校验PID
  • Updated AOSP versions: 12, 12L
  • 致谢:Michał Bednarski (michalbednarski)

Media Framework

CVE-2021-39803

  • C2AllocatorIon中使用mutex锁保护mMappings
  • Updated AOSP versions: 10, 11, 12, 12L
  • 致谢:无

CVE-2021-39804

  • Checks whether METADATA_KEY_VIDEO_FRAME_COUNT is NULL when parsing HEIF; this can only lead to DoS

```diff
-    mSequenceLength = atoi(mRetriever->extractMetadata(METADATA_KEY_VIDEO_FRAME_COUNT));
+    const char* frameCount = mRetriever->extractMetadata(METADATA_KEY_VIDEO_FRAME_COUNT);
+    if (frameCount == nullptr) {
+        android_errorWriteWithInfoLog(0x534e4554, "215002587", -1, NULL, 0);
+        ALOGD("No valid sequence information in metadata");
+        return false;
+    }
+    mSequenceLength = atoi(frameCount);
```
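
Review bot: the nullptr check on frameCount stops the crash, but the last added line, `mSequenceLength = atoi(frameCount);`, still accepts whatever text the metadata carries: atoi returns 0 for a non-numeric string, reports nothing on overflow, and passes negative values straight through, so mSequenceLength can silently become 0 or negative. Parse with strtol, check the end pointer, and reject values below 1 the same way the nullptr case is rejected.
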
  • Updated AOSP versions: 11, 12, 12L
  • Credit: Dawuge of Pangu Team

System

CVE-2021-39808

  • An app could set its notification channel to Blocked to suppress the foreground-service notification, starting a foreground service without the user noticing.
  • Updated AOSP versions: 10, 11, 12
  • Credit: Aman Pandey of bugsmirror

CVE-2021-39805

  • Out-of-bounds read in Bluetooth L2CAP, reading past the end of the packet

```diff
     uint16_t result;
+    if (p + sizeof(uint16_t) > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "212694559");
+        LOG(ERROR) << "invalid read";
+        return;
+    }
     STREAM_TO_UINT16(result, p);
```

  • Updated AOSP versions: 12, 12L
  • Credit: Lei Ai(艾磊) and Xianfeng Lu(卢先锋) of OPPO Amber Security Lab

CVE-2021-39809

  • Out-of-bounds read in Bluetooth AVRC

```diff
+    if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+        android_errorWriteLog(0x534e4554, "205837191");
+        return AVRC_STS_INTERNAL_ERR;
+    }
```

  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team

2022-04-05 security patch level vulnerability details

System

CVE-2021-39807

  • Guest users are no longer allowed to disable NFC
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Lei Ai(艾磊) and Xianfeng Lu(卢先锋) of OPPO Amber Security Lab

2022-03-01 security patch level vulnerability details

Android runtime

Framework

CVE-2021-39692

  • Adds the SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS flag to the ManagedProvisioning profile authorization screen, preventing floating-window attacks.
  • Updated AOSP versions: 10, 11, 12
  • Credit: Hao Zhou, Xiapu Luo from the Hong Kong Polytechnique University, Haoyu Wang from the Beijing University of Posts and Telecommunications, and Yajin Zhou from the Zhejiang University

CVE-2021-39693

  • A race condition in AppOpsService's onUidStateChanged; the concrete impact is still to be studied.

```diff
     /**
      * Notify that the state of the uid changed
      *
      * @param newState The new state
      */
     public void onUidStateChanged(@AppOpsManager.UidState int newState) {
         if (!isPaused() && !isRunning()) {
             return;
         }
         boolean isRunning = isRunning();
         ArrayMap<IBinder, AppOpsService.InProgressStartOpEvent> events =
                 isRunning ? mInProgressEvents : mPausedInProgressEvents;
         int numInProgressEvents = events.size();
         List<IBinder> binders = new ArrayList<>(events.keySet());
         for (int i = 0; i < numInProgressEvents; i++) {
             InProgressStartOpEvent event = events.get(binders.get(i));
             if (event != null && event.getUidState() != newState) {
                 try {
                     // Remove all but one unfinished start count and then call finished() to
                     // remove start event object
                     int numPreviousUnfinishedStarts = event.numUnfinishedStarts;
                     event.numUnfinishedStarts = 1;
                     OpEventProxyInfo proxy = event.getProxy();
                     finished(event.getClientId(), false);
                     // Call started() to add a new start event object and then add the
                     // previously removed unfinished start counts back
                     if (proxy != null) {
                         startedOrPaused(event.getClientId(), proxy.getUid(),
                                 proxy.getPackageName(), proxy.getAttributionTag(), newState,
                                 event.getFlags(), false, isRunning,
                                 event.getAttributionFlags(), event.getAttributionChainId());
                     } else {
                         startedOrPaused(event.getClientId(), Process.INVALID_UID, null, null,
                                 newState, event.getFlags(), false, isRunning,
                                 event.getAttributionFlags(), event.getAttributionChainId());
                     }
+                    events = isRunning ? mInProgressEvents : mPausedInProgressEvents;
                     InProgressStartOpEvent newEvent = events.get(binders.get(i));
                     if (newEvent != null) {
                         newEvent.numUnfinishedStarts += numPreviousUnfinishedStarts - 1;
                     }
                 } catch (RemoteException e) {
                     if (DEBUG) Slog.e(TAG, "Cannot switch to new uidState " + newState);
                 }
             }
         }
     }
```

  • Updated AOSP versions: 12
  • Credit: Soonil Nagarkar of Google

CVE-2021-39695

  • Fixes an inconsistency between the following two ways of reading protectionLevel from a BasePermission
    • Reflective field access: BasePermission.perm.protectionLevel
    • API call: BasePermission.getProtectionLevel()
  • Updated AOSP versions: 11
  • Credit: Rui Li and Wenrui Diao, Shandong University

CVE-2021-39697

  • Apps that have not adopted scoped storage can no longer use DownloadProvider to download files into other apps' private directories on the external card (/sdcard/Android/<package_name>/data and /sdcard/Android/<package_name>/obb)
  • The root cause is that an app without scoped storage can access the entire sdcard directory once it has been granted the storage permission.
  • Updated AOSP versions: 11, 12
  • Credit: Bo Zhang (张波) of Bytedance Wuheng Lab

CVE-2021-39624

  • Abandoning child sessions in PackageInstallerService could lead to denial of service
  • Updated AOSP versions: 10, 11, 12
  • Credit: Hongli Han (@hexb1n) and Mingjian Zhou (周明建) (@Mingjian_Zhou) of C0RE Team

CVE-2021-39690

  • Skia incorrectly accepted and rendered buffers larger than the OpenGL size limit, which could lead to denial of service
  • Updated AOSP versions: 12
  • Credit: Sithija

Media Framework

CVE-2021-39667

  • An issue when parsing H.264 video headers, found by OSS-Fuzz
  • Updated AOSP versions: 10, 11, 12
  • Credit: none

System

CVE-2021-39708

  • In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to an incorrect bounds check.
  • As of writing, the code change for this vulnerability has not been published
  • Updated AOSP versions: 12
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team

CVE-2021-0957

  • In multi-user scenarios, the notification footer is not shown before the user's setup is complete
  • Updated AOSP versions: 10, 11, 12
  • Credit: SHIHAB P M

CVE-2021-39701

  • SystemUI now handles onNullBinding correctly when binding to a foreground service, preventing a foreground-service notification bypass.

```diff
+    override fun onNullBinding(name: ComponentName?) {
+        if (DEBUG) Log.d(TAG, "onNullBinding $name")
+        wrapper = null
+        context.unbindService(this)
+    }
```

  • Updated AOSP versions: 11, 12
  • Credit: Aman Pandey of bugsmirror

CVE-2021-39702

  • Adds the SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS flag to the RequestManageCredentials screen, preventing floating-window attacks.
  • Updated AOSP versions: 12
  • Credit: Hao Zhou, Xiapu Luo from the Hong Kong Polytechnique University, Haoyu Wang from the Beijing University of Posts and Telecommunications, and Yajin Zhou from the Zhejiang University

CVE-2021-39703

  • In AOSP, enabling USB MTP mode requires manual authorization. If another device was plugged in within 3 seconds of disconnecting a device that already had MTP enabled, the new device could obtain MTP access directly. The fix reduces this delay to 1 second.

```diff
-    private static final int DEVICE_STATE_UPDATE_DELAY = 3000;
-    // Delay for debouncing USB disconnects on Type-C ports in host mode
-    private static final int HOST_STATE_UPDATE_DELAY = 1000;
+    private static final int UPDATE_DELAY = 1000;
```

  • Updated AOSP versions: 12
  • Credit: Elijah Bowman of Accenture

CVE-2021-39704

  • Checks whether a notification channel has an associated foreground service before deleting it, preventing a foreground-service notification bypass.
  • Updated AOSP versions: 10, 11, 12
  • Credit: Aman Pandey of bugsmirror

CVE-2021-39706

  • Adds a caller check to the com.android.credentials.RESET action, so that only the Settings app can initiate a reset of the credential store.
  • Updated AOSP versions: 10, 11, 12
  • Credit: Lucian and Sheep of OPPO Amber Security Lab

CVE-2021-39707

  • The RestrictionsResultReceiver in AppRestrictionsFragment could receive a broadcast and start an activity; because the activity is started on behalf of the Settings page, this allowed launchAnyWhere.
  • Updated AOSP versions: 10, 11, 12
  • Credit: Bo Zhang (张波) and Tianyi Hu (胡天易) of Bytedance Wuheng Lab

CVE-2021-39709

  • A PendingIntent vulnerability in SipAccountRegistry
  • Updated AOSP versions: 12
  • Credit: 7h0r

CVE-2021-39705

  • The AOSP Dialer app leaked the ICCID via a broadcast, resulting in an information disclosure vulnerability.
  • Updated AOSP versions: 10, 11, 12
  • Credit: none

2022-03-05 security patch level vulnerability details

2022-02-01 security patch level vulnerability details

Framework

CVE-2021-39619

  • If a user has a profile owner, the app's usage statistics are no longer deleted when the app is uninstalled
  • Affected versions: 11, 12
  • Credit: none

CVE-2021-39663

  • In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, there is a possible bypass of a permissions check due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-200682135
  • As of writing, the code change for this vulnerability has not been published
  • Affected versions: 10
  • Credit: Dzmitry Lukyanenka

CVE-2021-39676

  • In writeThrowable of AndroidFuture.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-197228210
  • As of writing, the code change for this vulnerability has not been published
  • Affected versions: 11
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team

CVE-2021-39664

  • Out-of-bounds read in androidfw

```diff
     std::unordered_set<uint32_t> finalized_ids;
     const auto lib_alias = child_chunk.header<ResTable_staged_alias_header>();
     if (!lib_alias) {
+      LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small.";
+      return {};
+    }
+    if ((child_chunk.data_size() / sizeof(ResTable_staged_alias_entry))
+        < dtohl(lib_alias->count)) {
+      LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small to hold entries.";
       return {};
     }
     const auto entry_begin = child_chunk.data_ptr().convert<ResTable_staged_alias_entry>();
```

  • Affected versions: 12
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team

Media Framework

CVE-2020-13112

  • An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.
  • As of writing, the code change for this vulnerability has not been published
  • Affected versions: 10, 11
  • Credit: Kris Alder of Google

CVE-2020-13113

  • An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions.
  • As of writing, the code change for this vulnerability has not been published
  • Affected versions: 10, 11
  • Credit: Kris Alder of Google

CVE-2021-39665

  • Out-of-bounds read in libstagefright

```diff
 void AAVCAssembler::checkSpsUpdated(const sp<ABuffer> &buffer) {
+    if (buffer->size() == 0) {
+        android_errorWriteLog(0x534e4554, "204077881");
+        return;
+    }
     const uint8_t *data = buffer->data();
     unsigned nalType = data[0] & 0x1f;
```

  • Affected versions: 12
  • Credit: Zinuo Han(weibo.com/ele7enxxh) of Alibaba Cloud Security Team
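
The L2CAP (CVE-2021-39805), AVRC (CVE-2021-39809), androidfw (CVE-2021-39664) and libstagefright (CVE-2021-39665) fixes above all apply the same two rules: confirm that the bytes a read needs are still inside the buffer before touching them, and confirm that a count read from the data fits the space and the table before iterating over it. The following stand-alone C++ program is an added example written for this page, not AOSP code; the message layout, the `Reader` helper, the `parseEntries` function and the `kMaxEntries` limit are constructed for illustration.

```cpp
// Added example for this page (not AOSP code): the "check the remaining bytes
// before reading" pattern shared by the Bluetooth, androidfw and stagefright
// fixes above, applied to a constructed little-endian message layout.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Upper bound on entries we are prepared to parse, in the spirit of the
// AVRC_CAP_MAX_NUM_COMP_ID check. The value is a hypothetical choice.
constexpr size_t kMaxEntries = 16;

// Bounded cursor over a byte buffer. Computing the remaining length instead of
// "p + n > end" never forms a pointer past the buffer.
struct Reader {
    const uint8_t* p;
    const uint8_t* end;

    bool has(size_t n) const { return static_cast<size_t>(end - p) >= n; }

    std::optional<uint8_t> u8() {
        if (!has(1)) return std::nullopt;
        return *p++;
    }

    // Same contract as STREAM_TO_UINT16 in the L2CAP fix, but refuses to read
    // when fewer than two bytes remain.
    std::optional<uint16_t> u16() {
        if (!has(2)) return std::nullopt;
        uint16_t v = static_cast<uint16_t>(p[0] | (p[1] << 8));
        p += 2;
        return v;
    }
};

struct Entry {
    uint8_t id;
    uint16_t value;
};

// Message layout (constructed for this example):
//   count : u8
//   count x { id : u8, value : u16 LE }
// Returns nullopt on truncation or an unreasonable count; a caller that
// treats nullopt as "drop the packet" never touches memory past `len`.
std::optional<std::vector<Entry>> parseEntries(const uint8_t* data, size_t len) {
    Reader r{data, data + len};
    std::optional<uint8_t> count = r.u8();
    if (!count) return std::nullopt;
    // Like the androidfw fix: the remaining bytes must hold `count` entries
    // before we iterate, and like the AVRC fix the count must fit our table.
    if (*count > kMaxEntries) return std::nullopt;
    if (!r.has(static_cast<size_t>(*count) * 3)) return std::nullopt;

    std::vector<Entry> out;
    for (unsigned i = 0; i < *count; ++i) {
        std::optional<uint8_t> id = r.u8();
        std::optional<uint16_t> value = r.u16();
        // Unreachable after the size check above; kept as defense in depth.
        if (!id || !value) return std::nullopt;
        out.push_back(Entry{*id, *value});
    }
    return out;
}

// Constructed sample messages.
const std::vector<uint8_t> kGood = {2, 0x01, 0x34, 0x12, 0x02, 0x78, 0x56};
const std::vector<uint8_t> kTruncated = {2, 0x01, 0x34, 0x12, 0x02, 0x78};  // second value cut short
const std::vector<uint8_t> kBogusCount = {200, 0x01};                          // claims 200 entries

int main() {
    for (const std::vector<uint8_t>* msg : {&kGood, &kTruncated, &kBogusCount}) {
        std::optional<std::vector<Entry>> parsed = parseEntries(msg->data(), msg->size());
        if (!parsed) {
            std::printf("rejected message of %zu bytes\n", msg->size());
            continue;
        }
        for (const Entry& e : *parsed)
            std::printf("id=%u value=0x%04x\n", static_cast<unsigned>(e.id), static_cast<unsigned>(e.value));
    }
    return 0;
}
```

The up-front `has(count * 3)` check is what the androidfw patch does with `data_size() / sizeof(entry) < count`; the per-field checks inside `u8()`/`u16()` are what the L2CAP patch does before `STREAM_TO_UINT16`. Keeping both means a malformed count is rejected before any work is done, and a miscounted layout still cannot read past the buffer.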

CVE-2021-39666

  • Out-of-bounds read in libmediametrics

```diff
 template <> // static
 status_t extract(std::string *val, const char **bufferpptr, const char *bufferptrmax) {
     const char *ptr = *bufferpptr;
-    while (*ptr != 0) {
+    do {
         if (ptr >= bufferptrmax) {
             ALOGE("%s: buffer exceeded", __func__);
             return BAD_VALUE;
         }
-        ++ptr;
-    }
-    const size_t size = (ptr - *bufferpptr) + 1;
+    } while (*ptr++ != 0);
+    // ptr is terminator+1, == bufferptrmax if we finished entire buffer
     *val = *bufferpptr;
-    *bufferpptr += size;
+    *bufferpptr = ptr;
     return NO_ERROR;
 }
 template <> // static
```

  • Affected versions: 11, 12
  • Credit: Hongli Han(@hexb1n) and Guang Gong(@oldfresher) of Vulnerability Research Institute
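
The libmediametrics diff above is small, but the reason the loop shape changed is easy to miss: the old `while (*ptr != 0)` dereferences `ptr` before the `ptr >= bufferptrmax` check runs, so a record whose last string has no terminator is read one byte past its end. The following added example (written for this page, not AOSP code) re-implements the hardened `extract()` stand-alone as `extractString`, with a constructed packed record and a constructed unterminated record so the edge case can be exercised; the `Status` enum, the `extractAll` and `firstStringSpan` helpers and the sample buffers are assumptions.

```cpp
// Added example for this page (not AOSP code): a stand-alone version of the
// hardened libmediametrics extract() from the diff above, with inputs that
// exercise the unterminated-string case the old while loop mishandled.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Assumed status codes, mirroring the values used in the diff.
enum Status { NO_ERROR = 0, BAD_VALUE = -22 };

// Extracts one NUL-terminated string starting at *bufferpptr and advances
// *bufferpptr past the terminator. bufferptrmax is one past the last valid
// byte. The bounds check runs before every dereference of ptr, which is the
// whole point of the do/while shape.
Status extractString(std::string* val, const char** bufferpptr, const char* bufferptrmax) {
    const char* ptr = *bufferpptr;
    do {
        if (ptr >= bufferptrmax) {
            // Ran off the end without seeing a terminator: reject, don't read on.
            return BAD_VALUE;
        }
    } while (*ptr++ != 0);
    // ptr is terminator+1, == bufferptrmax if the string filled the buffer.
    *val = *bufferpptr;  // safe: the loop already found the NUL inside bounds
    *bufferpptr = ptr;
    return NO_ERROR;
}

// Assumed helper: pulls every string out of a packed record, stopping at the
// first malformed one.
std::vector<std::string> extractAll(const char* data, size_t len) {
    std::vector<std::string> out;
    const char* p = data;
    const char* end = data + len;
    std::string s;
    while (p < end && extractString(&s, &p, end) == NO_ERROR) out.push_back(s);
    return out;
}

// Assumed helper: how many bytes the first string in [data, data+len)
// consumes including its NUL, or 0 if it is not terminated inside the buffer.
size_t firstStringSpan(const char* data, size_t len) {
    std::string s;
    const char* p = data;
    if (extractString(&s, &p, data + len) != NO_ERROR) return 0;
    return static_cast<size_t>(p - data);
}

// Constructed inputs. kPacked holds two strings back to back; sizeof includes
// the string literal's own trailing NUL, so pass sizeof(kPacked) - 1 (11 bytes).
const char kPacked[] = "codec\0h264\0";
// Three bytes and no terminator: the old loop would have read kUnterminated[3].
const char kUnterminated[] = {'a', 'b', 'c'};

int main() {
    for (const std::string& s : extractAll(kPacked, sizeof(kPacked) - 1))
        std::printf("field: %s\n", s.c_str());
    std::string s;
    const char* p = kUnterminated;
    Status st = extractString(&s, &p, kUnterminated + sizeof(kUnterminated));
    std::printf("unterminated record -> %s\n", st == BAD_VALUE ? "BAD_VALUE" : "NO_ERROR");
    return 0;
}
```

Note that on the BAD_VALUE path `*bufferpptr` is left untouched, so a caller can log the offending offset; on success the cursor lands exactly on the byte after the terminator, which is how back-to-back strings are walked without ever recomputing a length.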

System

CVE-2021-39675

  • NFA_SendRawFrame in the NFC module lacked an upper bound on the length, which could lead to an out-of-bounds write

```diff
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 #include "gki_int.h"
 
 #if (GKI_NUM_TOTAL_BUF_POOLS > 16)
@@ -258,8 +259,9 @@
   FREE_QUEUE_T* Q;
 
 #if defined(DYN_ALLOC) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
-  if (size == 0) {
-    LOG(ERROR) << StringPrintf("getbuf: Size is zero");
+  if (size == 0 || size > (USHRT_MAX - 3)) {
+    LOG(ERROR) << StringPrintf("getbuf: Requested size(%d) is invalid", size);
+    android_errorWriteLog(0x534e4554, "205729183");
 #ifndef DYN_ALLOC
     abort();
 #else
```

  • Affected versions: 12
  • Credit: none

CVE-2021-39668

  • A new type of PendingIntent vulnerability in SystemUI; to be researched
  • Affected versions: 11, 12
  • Credit: none

CVE-2021-39669

  • Adds the SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS flag to the CA certificate installation warning screen InstallCaCertificateWarning, preventing floating-window tapjacking
  • Affected versions: 11, 12
  • Credit: Tianyi Hu (胡天易) of Bytedance Wuheng Lab

CVE-2021-39671

  • When compiling AIDL files, char-typed fields now get a default value of \0. This looks like it had been submitted once before but was reverted in Android 12 for some reason; this commit reverts that revert (a revert of a revert, let's not go any deeper).

```
Revert "Revert "Add automatic default value for char-type field""

This reverts commit ac1cb3eb26525c868fd7dfeba90b6ee85161c9d8.

Original commit message:

Add automatic default value for char-type field

char type fields are auto-initialized with '\0' when not specified.

Ignore-AOSP-First: security fix
Bug: 206718630
Test: aidl_unittests

Reason for re-submit:
Conflicts resolved in the downstream branches.
```

  • Affected versions: 12
  • Credit: Jooyung Han of Google

CVE-2021-39674

  • UAF in btm_sec_connected and btm_sec_disconnected
  • Affected versions: 10, 11, 12
  • Credit: Nguyễn Hoàng Thạch (d4rkn3ss) of STAR Labs

CVE-2021-0706

  • In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11. Android ID: A-193444889
  • As of writing, the code change for this vulnerability has not been published
  • Affected versions: 10, 11
  • Credit: Ryan Johnson and Mohamed Elsabagh of Kryptowire

2022-02-05 security patch level vulnerability details

System

CVE-2021-39631

  • Even a translation issue can become a vulnerability. Impressive.

```diff
-    <string name="clear_data_dlg_text" msgid="7870723948123690332">"系统会永久删除此应用的所有数据。删除的内容包括所有文件、设置、帐号、数据库等。"</string>
+    <string name="clear_data_dlg_text" msgid="1107610960337399006">"系统将永久删除此应用的数据,其中包括文件、设置、数据库和其他应用数据。"</string>
```

  • Affected versions: 10, 11, 12
  • Credit: Pustam Raut (पुस्तम राउत) from Sarlahi & IISc/RIT/NMC

2022-01-01 security patch level vulnerability details

Framework

CVE-2021-39630

  • Fixes a vulnerability in OverlayManagerService: overlays owned by the shell uid are blocked, and at boot all overlays whose creator is the shell uid are removed. Needs further research.
  • Affected versions: 12
  • Credit: none

CVE-2021-39632

  • Out-of-bounds write in AOSP Recovery; may not affect some OEM models

```diff
-        pevent->name[pevent->len] = '\0';
-        if (strncmp(pevent->name, "event", 5)) {
+        std::string event_name(pevent->name, pevent->len);
+        if (!android::base::StartsWith(event_name, "event")) {
           continue;
         }
-        android::base::unique_fd dfd(openat(dirfd(dir.get()), pevent->name, O_RDONLY));
+        android::base::unique_fd dfd(openat(dirfd(dir.get()), event_name.c_str(), O_RDONLY));
```

  • Affected versions: 11, 12
  • Credit: Sam Schumacher of Google

CVE-2020-0338

  • A logic issue in AccountManagerService: checkKeyIntent did not check whether the ClipData had any content, so permissions were later granted on the URIs inside the ClipData; presumably there is a later opportunity to edit this Intent.

```diff
     protected boolean checkKeyIntent(int authUid, Intent intent) {
+        // Explicitly set an empty ClipData to ensure that we don't offer to
+        // promote any Uris contained inside for granting purposes
+        if (intent.getClipData() == null) {
+            intent.setClipData(ClipData.newPlainText(null, null));
+        }
         intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
                 | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                 | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
```

  • Affected versions: 9, 10
  • Credit: Dzmitry Lukyanenka

Media Framework

CVE-2021-39623

  • Out-of-bounds write in SimpleDecodingSource

```diff
             if (mIsVorbis) {
                 int32_t numPageSamples;
                 if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
                     numPageSamples = -1;
                 }
-                memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+                if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+                    memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+                    cpLen += sizeof(numPageSamples);
+                } else {
+                    ALOGW("Didn't have enough space to copy kKeyValidSamples");
+                }
             }

             res = mCodec->queueInputBuffer(
-                    in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+                    in_ix, 0 /* offset */, cpLen,
                     timestampUs, 0 /* flags */);
```

  • Affected versions: 9, 10, 11, 12
  • Credit: Huinian Yang (@vmth6) and Qingyu Li (QQQ) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd.

System

CVE-2021-39618

  • As of writing, patch details for this vulnerability have not been disclosed. CVE description: In multiple methods of EuiccNotificationManager.java, there is a possible way to install existing packages without user consent due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12 Android-9. Android ID: A-196855999
  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-39620

  • Removed a redundant object release from Parcel's error handling

```diff
         // We should never receive other types (eg BINDER_TYPE_FDA) as long as we don't support
         // them in libbinder. If we do receive them, it probably means a kernel bug; try to
-        // recover gracefully by clearing out the objects, and releasing the objects we do
-        // know about.
+        // recover gracefully by clearing out the objects.
         android_errorWriteLog(0x534e4554, "135930648");
+        android_errorWriteLog(0x534e4554, "203847542");
         ALOGE("%s: unsupported type object (%" PRIu32 ") at offset %" PRIu64 "\n",
               __func__, type, (uint64_t)offset);
-        releaseObjects();
-
+        // WARNING: callers of ipcSetDataReference need to make sure they
+        // don't rely on mObjectsSize in their release_func.
         mObjectsSize = 0;
         break;
```

  • Affected versions: 11, 12
  • Credit: Amit Nama of Google using Realtime Stability Insights (RTSI)

CVE-2021-39621

  • Unsafe PendingIntent use in VoiceMail's LegacyModeSmsHandler; the FLAG_IMMUTABLE flag is added
  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-39622

  • As of writing, patch details for this vulnerability have not been disclosed. CVE description: In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12. Android ID: A-192663648
  • Affected versions: 10, 11, 12
  • Credit: Vikram Singh

CVE-2021-39625

  • As of writing, patch details for this vulnerability have not been disclosed. CVE description: In showCarrierAppInstallationNotification of EuiccNotificationManager.java, there is a possible way to gain an access to MediaProvider content due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12 Android-9. Android ID: A-194695347
  • Affected versions: 9, 10, 11, 12
  • Credit: h0rd7

CVE-2021-39626

  • Fixes third-party apps being able to change the Bluetooth discoverable state without permission; only Settings and SystemUI may now make Bluetooth discoverable, and only when entering the connected Bluetooth devices screen. The real impact is to be tested later.
  • Affected versions: 9, 10, 11, 12
  • Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)

CVE-2021-39627

  • Unsafe PendingIntent use in VoiceMail's LegacyModeSmsHandler; the FLAG_IMMUTABLE flag is added. Same as CVE-2021-39621, just another occurrence in the same class.
  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-39629

  • UAF in phTmlNfc_TmlThread in the NFC module

```diff
   /* Clean up all the TML resources if any error */
   if (NFCSTATUS_SUCCESS != wInitStatus) {
     /* Clear all handles and memory locations initialized during init */
-    phTmlNfc_CleanUp();
+    phTmlNfc_Shutdown_CleanUp();
   }
```

  • Affected versions: 9, 10, 11, 12
  • Credit: none

CVE-2021-0643

  • The SubscriptionManager.getAllActiveSubscriptionInfoList API leaked the device ICCID; it is now protected by the READ_PRIVILEGED_PHONE_STATE permission
  • Affected versions: 10, 11, 12
  • Credit: Aman Pandey of bugsmirror

CVE-2021-39628

  • Information leak in StatusBar. I did not quite follow it; will look into it when I get the chance. The official description:

```
Allow forcing status bar state changes and do so during a cancelled screen off.

During screen off, we show the AOD UI without fully switching to the KEYGUARD state. When screen off is cancelled, we ask all components to reset to the SHADE state, which should also reset the UI components we changed to show AOD. However, since the StatusBarState was already SHADE, this is ignored.

This adds a force flag, which we use when cancelling screen off to make sure that all UI components are reset to the SHADE state regardless.
```

  • Affected versions: 10, 11
  • Credit: Atharav R. Hedage and Om Suryakant Koli

CVE-2021-39659

  • Integer overflow in CreateConnectionProcessor when sorting duplicate phone accounts, resulting in denial of access to emergency services

```diff
             // then by hashcode
-            return account1.hashCode() - account2.hashCode();
+            return Integer.compare(account1.hashCode(), account2.hashCode());
         });
```

  • Affected versions: 10, 11, 12
  • Credit: none
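
Why `hashCode() - hashCode()` is an incorrect comparator is worth seeing concretely: Java int subtraction wraps on overflow, so for two hash codes of opposite sign and large magnitude the sign of the difference can be the opposite of the true ordering, which leaves the sort without a consistent order. The following added example (written for this page, not AOSP code) reproduces the wrapping subtraction in C++ with `int32_t` and contrasts it with a three-way compare equivalent to `Integer.compare`; the function names and the sample hash values in `kHashes` are constructed.

```cpp
// Added example for this page (not AOSP code): why subtracting hash codes is
// not a valid comparator, and what Integer.compare does instead. Java's int
// wraps on overflow; C++ signed overflow is undefined, so the wrap is emulated
// with unsigned arithmetic to reproduce the Java behaviour exactly.
#include <cstdint>
#include <cstdio>
#include <vector>

// What `account1.hashCode() - account2.hashCode()` computes in Java.
int32_t subtractComparator(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) - static_cast<uint32_t>(b));
}

// Equivalent of Integer.compare(a, b): never overflows.
int32_t threeWayCompare(int32_t a, int32_t b) {
    return (a < b) ? -1 : (a > b) ? 1 : 0;
}

using LessFn = bool (*)(int32_t, int32_t);
bool lessBySubtract(int32_t a, int32_t b) { return subtractComparator(a, b) < 0; }
bool lessByCompare(int32_t a, int32_t b) { return threeWayCompare(a, b) < 0; }

// True when `less` agrees with the real numeric order on every pair. A
// comparator that fails this does not define a strict weak ordering, which is
// what lets Collections.sort throw "Comparison method violates its general
// contract!" or silently misorder the list.
bool agreesWithNumericOrder(LessFn less, const std::vector<int32_t>& values) {
    for (int32_t a : values)
        for (int32_t b : values)
            if (less(a, b) != (a < b)) return false;
    return true;
}

// Constructed hash codes spanning the full int range, as hashCode() may.
const std::vector<int32_t> kHashes = {INT32_MIN + 5, -3, 0, 7, INT32_MAX - 5};

int main() {
    int32_t big = INT32_MAX - 5;
    int32_t small = INT32_MIN + 5;
    std::printf("subtract: %d (negative, so it claims big < small)\n", subtractComparator(big, small));
    std::printf("compare:  %d\n", threeWayCompare(big, small));
    std::printf("subtract consistent: %s\n", agreesWithNumericOrder(lessBySubtract, kHashes) ? "yes" : "no");
    std::printf("compare consistent:  %s\n", agreesWithNumericOrder(lessByCompare, kHashes) ? "yes" : "no");
    return 0;
}
```

For small values the subtraction works, which is why this bug hides in review; it only surfaces when two hash codes are far enough apart for the difference to leave the 32-bit range, and a sort that hits such a pair can fail outright rather than merely misorder, which is the denial-of-service angle in the entry above.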

2022-01-05 security patch level vulnerability details