2022-07-01 security patch level vulnerability details
Framework
- StorageManagerService在加密用户文件的时候如果出现异常,需要重新抛出异常给调用者表示加密操作失败,不能静默处理之后使得部分文件还处于未加密状态。
- Updated AOSP versions: 10, 11, 12, 12L
- 致谢:Eric Biggers of Google
- C2DmaBufAllocator内存映射的条件竞争问题
- Updated AOSP versions: 12, 12L
- 致谢:无
System
uint16_t char_ext_prop =
attr16.p_value ? attr16.p_value->char_ext_prop : 0x0000;
*p_len = 2;
+
+ if (mtu < *p_len) {
+ android_errorWriteWithInfoLog(0x534e4554, "228078096", -1, NULL, 0);
+ return GATT_NO_RESOURCES;
+ }
+
UINT16_TO_STREAM(p, char_ext_prop);
*p_data = p;
return GATT_SUCCESS;
- Updated AOSP versions: 12, 12L
- 致谢:Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab
APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
+ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+ return;
+ }
+
/* look for a matching indicator on list of supported ones */
for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
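Review bot: The new `index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT` guard returns silently, while the other bound checks in this patch level (the GATT and AVRC hunks) record the rejected input with `android_errorWriteLog(0x534e4554, "<bug-id>")` so the condition can be detected in the field; the same call here, with this fix's bug id, would give the same visibility. The preceding APPL_TRACE_DEBUG prints `index` with `%lu`, which suggests an unsigned type, in which case an upper bound alone is sufficient — worth confirming against the declaration, which is outside the hunk. The enclosing function starts and ends outside the hunk.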
- Updated AOSP versions: 10, 11, 12, 12L
- 致谢:Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab
- 对于无法通过fixNotification修复的通知,如果是前台服务通知,则需要杀死对应的前台服务,Android 12上没有这个问题
// Fix the notification as best we can.
try {
fixNotification(notification, pkg, tag, id, userId);
-
} catch (Exception e) {
+ if (notification.isForegroundService()) {
+ throw new SecurityException("Invalid FGS notification", e);
+ }
Slog.e(TAG, "Cannot fix notification", e);
return;
}
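Review bot: The comment `// Fix the notification as best we can.` above the try no longer describes the block, which now rejects a foreground-service notification outright when fixNotification fails; suggest `// Fix the notification as best we can; an unfixable FGS notification is rejected with a SecurityException.` Note also that the surrounding `catch (Exception e)` turns any failure, including an unexpected runtime error inside fixNotification, into a SecurityException for the FGS case; whether callers need to tell those apart is not visible here. The enclosing method continues outside the hunk.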
- Updated AOSP versions: 10, 11
- 致谢:无
- AppRestrictionsFragment中判断传入的Intent的package是否满足同应用的要求,但是这个判断存在漏洞。因为如果组件名被设置,那么包名字段就会被忽略。修复则是删除了这一段多余的判断。
private void assertSafeToStartCustomActivity(Intent intent) {
- // Activity can be started if it belongs to the same app
- if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
- return;
- }
+ EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "");
ResolveInfo resolveInfo = mPackageManager.resolveActivity(
intent, PackageManager.MATCH_DEFAULT_ONLY);
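Review bot: `EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "")` now fires on every call of assertSafeToStartCustomActivity, not only in the case the removed shortcut used to accept, so the safety-net event no longer tells a reviewer how often the old bypass would have applied. If that signal is wanted, keep the old condition around the log only: `if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {` / `EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "");` / `}` — the resolveActivity check then still runs unconditionally. If unconditional logging is intended, a one-line comment saying so would save the next reader the question. The method continues outside the hunk.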
- Updated AOSP versions: 10, 11, 12, 12L
- 致谢:Tianyi Hu (胡天易) of Bytedance Wuheng Lab
- 待分析
- Updated AOSP versions: 12, 12L
- 致谢:Rob Carr of Google
tAVRC_STS status = AVRC_STS_NO_ERROR;
+ if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ android_errorWriteLog(0x534e4554, "205571133");
+ return AVRC_STS_INTERNAL_ERR;
+ }
uint8_t* p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);
- Updated AOSP versions: 10, 11, 12, 12L
- 致谢:Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab
/* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf) \
- do { \
- while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf) \
+ do { \
+ while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
} while (0)
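Review bot: The comment `/* skip rest of AT string up to <cr> */` should now state the second stop condition, since after the macro `*buf` may be `'\0'` rather than `'\r'`; suggest `/* skip rest of AT string up to <cr>, stopping at the terminating NUL if no <cr> is present */`. Any caller that advances past the `<cr>` unconditionally after this macro would step past the terminator on an unterminated string; the call sites are outside the hunk and should be checked for that.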
- Updated AOSP versions: 10, 11, 12, 12L
- 致谢:Zinuo Han(weibo.com/ele7enxxh) of OPPO Amber Security Lab
- getSubscriptionProperty(GROUP_UUID)接口未被READ_PRIVILEGED_PHONE_STATE权限保护,造成信息泄漏。
public String getSubscriptionProperty(int subId, String propKey, String callingPackage,
String callingFeatureId) {
- if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId, callingPackage,
- callingFeatureId, "getSubscriptionProperty")) {
- return null;
+ switch (propKey) {
+ case SubscriptionManager.GROUP_UUID:
+ if (mContext.checkCallingOrSelfPermission(
+ Manifest.permission.READ_PRIVILEGED_PHONE_STATE) != PERMISSION_GRANTED) {
+ EventLog.writeEvent(0x534e4554, "213457638", Binder.getCallingUid());
+ return null;
+ }
+ break;
+ default:
+ if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId,
+ callingPackage, callingFeatureId, "getSubscriptionProperty")) {
+ return null;
+ }
}
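Review bot: `switch (propKey)` on a String throws NullPointerException when `propKey` is null, and this switch now runs before any permission check, so a null key from a binder caller fails with an NPE instead of the permission-based `return null` the old code reached first; a guard such as `if (propKey == null) { return null; }` ahead of the switch keeps the method's null contract explicit. `PERMISSION_GRANTED` is used unqualified, presumably via a static import that is outside the hunk. The method body continues past the hunk.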
- Updated AOSP versions: 10, 11, 12, 12L
- 致谢:Aman Pandey of bugsmirror
- KeyChain显示URI Authority的时候进行URL编码
Uri uri = getIntent().getParcelableExtra(KeyChain.EXTRA_URI);
if (uri != null) {
String hostMessage = String.format(res.getString(R.string.requesting_server),
- uri.getAuthority());
+ Uri.encode(uri.getAuthority(), "$,;:@&=+"));
if (contextMessage == null) {
contextMessage = hostMessage;
} else {
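Review bot: The allowed-character set `"$,;:@&=+"` passed to Uri.encode keeps `@` and `:` unencoded, so an authority carrying userinfo (`user@host`) is displayed exactly as received; if the purpose of encoding the authority is to make the shown host unambiguous, whether `@` belongs in the allowed set is worth confirming. Either way the choice deserves a comment, e.g. `// Percent-encode the authority so it renders literally; URI sub-delimiters stay readable.` The surrounding method continues outside the hunk.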
- Updated AOSP versions: 10, 11, 12, 12L
- 致谢:无
2022-07-05 security patch level vulnerability details
Framework
- ContactsProvider防止打开、删除、同步或插入文件到Call Composer文件夹以外的地方。
/**
 * Enforces a stricter check on what files the CallLogProvider can perform file operations on.
 *
 * <p>The check delegates to {@link FileUtilities#isSameOrSubDirectory}: the request is accepted
 * only when {@code pathToCheck} is {@code rootPath} itself or lies beneath it. A rejected path is
 * first recorded with an {@code EventLog} entry (tag {@code 0x534e4554}, the calling uid and the
 * calling method name) and then refused with a {@link SecurityException}.
 *
 * @param rootPath where all valid new/existing paths should pass through.
 * @param pathToCheck newly created path that is requesting a file op. (open, delete, etc.)
 * @param callingMethod the calling method. Used only for debugging purposes.
 * @throws SecurityException if {@code pathToCheck} is not {@code rootPath} or a path below it.
 */
private void enforceValidCallLogPath(Path rootPath, Path pathToCheck, String callingMethod) {
    final boolean insideRoot =
            FileUtilities.isSameOrSubDirectory(rootPath.toFile(), pathToCheck.toFile());
    if (insideRoot) {
        return;
    }
    // Leave an audit trail of the rejected request before refusing it.
    EventLog.writeEvent(0x534e4554, "219015884", Binder.getCallingUid(),
            callingMethod + ": invalid uri passed");
    throw new SecurityException(
            FileUtilities.INVALID_CALL_LOG_PATH_EXCEPTION_MESSAGE + pathToCheck);
}
package com.android.providers.contacts.util;
import android.util.Log;
import java.io.File;
import java.io.IOException;
public final class FileUtilities {
    public static final String TAG = FileUtilities.class.getSimpleName();
    public static final String INVALID_CALL_LOG_PATH_EXCEPTION_MESSAGE =
            "Invalid [Call Log] path. Cannot operate on file:";

    /**
     * Checks whether {@code child} is the same directory as {@code base} or a sub-directory of it.
     *
     * <p>Both arguments are canonicalized with {@link File#getCanonicalFile()} before comparison,
     * and the canonical child is then walked up through its parents looking for an exact match
     * with the canonical base.
     *
     * @param base the directory that must contain {@code child}.
     * @param child the path to test.
     * @return {@code true} when the canonical {@code child} is, or is nested under, the canonical
     *     {@code base}; {@code false} otherwise, and also when canonicalization fails with an
     *     {@link IOException} (the failure is logged under {@link #TAG}).
     */
    public static boolean isSameOrSubDirectory(File base, File child) {
        final File canonicalBase;
        File cursor;
        try {
            canonicalBase = base.getCanonicalFile();
            cursor = child.getCanonicalFile();
        } catch (IOException ex) {
            Log.e(TAG, "Error while accessing file", ex);
            return false;
        }
        // Climb from the child towards the filesystem root; getParentFile() yields null at the top.
        for (; cursor != null; cursor = cursor.getParentFile()) {
            if (canonicalBase.equals(cursor)) {
                return true;
            }
        }
        return false;
    }
}
- Updated Android versions: 12, 12L