2022-06-01 security patch level vulnerability details
Framework
CVE-2021-39691
- As of writing, the patch for this vulnerability has not been uploaded to AOSP
- Updated AOSP versions: 10, 11, 12
- Credit: Matthew Daley
CVE-2022-20006
- During a user switch the System UI main thread is busy and cannot promptly service the PhoneWindowManager.lockNow() and KeyguardViewMediator.doKeyguardTimeout() calls. This opens a race window in which the guest user can switch back to the primary user and access the primary user's content without the primary user's credentials (lock screen password). On low-end devices the window can last 15-30 seconds. The mitigation prioritizes these two events so the device locks as soon as possible, and has system_server update its local cache first.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Joshua Nearchos
CVE-2022-20125
- Adds a finalizeWorkProfileProvisioning API; the actual vulnerable spot still needs analysis.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: ISMAEL AMZDAK
CVE-2022-20138
- As of writing, the patch for this vulnerability has not been uploaded to AOSP
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)
CVE-2021-39624
- Null pointer dereference in PackageInstallerService: a child session whose parent is missing from mSessions made root null
// Their staging dirs will be removed too
PackageInstallerSession root = !session.hasParentSessionId()
? session : mSessions.get(session.getParentSessionId());
- if (!root.isDestroyed() && + if (root == null) {+ Slog.e(TAG, "freeStageDirs: found an orphaned session: "+ + session.sessionId + " parent=" + session.getParentSessionId());+ } else if (!root.isDestroyed() &&
(!root.isStaged() || (root.isStaged() && root.isStagedSessionReady())))
{
root.abandon();
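Review bot: the new `root == null` branch only logs the orphaned session and then falls through without doing anything to it, so the orphan keeps its staging directory (the comment above the lookup says abandoning the root is what removes those). Consider abandoning or otherwise cleaning up `session` itself in that branch, or say in the log message where the orphan is expected to be reaped.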
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Hongli Han (@hexb1n) and Mingjian Zhou (周明建) (@Mingjian_Zhou) of C0RE Team
CVE-2022-20130
- transportDec_OutOfBandConfig in libMpegTPDec now rejects an invalid OutOfBandConfig and skips the memory reallocation
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: none
System
CVE-2022-20127
- Double free in the NFC ce_t4t module; the fix returns immediately after the freebuf call
} else {
GKI_freebuf(p_c_apdu);
ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+ return;
}
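Review bot: the added `return;` prevents the second free only by control flow; `p_c_apdu` still holds the freed pointer after `GKI_freebuf(p_c_apdu)`, so any later path that reaches the original free site again will double free. Setting `p_c_apdu = NULL` right after `GKI_freebuf(p_c_apdu)` in this block would keep that safe however the function is restructured later.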
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: none
CVE-2022-20140
- GATT
- Updated AOSP versions: 12, 12L
CVE-2022-20145
- As of writing, the patch for this vulnerability has not been uploaded to AOSP
- Updated AOSP versions: 11
- Credit: Sze Yiu Chau, Hugo Hue, and Ka Lok Wu of The Chinese University of Hong Kong (CUHK)
CVE-2022-20124
- Non-admin users can no longer uninstall updates to system apps (i.e. downgrade them); the main target is the guest user uninstalling system app updates.
// Only an admin user may downgrade (uninstall updates of) a system app
if (isSystemApp(uninstalledPs)) {
    UserInfo userInfo = mUserManager.getUserInfo(userId);
    if (userInfo == null || !userInfo.isAdmin()) {
        Slog.w(TAG, "Not removing package " + packageName
                + " as only admin user may downgrade system apps");
        EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
        return PackageManager.DELETE_FAILED_USER_RESTRICTED;
    }
}
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Pratheesh P Narayanan
CVE-2022-20126
- Calling the BluetoothAdapter.setScanMode API now requires the BLUETOOTH_PRIVILEGED permission.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Aman Pandey of bugsmirror
CVE-2022-20133
- Calling the BluetoothAdapter.setDiscoverableTimeout API now requires the BLUETOOTH_PRIVILEGED permission.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Aman Pandey of bugsmirror
CVE-2022-20134
- The com.android.contacts.dialog.CallSubjectDialog activity is no longer exported
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: none
CVE-2022-20135
- Parcel serialization/deserialization mismatch in GateKeeperResponse: the write and read sides disagree when mPayload has length 0. Exploitable with the Bundle mismatch technique.
- if (mPayload != null) {+ if (mPayload != null && mPayload.length > 0) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
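Review bot: with the tightened condition an empty `mPayload` now takes the same path as a null one, so the reader cannot distinguish the two and must treat both as "no payload". Confirm that the else path (not in this hunk) still writes a single `writeInt(0)` so the reader's size read is consumed in both cases, and document that a zero-length payload round-trips as null.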
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Sergey Toshin (@bagipro) of Oversecured Inc.
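A minimal model of the framing behind this mismatch, added here as an illustration and not taken from AOSP: the Parcel class mimics Android's int32 stream with length-prefixed, 4-byte-aligned byte arrays; write_response models the payload part of GateKeeperResponse.writeToParcel with the condition before and after the patch; read_response models the matching createFromParcel read (a size int, then the array only when size > 0). The else branch that writes a 0 length for a null payload, and the trailing marker field standing in for whatever follows in the transaction, are assumptions made for this model.

```python
import struct


class Parcel:
    """Toy model of android.os.Parcel: little-endian int32 stream, byte arrays
    carry their own length prefix and are padded to 4-byte alignment."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.pos = 0  # read cursor

    def write_int(self, v: int) -> None:
        self.buf += struct.pack("<i", v)

    def write_byte_array(self, b) -> None:
        # Like Parcel.writeByteArray: -1 for null, otherwise length + data + padding
        if b is None:
            self.write_int(-1)
            return
        self.write_int(len(b))
        self.buf += bytes(b) + b"\0" * (-len(b) % 4)

    def read_int(self) -> int:
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v

    def read_byte_array(self):
        n = self.read_int()
        if n < 0:
            return None
        b = bytes(self.buf[self.pos:self.pos + n])
        self.pos += n + (-n % 4)
        return b

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def write_response(p: Parcel, payload, fixed: bool) -> None:
    """Models the payload part of GateKeeperResponse.writeToParcel.
    fixed=False: the pre-patch condition (mPayload != null)
    fixed=True : the patched condition   (mPayload != null && mPayload.length > 0)
    The else branch writing a 0 length is an assumption of this model."""
    present = payload is not None and (len(payload) > 0 or not fixed)
    if present:
        p.write_int(len(payload))    # explicit length written by the class ...
        p.write_byte_array(payload)  # ... plus writeByteArray's own length prefix
    else:
        p.write_int(0)


def read_response(p: Parcel):
    """Models createFromParcel: read the size, then the array only if size > 0."""
    size = p.read_int()
    if size > 0:
        return p.read_byte_array()
    return None


def desync_after_read(payload, fixed: bool):
    """Serialize a response followed by one more int field (a constructed
    stand-in for whatever comes next in the transaction), deserialize the
    response, and return (stray bytes left before that field, value the next
    reader actually sees)."""
    NEXT_FIELD = 0x41  # constructed marker value
    p = Parcel()
    write_response(p, payload, fixed)
    p.write_int(NEXT_FIELD)
    read_response(p)
    stray = p.remaining() - 4
    return stray, p.read_int()


if __name__ == "__main__":
    for payload in (b"", b"abc", None):
        for fixed in (False, True):
            print(payload, "fixed" if fixed else "vuln", desync_after_read(payload, fixed))
```

With the pre-patch writer and an empty payload, the wire carries two zero ints (the explicit length and writeByteArray's own prefix) while the reader consumes only one, so every field after the response is parsed 4 bytes off and the next reader sees 0 instead of the marker. Those stray bytes are the primitive the entry refers to as the Bundle mismatch technique: a second consumer of the same Bundle ends up with different keys and values than the first. With the patched condition, or with a non-empty or null payload, writer and reader stay aligned.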
CVE-2022-20137
- Non-admin users can no longer share or forget Wi-Fi networks.
- Updated AOSP versions: 12, 12L
- Credit: Lucian of OPPO Amber Security Lab
CVE-2022-20142
- Parcel serialization/deserialization mismatch in GeofenceHardwareRequestParcelable: createFromParcel bailed out with null after reading only the type, leaving the rest of the fields unread. Exploitable with the Bundle mismatch technique.
public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) {
int geofenceType = parcel.readInt();
- if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {- Log.e(- "GeofenceHardwareRequest",- String.format("Invalid Geofence type: %d", geofenceType));- return null;+ if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {+ throw new BadParcelableException("Invalid Geofence type: " + geofenceType);
}
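Review bot: the `return null` was the desync itself: after reading only `geofenceType` it left the rest of the writer's fields in the Parcel for whoever reads next, so replacing it with `BadParcelableException` is the right call. The removed `Log.e` means the rejection is now visible only through the exception that reaches the caller; if a local trace is still wanted, log before throwing rather than in place of it.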
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Sergey Toshin (@bagipro) of Oversecured Inc.
CVE-2022-20144
- Unauthorized file read in EditUserPhotoController; the fix restricts photo editing to calls into system apps only. This looks like a variant found by analyzing CVE-2021-0952.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: none
CVE-2022-20147
- Out-of-bounds read in nfa_dm_check_set_config in the NFC module
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab
CVE-2022-20123
- Out-of-bounds read in phNciNfc_RecvMfResp in the NFC module
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab
CVE-2022-20131
- Out-of-bounds read in nfc_ncif_proc_ee_discover_req in the NFC module
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab
CVE-2022-20129
- TelecomManager now allows each app to register at most 10 phone accounts; a check is added in registerPhoneAccount and the API docs are updated.
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: none
CVE-2022-20143
- Adds an OEM-configurable limit on Zen rules in Zen mode
- Updated AOSP versions: 10, 11, 12, 12L
- Credit: none
2022-06-05 security patch level vulnerability details