Android Security Bulletin Analysis (November 2021)

2021-11-01 security patch level vulnerability details

Framework

CVE-2021-0799

  • In ActivityThread, ProviderKey entries are now kept in an ArrayMap instead of a SparseArray. ArrayMap compares keys with equals() when two hash codes collide, whereas an int-keyed SparseArray cannot tell apart two ProviderKeys that hash to the same value. ActivityThread runs inside the application's own process, so the concrete exploitation scenario for this bug is not clear from the patch.
  • Affected versions: 12
  • Credit: Makoto Onuki of Google

CVE-2021-0921

  • When a ParsingPackage is passed across processes, complex members are serialized by writing a count first and then the contents. The member in question here is a nested Map<String, ArraySet<PublicKey>>; -1 is used as the null sentinel for both the outer map and each inner set, and the reader pre-sizes each ArraySet with the count it read from the parcel.
/**
 * Writes the keyset mapping to the provided package. {@code null} mappings are permitted.
 */
public static void writeKeySetMapping(@NonNull Parcel dest,
        @NonNull Map<String, ArraySet<PublicKey>> keySetMapping) {
    if (keySetMapping == null) {
        dest.writeInt(-1);
        return;
    }

    final int N = keySetMapping.size();
    dest.writeInt(N);

    for (String key : keySetMapping.keySet()) {
        dest.writeString(key);
        ArraySet<PublicKey> keys = keySetMapping.get(key);
        if (keys == null) {
            dest.writeInt(-1);
            continue;
        }

        final int M = keys.size();
        dest.writeInt(M);
        for (int j = 0; j < M; j++) {
            dest.writeSerializable(keys.valueAt(j));
        }
    }
}

/**
 * Reads a keyset mapping from the given parcel at the given data position. May return
 * {@code null} if the serialized mapping was {@code null}.
 */
@NonNull
public static ArrayMap<String, ArraySet<PublicKey>> readKeySetMapping(@NonNull Parcel in) {
    final int N = in.readInt();
    if (N == -1) {
        return null;
    }

    ArrayMap<String, ArraySet<PublicKey>> keySetMapping = new ArrayMap<>();
    for (int i = 0; i < N; ++i) {
        String key = in.readString();
        final int M = in.readInt();
        if (M == -1) {
            keySetMapping.put(key, null);
            continue;
        }

        ArraySet<PublicKey> keys = new ArraySet<>(M);
        for (int j = 0; j < M; ++j) {
            PublicKey pk = (PublicKey) in.readSerializable();
            keys.add(pk);
        }

        keySetMapping.put(key, keys);
    }

    return keySetMapping;
}
  • Affected versions: 11
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd.
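As an added example (not part of this post and not AOSP code), the following Python models the same length-prefixed layout that writeKeySetMapping and readKeySetMapping use: a count, or -1 for null, then for each entry a string key and a count (or -1) followed by the elements. The Parcel class, the little-endian int32 layout and the use of raw bytes in place of a serialized java.security.PublicKey are stand-ins, not the real Parcel wire format. It also adds the one thing the Java reader above lacks: every count read from the parcel is checked against the bytes that remain before anything is allocated, so a forged count cannot drive a huge pre-allocation.

```python
"""Length-prefixed Map<String, Set<bytes>> encoding (added example, not AOSP).
Parcel, the little-endian int32 layout and bytes-as-PublicKey are stand-ins."""
import struct

NULL = -1  # sentinel the Java code writes for a null map or a null set


class Parcel:
    """Minimal stand-in for android.os.Parcel: byte buffer plus read cursor."""

    def __init__(self, data=b""):
        self.buf = bytearray(data)
        self.pos = 0

    def write_int(self, value):
        self.buf += struct.pack("<i", value)

    def write_bytes(self, value):
        """None -> -1, otherwise length followed by payload."""
        if value is None:
            self.write_int(NULL)
            return
        self.write_int(len(value))
        self.buf += value

    def remaining(self):
        return len(self.buf) - self.pos

    def read_int(self):
        if self.remaining() < 4:
            raise ValueError("parcel truncated")
        (value,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return value

    def read_bytes(self):
        n = self.read_int()
        if n == NULL:
            return None
        if n < 0 or n > self.remaining():
            raise ValueError("bad length %d" % n)
        value = bytes(self.buf[self.pos:self.pos + n])
        self.pos += n
        return value

    def read_count(self):
        """Element count, -1 for null. Every element costs at least one int,
        so a count the remaining bytes cannot hold is rejected before any
        allocation; the Java reader above trusts the count as written."""
        n = self.read_int()
        if n == NULL:
            return NULL
        if n < 0 or n > self.remaining() // 4:
            raise ValueError("implausible count %d" % n)
        return n


def write_keyset_mapping(dest, mapping):
    """Mirror of writeKeySetMapping: count, then key, count, elements..."""
    if mapping is None:
        dest.write_int(NULL)
        return
    dest.write_int(len(mapping))
    for key, keys in mapping.items():
        dest.write_bytes(None if key is None else key.encode("utf-8"))
        if keys is None:
            dest.write_int(NULL)
            continue
        dest.write_int(len(keys))
        for pk in keys:
            dest.write_bytes(pk)  # writeSerializable(PublicKey) stand-in


def read_keyset_mapping(src):
    """Mirror of readKeySetMapping with every count bounds-checked."""
    n = src.read_count()
    if n == NULL:
        return None
    mapping = {}
    for _ in range(n):
        raw = src.read_bytes()
        key = None if raw is None else raw.decode("utf-8")
        m = src.read_count()
        mapping[key] = None if m == NULL else [src.read_bytes() for _ in range(m)]
    return mapping


def roundtrip(mapping):
    p = Parcel()
    write_keyset_mapping(p, mapping)
    return read_keyset_mapping(Parcel(bytes(p.buf)))


def rejects(data):
    """True if the reader refuses the raw parcel bytes instead of trusting them."""
    try:
        read_keyset_mapping(Parcel(data))
        return False
    except ValueError:
        return True


# Constructed sample: two key-set aliases and a null set; the "public keys"
# are arbitrary bytes standing in for serialized java.security.PublicKey.
SAMPLE = {
    "ks1": [b"\x30\x59\x01", b"\x30\x59\x02"],
    "ks2": [b"\x30\x82\x01\x22\x03"],
    "unset": None,
}
```

roundtrip(SAMPLE) returns an equal mapping and roundtrip(None) returns None, matching the Java null handling; rejects(b"\x00\x00\x00\x40") is True because a count of 2^30 with no bytes behind it is refused before any list is built.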

CVE-2021-0923

  • When the owner of an internal-type permission changes, the permission state is now cleaned up (the grant is effectively revoked).
- if (permission.isRuntime() && (ownerChanged || wasNonRuntime)) {
-     // If this is a runtime permission and the owner has changed, or this wasn't a runtime
-     // permission, then permission state should be cleaned up
+ if ((permission.isInternal() && ownerChanged)
+         || (permission.isRuntime() && (ownerChanged || wasNonRuntime))) {
+     // If this is an internal/runtime permission and the owner has changed, or this wasn't a
+     // runtime permission, then permission state should be cleaned up.
      permission.mDefinitionChanged = true;
  }
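Review bot: the rewritten comment on the `+` lines reads as though "this wasn't a runtime permission" also applies to internal permissions, but the condition only covers internal permissions on `ownerChanged`; tighten it to match the code, e.g. "an internal permission whose owner changed, or a runtime permission whose owner changed or that was previously non-runtime". It would also help to note, in the comment or commit message, why signature and normal permissions with a changed owner are deliberately left without `mDefinitionChanged`.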
  • ownerChanged is set when a system app redefines a non-system permission. That should be rare; one plausible case is a non-system app that becomes a system app after an OTA update.
@NonNull
public static Permission createOrUpdate(@Nullable Permission permission,
        @NonNull PermissionInfo permissionInfo, @NonNull AndroidPackage pkg,
        @NonNull Collection<Permission> permissionTrees, boolean isOverridingSystemPermission) {
    // Allow system apps to redefine non-system permissions
    boolean ownerChanged = false;
    if (permission != null && !Objects.equals(permission.mPermissionInfo.packageName,
            permissionInfo.packageName)) {
        if (pkg.isSystem()) {
            if (permission.mType == Permission.TYPE_CONFIG && !permission.mReconciled) {
                // It's a built-in permission and no owner, take ownership now
                permissionInfo.flags |= PermissionInfo.FLAG_INSTALLED;
                permission.mPermissionInfo = permissionInfo;
                permission.mReconciled = true;
                permission.mUid = pkg.getUid();
            } else if (!isOverridingSystemPermission) {
                Slog.w(TAG, "New decl " + pkg + " of permission  "
                        + permissionInfo.name + " is system; overriding "
                        + permission.mPermissionInfo.packageName);
                ownerChanged = true;
                permission = null;
            }
        }
    }
    //...
}
  • Affected versions: 12
  • Credit: Xianlin Wu (吴宪林) of OPPO Amber Security Lab

CVE-2021-0926

  • Restrict third-party apps from launching NfcImportVCardActivity by guarding it with the android.permission.DISPATCH_NFC_MESSAGE permission.
  • Affected versions: 9, 10, 11, 12
  • Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)

CVE-2021-0933

  • Potential XSS in CompanionDeviceActivity: the device display name is now passed through Html.escapeHtml before being rendered.
  • Affected versions: 9, 10, 11, 12
  • Credit: none listed

CVE-2020-13871

  • Fixes for the SQLite bugs CVE-2020-15358 and CVE-2020-13871.
  • Affected versions: 11
  • Credit: none listed

CVE-2021-0653

  • The com.android.server.net.action.SNOOZE_WARNING broadcast sent by NetworkPolicyManagerService now has an explicit receiver restriction so that third-party apps can no longer receive it.
  • Affected versions: 9, 10, 11
  • Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)

CVE-2021-0922

  • The INTERACT_ACROSS_PROFILES appop was granted per package. When two packages share a UID (sharedUserId), only one of them may hold the op, and enforceCrossUserOrProfilePermission then gives unreliable answers: it relies on getPackagesForUid, which returns several packages for a shared UID, and the check ends up using whichever package happens to come first. The fix grants the appop to the UID rather than to a package, because the Android application sandbox is fundamentally a UID boundary, not a package boundary.
  • Affected versions: 11
  • Credit: Khouloud Mansouri of Google
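The following is an added example, not part of this post and not the AOSP code, written as a Python model of the check described above. The package table, the UIDs, the grant tables and the simulated order that getPackagesForUid returns are all constructed; the migration rule "a UID holds the op if any package running as it held the op" is an assumption made for the model. It shows that the per-package design gives two different answers for the same UID depending on lookup order, while the UID-keyed design gives one.

```python
"""Model of the CVE-2021-0922 app-op check (added example, not AOSP code).
The package table, UIDs and grant tables are constructed; the order in which
getPackagesForUid returns packages for a shared UID is simulated explicitly."""

SHARED_UID = 10123
OP_INTERACT_ACROSS_PROFILES = "android:interact_across_profiles"

# Constructed: two packages declaring the same sharedUserId plus an unrelated app.
PACKAGE_UID = {
    "com.example.profile.main": SHARED_UID,
    "com.example.profile.helper": SHARED_UID,
    "com.example.other": 10200,
}

# Constructed per-package state: only the helper package was granted the op.
PER_PACKAGE_GRANTS = {("com.example.profile.helper", OP_INTERACT_ACROSS_PROFILES): True}


def packages_for_uid(uid, order="install"):
    """Stand-in for PackageManager.getPackagesForUid(): every package that
    runs as `uid`, in an order the caller has no control over."""
    pkgs = [p for p, u in PACKAGE_UID.items() if u == uid]
    return pkgs if order == "install" else list(reversed(pkgs))


def vulnerable_check(uid, order="install"):
    """Per-package grant consulted through 'some package for this UID'.
    Both packages share one sandbox, yet the answer depends on which of
    them the lookup happens to return first."""
    pkgs = packages_for_uid(uid, order)
    if not pkgs:
        return False
    return PER_PACKAGE_GRANTS.get((pkgs[0], OP_INTERACT_ACROSS_PROFILES), False)


def grants_per_uid(per_package):
    """Migration to UID-keyed grants (assumed rule for this model: a UID
    holds the op if any package running as that UID held it)."""
    per_uid = {}
    for (pkg, op), allowed in per_package.items():
        if allowed:
            per_uid[(PACKAGE_UID[pkg], op)] = True
    return per_uid


def fixed_check(uid, per_uid):
    """Grant keyed by the UID, i.e. by the sandbox boundary: no package
    lookup, so every package sharing the UID gets the same answer."""
    return per_uid.get((uid, OP_INTERACT_ACROSS_PROFILES), False)


def outcomes(uid=SHARED_UID):
    """(vulnerable, install order), (vulnerable, reversed order), fixed."""
    per_uid = grants_per_uid(PER_PACKAGE_GRANTS)
    return (vulnerable_check(uid, "install"),
            vulnerable_check(uid, "reversed"),
            fixed_check(uid, per_uid))
```

outcomes() returns (False, True, True) for the shared UID: the per-package check denies or allows depending purely on which package getPackagesForUid lists first, while the UID-keyed check is stable. For the unrelated app (10200) every variant returns False.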

Media Framework

CVE-2021-0928

  • When objects such as OutputConfiguration are passed in through the Camera2 interface, exceptions raised while unparceling them were caught incorrectly, so an empty (default-initialised) object was returned instead of the failure propagating.
  • Four classes have this problem:
    • OutputConfiguration
    • VendorTagDescriptor
    • VendorTagDescriptorCache
    • SessionConfiguration
  • Affected versions: 9, 10, 11
  • Credit: Michał Bednarski (michalbednarski)

CVE-2021-0650

  • Out-of-bounds read in WT_InterpolateNoLoop of the sonivox component.
  • Affected versions: 9, 10, 11
  • Credit: none listed

System

CVE-2021-0918

  • Remote code execution in the GATT implementation.
  • Affected versions: 12
  • Credit: Xianfeng Lu (卢先锋) and Lei Ai (艾磊) of OPPO Amber Security Lab

CVE-2021-0930

  • Out-of-bounds write in phNxpNciHal_process_ext_rsp in the pn8x NFC HAL; the fix adds a length check on the incoming notification:
+ if (*p_len <= (p_ntf[2] + 2)) {
+   android_errorWriteLog(0x534e4554, "181660091");
+   NXPLOG_NCIHAL_E("length error!");
+   return NFCSTATUS_FAILED;
+ }
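Review bot: the new check reads `p_ntf[2]` before anything has established that the notification is at least three bytes long, so a `p_ntf` of one or two bytes is read out of bounds by the length check itself. Put a short-buffer guard first, e.g. `if (*p_len < 3 || *p_len <= (p_ntf[2] + 2)) {`, and consider giving the `0x534e4554` tag and the `+ 2` header overhead names instead of bare magic numbers.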
  • Affected versions: 9, 10, 11, 12
  • Credit: Chaoyuan Peng (@ret2happy)

CVE-2021-0434

  • Reworded the ambiguous warning text shown when a Bluetooth permission is granted, to prevent it from being used for phishing or spoofing.
  • Affected versions: 9, 10, 11
  • Credit: Christophe Devine, ANSSI

CVE-2021-0649

  • startVpnProfile() and stopVpnProfile() in VpnManagerService did not verify that the calling UID owns the package name it passed in, so one app could stop (or start) a VPN profile belonging to another app.
@Override
public void startVpnProfile(@NonNull String packageName) {
-      final int user = UserHandle.getUserId(mDeps.getCallingUid());
+      final int callingUid = Binder.getCallingUid();
+      verifyCallingUidAndPackage(packageName, callingUid);
+      final int user = UserHandle.getUserId(callingUid);
       synchronized (mVpns) {
           throwIfLockdownEnabled();
           mVpns.get(user).startVpnProfile(packageName);
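Review bot: the `-` line obtained the caller through `mDeps.getCallingUid()` and the `+` lines replace it with a direct `Binder.getCallingUid()`, which removes the injection seam tests use to impersonate callers; keep `mDeps.getCallingUid()` for the UID and pass that value to `verifyCallingUidAndPackage` so the new check stays testable. `verifyCallingUidAndPackage` is also introduced without its contract being visible here, and nothing checks a return value, so document that it throws on a mismatch.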
//...
@Override
public void stopVpnProfile(@NonNull String packageName) {
-      final int user = UserHandle.getUserId(mDeps.getCallingUid());
+      final int callingUid = Binder.getCallingUid();
+      verifyCallingUidAndPackage(packageName, callingUid);
+      final int user = UserHandle.getUserId(callingUid);
       synchronized (mVpns) {
           mVpns.get(user).stopVpnProfile(packageName);
       }
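Review bot: the three `+` lines duplicate the block added to `startVpnProfile` verbatim; fold them into one helper that verifies the package against the calling UID and returns the user id, e.g. `final int user = verifyCallerAndGetUserId(packageName);`, so a future entry point cannot forget the check. Note also that `stopVpnProfile` has no `throwIfLockdownEnabled()` while `startVpnProfile` does; if that asymmetry is intended, a one-line comment would prevent it from being "fixed" later.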
//...
  • Affected versions: 11
  • Credit: Aman Pandey of bugsmirror

CVE-2021-0932

  • Unsafe (mutable, empty-Intent) PendingIntent in SystemUI's NavigationModeController:
                       .setStyle(new Notification.BigTextStyle())
                       .setSmallIcon(R.drawable.ic_info)
                       .setAutoCancel(true)
-                      .setContentIntent(PendingIntent.getActivity(context, 0, new Intent(), 0));
+                      .setContentIntent(PendingIntent.getActivity(context, 0, new Intent(),
+                              PendingIntent.FLAG_IMMUTABLE));
       context.getSystemService(NotificationManager.class).notify(TAG, 0, builder.build());
   }
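Review bot: FLAG_IMMUTABLE closes the hijack (a mutable PendingIntent over an empty `new Intent()` lets whoever obtains it fill in the target and have it launched with SystemUI's identity), but the content intent still does nothing when tapped. Unless a target activity is intended, drop `setContentIntent` rather than keep a no-op immutable PendingIntent; if one is intended, set an explicit component. Either way, a comment on the `+` lines explaining why the intent is empty would stop the next reader from removing the flag.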
  • Affected versions: 10
  • Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)

CVE-2021-0925

  • In the NFC T4T code, cc_file_rsp_len was initialised to 0 where it should have been T4T_CC_FILE_MIN_LEN; this most likely leads to an out-of-bounds read of the CC file response.
  • Affected versions: 12
  • Credit: Android Security Red Team

CVE-2021-0931

  • BluetoothDevice now strips newline characters when returning the remote device alias, so that an attacker-controlled name cannot break the displayed text across lines.
  • Affected versions: 9, 10, 11, 12
  • Credit: none listed

CVE-2021-0919

  • Loss of precision in uptimeMillis in libbinder: the value should be an int64_t. The device reportedly behaves normally for about one month before the problem shows, and what goes wrong after that is not clear from the patch. (If the millisecond count was being truncated to a signed 32-bit value, it would wrap after 2^31 ms, roughly 24.9 days, which fits that window; this is an inference, not something the patch states.)
  • Affected versions: 9, 10, 11
  • Credit: none listed

2021-11-05 security patch level vulnerability details

Android TV

CVE-2021-0889

  • This vulnerability allows a remote attacker to pair with a TV silently and achieve remote code execution. The patch has not been published yet.

CVE-2021-0927

  • In TvInputManagerService.requestChannelBrowsable, Binder.getCallingUid() is called after Binder.clearCallingIdentity(), so the permission check sees the system server's own UID instead of the caller's and passes for any caller: a permission bypass.
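As an added example (not part of this post and not the TvInputManagerService code), here is a Python model of the calling-identity mistake above. The Binder class, the UIDs, the ChannelStore and the ALLOWED_UIDS list are stand-ins for the real android.os.Binder, the service's internal channel state and its permission check. The point it makes is the ordering: whatever the service reads from getCallingUid() after clearCallingIdentity() is its own identity, so the caller must be captured and checked before the identity is cleared.

```python
"""Model of Binder calling-identity handling around a permission check
(added example; not the TvInputManagerService code). The Binder class, the
UIDs, the channel store and the ACL are stand-ins."""
import threading

SYSTEM_UID = 1000


class Binder:
    """Stand-in for android.os.Binder's per-thread calling identity."""
    _local = threading.local()

    @classmethod
    def set_calling_uid(cls, uid):
        """What the transaction does on entry: record who is calling."""
        cls._local.uid = uid

    @classmethod
    def get_calling_uid(cls):
        return getattr(cls._local, "uid", SYSTEM_UID)

    @classmethod
    def clear_calling_identity(cls):
        """Swap in the system's own identity; returns a token for restore."""
        token = cls.get_calling_uid()
        cls._local.uid = SYSTEM_UID
        return token

    @classmethod
    def restore_calling_identity(cls, token):
        cls._local.uid = token


class ChannelStore:
    """Internal API that must be reached with the system identity, which is
    why the service clears the caller's identity before using it."""

    def __init__(self):
        self.browsable = set()

    def set_browsable(self, channel_id):
        if Binder.get_calling_uid() != SYSTEM_UID:
            raise PermissionError("system identity required")
        self.browsable.add(channel_id)


# Constructed ACL: app UIDs allowed to mark a channel browsable.
ALLOWED_UIDS = {10042}


def vulnerable_request(store, caller_uid, channel_id):
    """Check performed after clearCallingIdentity: it always sees SYSTEM_UID."""
    Binder.set_calling_uid(caller_uid)
    token = Binder.clear_calling_identity()
    try:
        uid = Binder.get_calling_uid()  # bug: this is SYSTEM_UID by now
        if uid != SYSTEM_UID and uid not in ALLOWED_UIDS:
            return False
        store.set_browsable(channel_id)
        return channel_id in store.browsable
    finally:
        Binder.restore_calling_identity(token)


def fixed_request(store, caller_uid, channel_id):
    """Capture and check the real caller first, then drop the identity."""
    Binder.set_calling_uid(caller_uid)
    uid = Binder.get_calling_uid()
    if uid != SYSTEM_UID and uid not in ALLOWED_UIDS:
        return False
    token = Binder.clear_calling_identity()
    try:
        store.set_browsable(channel_id)
        return channel_id in store.browsable
    finally:
        Binder.restore_calling_identity(token)
```

vulnerable_request(ChannelStore(), 10999, "ch1") returns True for a UID that is not on the list, because the check ran with the cleared identity; fixed_request returns False for the same caller and True only for an allowed UID (or the system itself).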
