2021-07-01 security patch level vulnerability details
Framework
CVE-2021-0441
- Allows the MediaProvider permission dialog to display text longer than two lines.
CVE-2021-0486
CVE-2021-0587
CVE-2021-0601
System
CVE-2020-0417
- The Notification built by GpsNetInitiatedHandler carried an unnecessary PendingIntent, and that PendingIntent did not specify a package, which enables the classic PendingIntent hijacking attack.
CVE-2021-0585
- In libfmq, check that the read and write pointers are aligned to the element size before reading from or writing to the MessageQueue.
auto writePtr = mWritePtr->load(std::memory_order_relaxed);
+ if (writePtr % sizeof(T) != 0) {
+ hardware::details::logError(
+ "The write pointer has become misaligned. Writing to the queue is no longer "
+ "possible.");
+ return false;
+ }
size_t writeOffset = writePtr % mDesc->getSize();
auto readPtr = mReadPtr->load(std::memory_order_relaxed);
+ if (writePtr % sizeof(T) != 0 || readPtr % sizeof(T) != 0) {
+ hardware::details::logError(
+ "The write or read pointer has become misaligned. Reading from the queue is no "
+ "longer possible.");
+ return false;
+ }
if (writePtr - readPtr > mDesc->getSize()) {
mReadPtr->store(writePtr, std::memory_order_release);
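Review bot: the write-side check validates only `writePtr`, while the read side validates both `writePtr` and `readPtr`; if the write path also consults mReadPtr to compute free space, it should validate that counter in the same way, since both counters live in memory shared with the peer. Both failures also call logError unconditionally on every attempt, so a peer that leaves a counter misaligned makes every subsequent read or write emit a log line; consider logging once (or rate-limiting) while keeping the `return false`.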
CVE-2021-0586
- Add SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS to the Bluetooth device-picker screen DevicePickerActivity to prevent overlay windows from covering it.
CVE-2021-0589
- Out-of-bounds array write in Bluetooth btm_acl; this issue is triggered locally.
bool BTM_TryAllocateSCN(uint8_t scn) {
/* Make sure we don't exceed max port range.
* Stack reserves scn 1 for HFP, HSP we still do the correct way.
*/
- if ((scn >= BTM_MAX_SCN) || (scn == 1)) return false;
+ if ((scn >= BTM_MAX_SCN) || (scn == 1) || (scn == 0)) return false;
/* check if this port is available */
if (!btm_cb.btm_scn[scn - 1]) {
btm_cb.btm_scn[scn - 1] = true;
return true;
}
return (false); /* Port was busy */
}
bool BTM_FreeSCN(uint8_t scn) {
BTM_TRACE_DEBUG("BTM_FreeSCN ");
- if (scn <= BTM_MAX_SCN) {
+ if (scn <= BTM_MAX_SCN && scn > 0) {
btm_cb.btm_scn[scn - 1] = false;
return (true);
} else {
return (false); /* Illegal SCN passed in */
}
}
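Review bot: the two bounds checks disagree: BTM_TryAllocateSCN rejects `scn >= BTM_MAX_SCN` while BTM_FreeSCN accepts `scn <= BTM_MAX_SCN`, so BTM_FreeSCN can write btm_scn[BTM_MAX_SCN - 1], an index BTM_TryAllocateSCN never hands out; whichever bound matches the size of btm_cb.btm_scn, both functions should use it. The added `scn == 0` / `scn > 0` conditions are the actual fix for the out-of-bounds write (scn - 1 with scn == 0 indexes before the array); a small shared helper such as `is_valid_scn(scn)` would keep the two conditions from drifting apart again.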
CVE-2021-0594
- The NFC pairing-confirmation screen has a CRLF injection when handling the Bluetooth device-name field of the NDEF message, causing the dialog text to wrap so that the user cannot accurately see the Bluetooth device name.
+ String btExtraName = launchIntent.getStringExtra(BluetoothDevice.EXTRA_NAME);
String confirmString = String.format(res.getString(R.string.confirm_pairing),
- launchIntent.getStringExtra(BluetoothDevice.EXTRA_NAME));
+ "\"" + btExtraName.replaceAll("\\r|\\n", "") + "\"");
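Review bot: `btExtraName.replaceAll(...)` throws a NullPointerException when the intent carries no EXTRA_NAME, because getStringExtra returns null in that case; the previous code passed the null straight into String.format, which tolerated it. Guard with a null check (or default to an empty string) before calling replaceAll. The regex `\\r|\\n` also leaves other line and paragraph separators and control characters untouched, so consider stripping the whole `\\p{Cntrl}` class rather than only CR and LF.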
CVE-2021-0600
- HTML injection in the device-admin request screen, causing the screen to render incorrectly.
- mAddMsgText = getIntent().getCharSequenceExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION);
+ final CharSequence addMsgCharSequence = getIntent().getCharSequenceExtra(
+ DevicePolicyManager.EXTRA_ADD_EXPLANATION);
+ if (addMsgCharSequence != null) {
+ mAddMsgText = addMsgCharSequence.toString();
+ }
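Review bot: the sanitisation here relies on `toString()` discarding any spans carried by the CharSequence, which is what stops styled (HTML-derived) text from being rendered; that intent deserves a comment so the conversion is not later "optimised" away. When the extra is absent the assignment to mAddMsgText is now skipped entirely, whereas before it was explicitly set to null; confirm that the field's prior or default value is what the UI should show in that case.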
CVE-2021-0602
- In guest mode, editing the detailed Wi-Fi settings is not allowed; a blocking page is shown instead.
CVE-2021-0588
- When sending the Bluetooth MAP client message broadcast, require the receiver to hold the RECEIVE_SMS permission, and if a default SMS app exists, deliver the broadcast only to that app.
- mService.sendBroadcast(intent);
+ // Only send to the current default SMS app if one exists
+ String defaultMessagingPackage = Telephony.Sms.getDefaultSmsPackage(mService);
+ if (defaultMessagingPackage != null) {
+ intent.setPackage(defaultMessagingPackage);
+ }
+ mService.sendBroadcast(intent, android.Manifest.permission.RECEIVE_SMS);
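Review bot: when no default SMS package exists the intent stays implicit and is delivered to every app holding RECEIVE_SMS; that is a reasonable fallback, but it should be stated next to "Only send to the current default SMS app if one exists" so readers know the permission check is the only protection on that path. Consider whether dropping the broadcast entirely in the null case would be acceptable for this client.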
CVE-2021-0590
- Removed the android.net.conn.NETWORK_CONDITIONS_MEASURED broadcast to prevent preinstalled apps from obtaining the SSID and BSSID.
CVE-2021-0596
- Out-of-bounds read in phNciNfc_RecvMfResp
+ if (2 > RspBuffInfo->wLen) {
+ android_errorWriteLog(0x534e4554, "181346550");
+ return NFCSTATUS_FAILED;
+ }
uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2];
+ if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+ RspBuffInfo->wLen) {
+ android_errorWriteLog(0x534e4554, "181346550");
+ return NFCSTATUS_FAILED;
+ }
/* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
wPldDataSize = ((RspBuffInfo->wLen) -
(PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));
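Review bot: the two length checks could be folded into one placed before the `pBuff[RspBuffInfo->wLen - 2]` read: if PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE is at least 2 (the macro values are not visible here), the second check subsumes the first, and a single check with one android_errorWriteLog call is easier to audit. After the checks wPldDataSize can legitimately be 0, so the code that consumes it (not shown) should be verified to handle a zero-length payload.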
CVE-2021-0597
- Added the USE_SIP permission requirement to the SIP broadcast in the VoIP module
- mContext.sendBroadcast(intent);
+ mContext.sendBroadcast(intent, android.Manifest.permission.USE_SIP);
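Review bot: requiring USE_SIP of receivers limits who can observe the broadcast, but the intent is still implicit; if the SIP broadcast has a known receiver, also calling setPackage on it (as the MAP and notification-timeout fixes in this bulletin do) would prevent any third-party app that happens to hold USE_SIP from receiving it.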
CVE-2021-0599
- Set an explicit receiver package on the PendingIntent for the notification-timeout broadcast to prevent the classic PendingIntent attack.
final PendingIntent pi = PendingIntent.getBroadcast(getContext(),
REQUEST_CODE_TIMEOUT,
new Intent(ACTION_NOTIFICATION_TIMEOUT)
+ .setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME)
.setData(new Uri.Builder().scheme(SCHEME_TIMEOUT)
.appendPath(record.getKey()).build())
.addFlags(Intent.FLAG_RECEIVER_FOREGROUND)
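Review bot: setPackage makes the wrapped Intent explicit, which is the core fix, but the flags argument to getBroadcast lies outside this hunk; pairing the explicit package with FLAG_IMMUTABLE (where the platform version allows it) would also stop any holder of the PendingIntent from filling in extras, and is worth checking in the surrounding lines.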
CVE-2021-0604
- Disallow the Bluetooth file-sharing feature from sharing files served by MmsFileProvider
// This will allow more 3rd party applications to share files via
// bluetooth
if ("content".equals(scheme)) {
+ if (fromExternal && BluetoothOppUtility.isForbiddenContent(uri)) {
+ EventLog.writeEvent(0x534e4554, "179910660", -1, uri.toString());
+ Log.e(TAG, "Content from forbidden URI is not allowed.");
+ return SEND_FILE_INFO_ERROR;
+ }
+
contentType = contentResolver.getType(uri);
+ static boolean isForbiddenContent(Uri uri) {
+ if ("com.android.bluetooth.map.MmsFileProvider".equals(uri.getHost())) {
+ return true;
+ }
+ return false;
+ }
+
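Review bot: isForbiddenContent is a single-entry denylist keyed on an exact host string, which is brittle: every other provider that must not be shareable over Bluetooth will need another hard-coded authority, and the check runs only when `fromExternal` is true, so the fact that internal callers may still share from MmsFileProvider should be documented as intentional. An allowlist of permitted authorities, or at least a static set of forbidden ones, would be easier to maintain; the `equals` comparison is also case-sensitive, so confirm that matches how the platform resolves provider authorities.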
2021-07-05 security patch level vulnerability details
Framework
CVE-2020-0368
- SQL injection in the call-log database. Voicemail content in that database is protected by the READ_VOICEMAIL permission, so a caller that holds only READ_CALL_LOG but not READ_VOICEMAIL must not be able to read voicemail information through SQL injection or similar means.
/**
+ * Form of {@link #CONTENT_URI} which limits the query results to a single result.
+ */
+ private static final Uri CONTENT_URI_LIMIT_1 = CONTENT_URI.buildUpon()
+ .appendQueryParameter(LIMIT_PARAM_KEY, "1")
+ .build();
+
+ /**
c = resolver.query(
- CONTENT_URI,
+ CONTENT_URI_LIMIT_1,
new String[] {NUMBER},
TYPE + " = " + OUTGOING_TYPE,
null,
- DEFAULT_SORT_ORDER + " LIMIT 1");
+ DEFAULT_SORT_ORDER);
+ final SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
+ qb.setTables(Tables.CALLS);
+ qb.setProjectionMap(sCallsProjectionMap);
+ qb.setStrict(true);
+ // If the caller doesn't have READ_VOICEMAIL, make sure they can't
+ // do any SQL shenanigans to get access to the voicemails. If the caller does have the
+ // READ_VOICEMAIL permission, then they have sufficient permissions to access any data in
+ // the database, so the strict check is unnecessary.
+ if (!mVoicemailPermissions.callerHasReadAccess(getCallingPackage())) {
+ qb.setStrictGrammar(true);
+ }
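Review bot: enabling strict grammar only for callers without READ_VOICEMAIL leaves the relaxed-grammar path in place for privileged callers; unless there is a known compatibility reason, calling setStrictGrammar(true) unconditionally alongside setStrict(true) would remove a code path and let the long comment be shortened. Also, getCallingPackage() can return null when the caller cannot be identified, so callerHasReadAccess must treat null as "no access" for this `if` to fail safe. The move of `LIMIT 1` from the sort-order string to the CONTENT_URI_LIMIT_1 query parameter in the first part of the change reads like a consequence of strict grammar rejecting LIMIT inside the sort clause; a one-line comment saying so would help future readers.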
System
CVE-2021-0514
CVE-2021-0515
CVE-2021-0603
- Add SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS to the contact-picker screen ContactSelectionActivity to prevent overlay windows from covering it.