Android Security Bulletin Analysis (July 2021)

2021-07-01 security patch level vulnerability details

Framework

CVE-2021-0441

  • Allow the MediaProvider permission dialog to display more than two lines of text.

CVE-2021-0486

  • When an app downgrades its target below API 28, or requests legacy full storage access on API 29 (the fallback scenario), revoke the storage permissions that were already granted.
  • Under Scoped Storage a granted storage permission only covers access to the media directories; if the grant survived the fallback, the app would immediately gain access to all of external storage. After the fix the user has to grant the permission again.
  • Scoped Storage: https://source.android.google.cn/devices/storage/scoped

Media Framework

CVE-2021-0587

CVE-2021-0601

System

CVE-2020-0417

  • GpsNetInitiatedHandler placed an unnecessary PendingIntent in its Notification, and that PendingIntent did not specify a target package, which enables the classic PendingIntent hijacking attack.

CVE-2021-0585

  • In libfmq, check that the read and write pointers are aligned to the element size before reading from or writing to the MessageQueue.
     auto writePtr = mWritePtr->load(std::memory_order_relaxed);
+    if (writePtr % sizeof(T) != 0) {
+        hardware::details::logError(
+                "The write pointer has become misaligned. Writing to the queue is no longer "
+                "possible.");
+        return false;
+    }
     size_t writeOffset = writePtr % mDesc->getSize();
     auto readPtr = mReadPtr->load(std::memory_order_relaxed);
+    if (writePtr % sizeof(T) != 0 || readPtr % sizeof(T) != 0) {
+        hardware::details::logError(
+                "The write or read pointer has become misaligned. Reading from the queue is no "
+                "longer possible.");
+        return false;
+    }
 
     if (writePtr - readPtr > mDesc->getSize()) {
         mReadPtr->store(writePtr, std::memory_order_release);
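Review bot: both new checks rely on the queue size being a multiple of sizeof(T): the offset computed right after the first check as `writePtr % mDesc->getSize()` only stays aligned under that assumption, so an aligned pointer can still produce a misaligned offset if the descriptor size is not an element-size multiple. Suggest validating that invariant once where the descriptor is accepted (or stating it in a comment here) instead of relying on the per-call modulus alone. The write path also checks only writePtr while the read path checks both pointers; a one-line comment on why the write side does not need to verify readPtr would help the next reader.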

CVE-2021-0586

  • Add SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS to the Bluetooth device picker DevicePickerActivity so that floating overlay windows cannot cover it.

CVE-2021-0589

  • Out-of-bounds array write in the Bluetooth btm_acl code; the issue is triggered locally.
bool BTM_TryAllocateSCN(uint8_t scn) {
  /* Make sure we don't exceed max port range.
   * Stack reserves scn 1 for HFP, HSP we still do the correct way.
   */
-  if ((scn >= BTM_MAX_SCN) || (scn == 1)) return false;
+  if ((scn >= BTM_MAX_SCN) || (scn == 1) || (scn == 0)) return false;
  /* check if this port is available */
  if (!btm_cb.btm_scn[scn - 1]) {
    btm_cb.btm_scn[scn - 1] = true;
    return true;
  }
  return (false); /* Port was busy */
}
bool BTM_FreeSCN(uint8_t scn) {
  BTM_TRACE_DEBUG("BTM_FreeSCN ");
-  if (scn <= BTM_MAX_SCN) {
+  if (scn <= BTM_MAX_SCN && scn > 0) {
    btm_cb.btm_scn[scn - 1] = false;
    return (true);
  } else {
    return (false); /* Illegal SCN passed in */
  }
}
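Review bot: the bounds in the two functions are inconsistent: BTM_TryAllocateSCN rejects scn >= BTM_MAX_SCN, while BTM_FreeSCN accepts scn == BTM_MAX_SCN and then indexes btm_scn[BTM_MAX_SCN - 1]. Either the allocator is off by one or the free side still accepts an index the allocator never hands out; suggest a single range helper (for example `scn > 0 && scn < BTM_MAX_SCN`, or `<=` if the array really has BTM_MAX_SCN entries) used by both functions so the zero check added here cannot drift apart again. `(scn == 1) || (scn == 0)` also reads more clearly as `scn <= 1`.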

CVE-2021-0594

  • In the NFC connection-confirmation screen, the Bluetooth device name field taken from the NDEF message was subject to CRLF injection: injected line breaks wrapped the dialog text so the user could not accurately see the Bluetooth device name.
+        String btExtraName = launchIntent.getStringExtra(BluetoothDevice.EXTRA_NAME);
         String confirmString = String.format(res.getString(R.string.confirm_pairing),
-                launchIntent.getStringExtra(BluetoothDevice.EXTRA_NAME));
+                "\"" + btExtraName.replaceAll("\\r|\\n", "") + "\"");
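Review bot: `btExtraName` is dereferenced without a null check; `getStringExtra` returns null when the extra is absent, so the new `replaceAll` call throws a NullPointerException where the old code rendered the literal text null. Suggest a null guard that falls back to an empty string. The regex also strips only CR and LF; other control and separator characters (tab, vertical tab, form feed, Unicode line separators) may still disturb the dialog layout, so a broader filter such as `\\p{Cntrl}` or a whitelist of printable characters would be more robust.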

CVE-2021-0600

  • HTML injection in the device-admin request screen caused the UI to render incorrectly.
-        mAddMsgText = getIntent().getCharSequenceExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION);
+        final CharSequence addMsgCharSequence = getIntent().getCharSequenceExtra(
+                DevicePolicyManager.EXTRA_ADD_EXPLANATION);
+        if (addMsgCharSequence != null) {
+            mAddMsgText = addMsgCharSequence.toString();
+        }
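Review bot: the `toString()` conversion is the actual fix (it discards any Spanned or HTML styling carried by the caller-supplied CharSequence so the explanation renders as plain text), but nothing in the hunk says so; add a comment stating that intent so a later refactor does not reintroduce the raw CharSequence. Note also the behavioural change in the null case: previously `mAddMsgText` was set to null when the extra was missing, now it keeps whatever value it already held, so confirm the field is reset before this code runs.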

CVE-2021-0602

  • In guest mode, editing the Wi-Fi detail settings is no longer allowed; a blocking page is shown instead.

CVE-2021-0588

  • When sending Bluetooth MAP client message broadcasts, require receivers to hold the RECEIVE_SMS permission, and if a default SMS app exists, deliver only to that app.
-   mService.sendBroadcast(intent);
+   // Only send to the current default SMS app if one exists
+   String defaultMessagingPackage = Telephony.Sms.getDefaultSmsPackage(mService);
+   if (defaultMessagingPackage != null) {
+       intent.setPackage(defaultMessagingPackage);
+   }
+   mService.sendBroadcast(intent, android.Manifest.permission.RECEIVE_SMS);
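Review bot: the fallback when no default SMS app exists deserves a comment: with `defaultMessagingPackage == null` the intent stays implicit and is delivered to every receiver holding RECEIVE_SMS, which is the intended degradation but is not obvious from the code. Consider logging that branch as well, since on a device without a default SMS app the MAP messages now reach a broader set of apps than in the default case.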

CVE-2021-0590

  • Removed the android.net.conn.NETWORK_CONDITIONS_MEASURED broadcast to prevent preinstalled apps from obtaining the SSID and BSSID.

CVE-2021-0596

  • Out-of-bounds read in phNciNfc_RecvMfResp
+            if (2 > RspBuffInfo->wLen) {
+              android_errorWriteLog(0x534e4554, "181346550");
+              return NFCSTATUS_FAILED;
+            }
             uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2];
+            if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+                RspBuffInfo->wLen) {
+              android_errorWriteLog(0x534e4554, "181346550");
+              return NFCSTATUS_FAILED;
+            }
             /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
             wPldDataSize = ((RspBuffInfo->wLen) -
                             (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));
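Review bot: the two length checks overlap: if `PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE` is at least 2, the second condition already implies the first, so a single check against the larger bound placed before the first `pBuff` access would cover both reads and avoid the duplicated error logging. If the two constants can sum to less than 2, a comment saying so would justify keeping both checks.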

CVE-2021-0597

  • Require the USE_SIP permission for the SIP broadcast in the VoIP module
-        mContext.sendBroadcast(intent);
+        mContext.sendBroadcast(intent, android.Manifest.permission.USE_SIP);

CVE-2021-0599

  • Give the PendingIntent for the notification-timeout broadcast an explicit receiver package to prevent the classic PendingIntent attack.
  final PendingIntent pi = PendingIntent.getBroadcast(getContext(),
          REQUEST_CODE_TIMEOUT,
          new Intent(ACTION_NOTIFICATION_TIMEOUT)
+                 .setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME)
                  .setData(new Uri.Builder().scheme(SCHEME_TIMEOUT)
                          .appendPath(record.getKey()).build())
                  .addFlags(Intent.FLAG_RECEIVER_FOREGROUND)
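Review bot: making the timeout Intent explicit to the platform package is the fix, but the hunk carries no comment explaining why; add one noting that this broadcast must only be deliverable to the system's own receiver, so a future edit does not drop `setPackage` as redundant. It is also worth checking, in the same call, which flags are passed to `PendingIntent.getBroadcast` (not shown in the hunk): an explicit package stops the recipient from redirecting the Intent, but a mutable PendingIntent still lets the holder fill in fields such as extras.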

CVE-2021-0604

  • Do not allow the Bluetooth file-sharing feature to share files from MmsFileProvider
         // This will allow more 3rd party applications to share files via
         // bluetooth
         if ("content".equals(scheme)) {
+            if (fromExternal && BluetoothOppUtility.isForbiddenContent(uri)) {
+                EventLog.writeEvent(0x534e4554, "179910660", -1, uri.toString());
+                Log.e(TAG, "Content from forbidden URI is not allowed.");
+                return SEND_FILE_INFO_ERROR;
+            }
+
             contentType = contentResolver.getType(uri);
+    static boolean isForbiddenContent(Uri uri) {
+        if ("com.android.bluetooth.map.MmsFileProvider".equals(uri.getHost())) {
+            return true;
+        }
+        return false;
+    }
+
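Review bot: `isForbiddenContent` is a denylist with a single hard-coded authority, so every other provider that must not be shared over Bluetooth will need another code change here. Suggest either keeping the forbidden authorities in a named constant set, or replacing the denylist with a positive check that the external caller actually holds a read grant for the URI, which also covers providers the denylist does not name. A comment that `fromExternal` limits the check to untrusted callers would help, and consider whether writing the full `uri.toString()` to the EventLog is appropriate if the URI can carry sensitive path components.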

2021-07-05 security patch level vulnerability details

Framework

CVE-2020-0368

  • SQL injection in the call-log database. Voicemail content in that database is protected by the READ_VOICEMAIL permission, so an attacker who holds only READ_CALL_LOG but not READ_VOICEMAIL must not be able to read voicemail data through SQL injection or similar tricks.
         /**
+         * Form of {@link #CONTENT_URI} which limits the query results to a single result.
+         */
+        private static final Uri CONTENT_URI_LIMIT_1 = CONTENT_URI.buildUpon()
+                .appendQueryParameter(LIMIT_PARAM_KEY, "1")
+                .build();
+
+        /**
                 c = resolver.query(
-                    CONTENT_URI,
+                    CONTENT_URI_LIMIT_1,
                     new String[] {NUMBER},
                     TYPE + " = " + OUTGOING_TYPE,
                     null,
-                    DEFAULT_SORT_ORDER + " LIMIT 1");
+                    DEFAULT_SORT_ORDER);
+        final SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
+        qb.setTables(Tables.CALLS);
+        qb.setProjectionMap(sCallsProjectionMap);
+        qb.setStrict(true);
+        // If the caller doesn't have READ_VOICEMAIL, make sure they can't
+        // do any SQL shenanigans to get access to the voicemails. If the caller does have the
+        // READ_VOICEMAIL permission, then they have sufficient permissions to access any data in
+        // the database, so the strict check is unnecessary.
+        if (!mVoicemailPermissions.callerHasReadAccess(getCallingPackage())) {
+            qb.setStrictGrammar(true);
+        }
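Review bot: the two halves of this change depend on each other and that coupling should be stated in the code: `setStrictGrammar(true)` rejects clauses such as `LIMIT` smuggled into the sort order, which is exactly why the internal caller moves its `LIMIT 1` from `DEFAULT_SORT_ORDER + " LIMIT 1"` into the `CONTENT_URI_LIMIT_1` query parameter. A comment next to `CONTENT_URI_LIMIT_1` naming the provider-side strict mode would keep the two from drifting apart, and any other platform callers that still pass LIMIT via sortOrder will start failing for callers without READ_VOICEMAIL, so they should be audited in the same change.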

System

CVE-2021-0514

CVE-2021-0515

  • Upgrade V8 to version 8.8.278.14

CVE-2021-0603

  • Add SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS to the contact picker ContactSelectionActivity so that floating overlay windows cannot cover it.