Android Security Bulletin Analysis (May 2021)

2021-05-01 security patch level vulnerability details

Framework

CVE-2021-0472

  • In LockTaskController's shouldLockKeyguard method, LockPatternUtils.isSecure is called. The userId parameter that method takes must be a real user id; it cannot be UserHandle.USER_CURRENT, which is defined as follows:
// frameworks/base/core/java/android/os/UserHandle.java
/** @hide A user id to indicate the currently active user **/
@UnsupportedAppUsage
public static final @UserIdInt int USER_CURRENT = -2;
//...
  • As the UserHandle source shows, USER_CURRENT is actually -2. That value is only meaningful when constructing a UserHandle; passing -2 directly as a userId is clearly wrong. This vulnerability was found by Edward Cunningham of Google.
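
As an added illustration (this is neither the page's code nor the AOSP fix for this CVE), here is how system code can refuse placeholder user ids before they reach LockPatternUtils.isSecure(). ActivityManager.getCurrentUser() is a hidden framework API, so the helper only compiles against the framework source; the class name KeyguardUserIdCheck is made up.

```java
import android.app.ActivityManager;
import android.os.UserHandle;
import com.android.internal.widget.LockPatternUtils;

// Added example, not AOSP code. Hypothetical helper that sits between a
// caller and LockPatternUtils so that only concrete user ids reach isSecure().
final class KeyguardUserIdCheck {
    private final LockPatternUtils mLockPatternUtils;

    KeyguardUserIdCheck(LockPatternUtils lockPatternUtils) {
        mLockPatternUtils = lockPatternUtils;
    }

    /**
     * Turns USER_CURRENT (-2) into the id of the foreground user and rejects
     * every other negative placeholder (USER_ALL = -1, USER_CURRENT_OR_SELF = -3,
     * USER_NULL = -10000). Lock settings are stored per concrete user, so a
     * lookup keyed on -2 does not match any real user's stored credential.
     */
    static int resolveUserId(int userId) {
        if (userId == UserHandle.USER_CURRENT) {
            // Hidden API: resolves to the user currently in the foreground.
            return ActivityManager.getCurrentUser();
        }
        if (userId < 0) {
            throw new IllegalArgumentException("Not a concrete user id: " + userId);
        }
        return userId;
    }

    /** Same contract as LockPatternUtils.isSecure(int), but safe for USER_CURRENT. */
    boolean isSecure(int userId) {
        return mLockPatternUtils.isSecure(resolveUserId(userId));
    }
}
```

Throwing on the other placeholders, rather than silently mapping them, makes a wrong caller fail loudly in testing instead of quietly reporting "not secure".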

CVE-2021-0485

<!--
  The overridable minimal size of a PiP task, in both dimensions.
  Different from default_minimal_size_pip_resizable_task, this is to limit the dimension
  when the pinned stack size is overridden by app via minWidth/minHeight.
-->
<dimen name="overridable_minimal_size_pip_resizable_task">48dp</dimen>
  • This vulnerability was found by Dimitrios Valsamaras of Cognizant.

CVE-2021-0487

  • Give the CalendarDebugActivity screen (what is this screen even for, anyway?) the HIDE_NON_SYSTEM_OVERLAY_WINDOWS permission so that overlay windows cannot cover it. This vulnerability was found by hard_______.
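
Added example (not the page's code and not the actual Calendar patch): what an activity does to opt out of being covered by other apps' overlay windows. SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS and Window.addSystemFlags() are hidden APIs guarded by the HIDE_NON_SYSTEM_OVERLAY_WINDOWS permission, so that branch only compiles for a privileged app built against the framework source; setHideOverlayWindows() is the public equivalent from API 31 (permission HIDE_OVERLAY_WINDOWS), and setFilterTouchesWhenObscured() is the older per-view fallback. The activity name and layout ids are made up.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;

// Added example; SensitiveDebugActivity and R.layout.sensitive_debug are hypothetical.
public class SensitiveDebugActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Public API since Android 12; requires android.permission.HIDE_OVERLAY_WINDOWS.
            getWindow().setHideOverlayWindows(true);
        } else {
            // Hidden API; requires android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS,
            // which only a privileged/system app can hold.
            getWindow().addSystemFlags(
                    WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
        }
        setContentView(R.layout.sensitive_debug);

        // Defence in depth for the content itself: drop touches that arrive while
        // another window is drawn over this one, even if an overlay slips through.
        findViewById(R.id.root).setFilterTouchesWhenObscured(true);
    }
}
```

Hiding overlays is a window-level property, so it has to be set before the window is first shown; setting it later in the lifecycle leaves a gap during which an overlay can already be on screen.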

Media Framework

CVE-2021-0482

CVE-2021-0484

System

CVE-2021-0473

  • NFC has a memory leak, an out-of-bounds write and a double free when handling T3T tags. This vulnerability was found by Ned Williamson of Google Project Zero.

CVE-2021-0474

  • Bluetooth overflows when handling an over-long AVCT command:
   if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
-                         AVRC_PACKET_LEN < sizeof(p_pkt->len))) {
-    /* Ignore the invalid AV/C command frame */
-    p_drop_msg = "dropped - too long AV/C cmd frame size";
+                         p_pkt->len > AVRC_PACKET_LEN)) {
+    android_errorWriteLog(0x534e4554, "177611958");
+    AVRC_TRACE_WARNING("%s: Command length %d too long: must be at most %d",
+                       __func__, p_pkt->len, AVRC_PACKET_LEN);
     osi_free(p_pkt);
     return;
   }
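Review bot: the removed condition `AVRC_PACKET_LEN < sizeof(p_pkt->len)` compared a constant with the size of the length field's type rather than with the length itself, so it could never be true and over-long command frames were never dropped; the replacement `p_pkt->len > AVRC_PACKET_LEN` is the check that was intended. Since the frame is freed and the function returns from inside this branch, a comment after the `if` stating that `p_pkt->len <= AVRC_PACKET_LEN` holds from that point on would make it visible that later fixed-size copies are covered, and the commit message should say that the old condition was dead code.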

CVE-2021-0475

  • Bluetooth now returns after closing the L2CAP connection socket; this looks like a UAF issue. This vulnerability was found by Wenwen Wang and Fei of L.O. Team.
         << ": unable to push data to socket - closing  fixed channel";
       BTA_JvL2capCloseLE(sock->handle);
       btsock_l2cap_free_l(sock);
+      return;
     }
                    << ": unable to push data to socket - closing channel";
           BTA_JvL2capClose(sock->handle);
           btsock_l2cap_free_l(sock);
+          return;
         }
       }
     }
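Review bot: both added `return` statements close the window in which `sock` was still used after `btsock_l2cap_free_l(sock)` had freed it, which is the right fix; the hunk does not show what follows the loop, so check that the new return paths do not skip an unlock or any bookkeeping the function performs after it (the `_l` suffix suggests the caller holds the lock, in which case nothing is skipped). A one-line comment at each site, such as `// sock was freed above; nothing may touch it past this point`, would stop the same bug from being reintroduced.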

CVE-2021-0476

  • The std::map in btif_av.cc is accessed without locking. This issue was found by GWP-ASan.

CVE-2021-0477

  • In SystemUI's ScreenshotNotificationsController, add the FLAG_IMMUTABLE flag to the PendingIntent used for screenshot errors.

CVE-2021-0481

  • When setting a user's profile photo in the multi-user settings, do not accept an invalid URI as the image source.
# packages/apps/Settings/src/com/android/settings/users/EditUserPhotoController.java
         }
         final Uri pictureUri = data != null && data.getData() != null
                 ? data.getData() : mTakePictureUri;
+
+        // Check if the result is a content uri
+        if (!ContentResolver.SCHEME_CONTENT.equals(pictureUri.getScheme())) {
+            Log.e(TAG, "Invalid pictureUri scheme: " + pictureUri.getScheme());
+            EventLog.writeEvent(0x534e4554, "172939189", -1, pictureUri.getPath());
+            return false;
+        }
+
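Review bot: `pictureUri.getScheme()` is dereferenced before any null check, and `pictureUri` is null whenever `data` or `data.getData()` is null and `mTakePictureUri` was never set, so the new guard can throw a NullPointerException on exactly the unusual result it is meant to reject; add `pictureUri == null ||` to the condition, or return false on null first. The scheme test itself is the right minimum, since a `file:` URI handed back by the picker app would be read by Settings with Settings' own privileges; logging `pictureUri.getPath()` to the SNET event log (0x534e4554) is fine for triage.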

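Added example (not the page's code and not the Settings patch itself): a stand-alone version of the check the patch above introduces, with two additions of my own, a null check before the scheme is read, and a refusal of content URIs whose provider lives in our own package. The class name PictureUriPolicy is hypothetical.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.content.pm.ProviderInfo;
import android.net.Uri;
import android.util.Log;

// Added example (not AOSP code). Validates a picture URI returned by another
// app before the image is opened and copied into the user photo.
final class PictureUriPolicy {
    private static final String TAG = "PictureUriPolicy";

    /**
     * Accepts only content:// URIs served by another package. A file:// URI (or
     * a scheme-less path) would make us read our own private files on the other
     * app's behalf; a content:// URI backed by one of our own providers would do
     * the same via a different route, so it is rejected too (this second test
     * goes beyond the scheme check in the patch).
     */
    static boolean isAcceptable(Context context, Uri uri) {
        if (uri == null) {
            Log.e(TAG, "No picture URI");
            return false;
        }
        if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
            Log.e(TAG, "Rejected scheme: " + uri.getScheme());
            return false;
        }
        String authority = uri.getAuthority();
        ProviderInfo provider = authority == null ? null
                : context.getPackageManager().resolveContentProvider(authority, 0);
        if (provider == null) {
            Log.e(TAG, "No provider for authority: " + authority);
            return false;
        }
        if (context.getPackageName().equals(provider.packageName)) {
            Log.e(TAG, "Refusing URI served by our own provider: " + authority);
            return false;
        }
        return true;
    }
}
```

Running the check before any ContentResolver.openInputStream() call matters: the leak happens at the moment the file is opened with the victim's identity, not when it is displayed.
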
CVE-2021-0466

  • Use EUI64 IPv6 link-local address generation only when a randomized WLAN MAC address is in use (I don't quite understand this one). This vulnerability was found by Bram Bonné of Google.

CVE-2021-0480

  • Add the target package name to the PendingIntent in SnoozeHelper so that it becomes an explicit Intent. This vulnerability was found by Yu-Cheng Lin (林禹成) (@AndroBugs).
# frameworks/base/services/core/java/com/android/server/notification/SnoozeHelper.java
         return PendingIntent.getBroadcast(mContext,
                 REQUEST_CODE_REPOST,
                 new Intent(REPOST_ACTION)
+                        .setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME)
                         .setData(new Uri.Builder().scheme(REPOST_SCHEME).appendPath(key).build())
                         .addFlags(Intent.FLAG_RECEIVER_FOREGROUND)
                         .putExtra(EXTRA_KEY, key)
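Review bot: `.setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME)` correctly turns the repost broadcast into an explicit one, so no third-party receiver registered for `REPOST_ACTION` can be handed the snooze key. The flags argument of `PendingIntent.getBroadcast` is outside the hunk; confirm it includes `PendingIntent.FLAG_IMMUTABLE`, otherwise a holder of this PendingIntent could still fill in unset fields such as extras, and add a brief comment saying why the package is pinned so the call is not "simplified" back later.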

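Added example serving both the ScreenshotNotificationsController fix (CVE-2021-0477, FLAG_IMMUTABLE) and the SnoozeHelper fix (CVE-2021-0480, setPackage). It is not AOSP code: it shows a repost-style broadcast PendingIntent built the weak way beside the hardened way, in a normal app where the target package is the app's own. The action, scheme, extra name and request code are made up.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;

// Added example (not AOSP code). Constants below are constructed for the demo.
final class RepostIntents {
    static final String REPOST_ACTION = "com.example.REPOST";
    static final String REPOST_SCHEME = "repost";
    static final String EXTRA_KEY = "key";
    static final int REQUEST_CODE_REPOST = 1;

    /**
     * Weak: the Intent is implicit, so any app that registers a receiver for
     * REPOST_ACTION can be delivered the key, and the PendingIntent is mutable,
     * so whoever obtains it can fill in unset fields such as extras.
     * On Android 12+ this call throws, because no mutability flag is given.
     */
    static PendingIntent weak(Context context, String key) {
        Intent intent = new Intent(REPOST_ACTION)
                .setData(new Uri.Builder().scheme(REPOST_SCHEME).appendPath(key).build())
                .putExtra(EXTRA_KEY, key);
        return PendingIntent.getBroadcast(context, REQUEST_CODE_REPOST, intent,
                PendingIntent.FLAG_UPDATE_CURRENT);
    }

    /**
     * Hardened: setPackage() pins delivery to our own receivers (the system's
     * SnoozeHelper uses the platform package "android" here), and FLAG_IMMUTABLE
     * stops the holder from altering action, data, extras or target.
     */
    static PendingIntent hardened(Context context, String key) {
        Intent intent = new Intent(REPOST_ACTION)
                .setPackage(context.getPackageName())
                .setData(new Uri.Builder().scheme(REPOST_SCHEME).appendPath(key).build())
                .addFlags(Intent.FLAG_RECEIVER_FOREGROUND)
                .putExtra(EXTRA_KEY, key);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;  // available since API 23, required on 31+
        }
        return PendingIntent.getBroadcast(context, REQUEST_CODE_REPOST, intent, flags);
    }
}
```

The two fixes address different parties: setPackage() constrains who receives the broadcast, FLAG_IMMUTABLE constrains what a holder of the token can change before sending it, so a hardened PendingIntent normally needs both.
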
2021-05-05 security patch level vulnerability details