2021-05-01 security patch level vulnerability details
Framework
CVE-2021-0472
- In LockTaskController's shouldLockKeyguard method, LockPatternUtils.isSecure is called; the userId parameter that method takes must be an actual userId and cannot be UserHandle.USER_CURRENT, which is defined as follows:
// frameworks/base/core/java/android/os/UserHandle.java
/** @hide A user id to indicate the currently active user **/
@UnsupportedAppUsage
public static final @UserIdInt int USER_CURRENT = -2;
//...
- From the UserHandle source it is clear that USER_CURRENT is actually -2, a value that is only meaningful when constructing a UserHandle; passing -2 directly as a userId is obviously wrong. This vulnerability was found by Edward Cunningham of Google.
CVE-2021-0485
<!--
The overridable minimal size of a PiP task, in both dimensions.
Different from default_minimal_size_pip_resizable_task, this is to limit the dimension
when the pinned stack size is overridden by app via minWidth/minHeight.
-->
<dimen name="overridable_minimal_size_pip_resizable_task">48dp</dimen>
- This vulnerability was found by Dimitrios Valsamaras of Cognizant.
CVE-2021-0487
- Configure the HIDE_NON_SYSTEM_OVERLAY_WINDOWS permission for the CalendarDebugActivity screen (what is this screen even for?) to prevent floating windows from overlaying it. This vulnerability was found by hard_______.
CVE-2021-0482
CVE-2021-0484
System
CVE-2021-0473
- NFC has a memory leak, an out-of-bounds write and a double free when handling T3T tags. This vulnerability was found by Ned Williamson of Google Project Zero.
CVE-2021-0474
- Bluetooth overflows when handling overly long AVCT commands.
if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
- AVRC_PACKET_LEN < sizeof(p_pkt->len))) {
- /* Ignore the invalid AV/C command frame */
- p_drop_msg = "dropped - too long AV/C cmd frame size";
+ p_pkt->len > AVRC_PACKET_LEN)) {
+ android_errorWriteLog(0x534e4554, "177611958");
+ AVRC_TRACE_WARNING("%s: Command length %d too long: must be at most %d",
+ __func__, p_pkt->len, AVRC_PACKET_LEN);
osi_free(p_pkt);
return;
}
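Review bot: the removed condition `AVRC_PACKET_LEN < sizeof(p_pkt->len)` compared the limit against the size of the length field, a compile-time constant, so the drop branch could never execute and oversized AV/C command frames reached the parser; the replacement `p_pkt->len > AVRC_PACKET_LEN` tests the frame length the peer actually reported, which is what the bound is meant to protect. The unchanged `osi_free(p_pkt); return;` context shows the rejected frame is still released, so no leak is introduced; a one-line comment noting that `p_pkt->len` is peer-controlled would tell the next reader why this check has to precede any parsing.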
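As an added example (not the Bluetooth stack's own code), a small C model of the length check before and after the patch, using constructed stand-ins for BT_HDR, AVRC_PACKET_LEN and the AVCT constants: the old condition compares the limit against sizeof(p_pkt->len), which is a compile-time constant, so it never drops anything, while the patched condition bounds the length the peer actually reported.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the stack's definitions (assumptions, not the
 * real avct/avrc headers; the real packet limit may differ). */
#define AVRC_PACKET_LEN 512
#define AVCT_CMD        0
#define AVCT_DATA_CTRL  0x0001

typedef struct {
    uint16_t len;            /* frame length as reported by the remote peer */
    uint16_t layer_specific; /* AVCT_DATA_CTRL marks a control-channel frame */
    uint8_t  data[1024];     /* backing store, deliberately larger than the limit */
} BT_HDR;

/* Pre-patch condition: the right-hand side is sizeof(uint16_t) == 2, a
 * compile-time constant, so "512 < 2" is always false and nothing is dropped. */
bool old_check_rejects(const BT_HDR *p_pkt, uint8_t cr) {
    return cr == AVCT_CMD && ((p_pkt->layer_specific & AVCT_DATA_CTRL) &&
                              AVRC_PACKET_LEN < sizeof(p_pkt->len));
}

/* Patched condition: bound the length the peer actually sent. */
bool new_check_rejects(const BT_HDR *p_pkt, uint8_t cr) {
    return cr == AVCT_CMD && ((p_pkt->layer_specific & AVCT_DATA_CTRL) &&
                              p_pkt->len > AVRC_PACKET_LEN);
}

/* Models the downstream parser, which copies the command into a buffer sized
 * for AVRC_PACKET_LEN. Returns the bytes accepted, -1 if the length check
 * dropped the frame, or -2 if the frame got past the check and would have
 * overrun the buffer (the copy is skipped so the model itself stays safe). */
int process_avc_command(uint16_t reported_len, bool patched) {
    BT_HDR pkt;
    memset(&pkt, 0, sizeof pkt);
    pkt.len = reported_len;
    pkt.layer_specific = AVCT_DATA_CTRL;

    bool dropped = patched ? new_check_rejects(&pkt, AVCT_CMD)
                           : old_check_rejects(&pkt, AVCT_CMD);
    if (dropped) return -1;

    uint8_t avrc_buf[AVRC_PACKET_LEN];
    if (pkt.len > sizeof avrc_buf) return -2;
    memcpy(avrc_buf, pkt.data, pkt.len);
    return (int)pkt.len;
}
```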
CVE-2021-0475
- Bluetooth returns after the L2CAP connection socket is closed; this looks like a UAF issue. This vulnerability was found by Wenwen Wang and Fei of L.O. Team.
<< ": unable to push data to socket - closing fixed channel";
BTA_JvL2capCloseLE(sock->handle);
btsock_l2cap_free_l(sock);
+ return;
}
<< ": unable to push data to socket - closing channel";
BTA_JvL2capClose(sock->handle);
btsock_l2cap_free_l(sock);
+ return;
}
}
}
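Review bot: both branches call `btsock_l2cap_free_l(sock)` and, before this change, fell through into code that kept running with `sock` already freed; the added `return;` after each free closes that use-after-free window. Since the two branches are identical apart from the LE versus classic close call, consider factoring the close, free and return sequence into one helper so that a future error path cannot again omit the early return.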
CVE-2021-0476
- The std::map in btif_av.cc is accessed without locking. This issue was found by GWP-ASan.
CVE-2021-0477
- In SystemUI's ScreenshotNotificationsController, add the FLAG_IMMUTABLE flag to the PendingIntent used for screenshot errors.
CVE-2021-0481
- When setting a user's profile photo in multi-user settings, avoid using an invalid URI as the image source.
# packages/apps/Settings/src/com/android/settings/users/EditUserPhotoController.java
}
final Uri pictureUri = data != null && data.getData() != null
? data.getData() : mTakePictureUri;
+
+ // Check if the result is a content uri
+ if (!ContentResolver.SCHEME_CONTENT.equals(pictureUri.getScheme())) {
+ Log.e(TAG, "Invalid pictureUri scheme: " + pictureUri.getScheme());
+ EventLog.writeEvent(0x534e4554, "172939189", -1, pictureUri.getPath());
+ return false;
+ }
+
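Review bot: the new scheme check rejects anything that is not a `content://` URI, but `pictureUri` falls back to `mTakePictureUri` when the result carries no data, and the lines shown do not establish that `mTakePictureUri` is non-null at this point; if it can be null, `pictureUri.getScheme()` throws before the check runs, so a null guard ahead of it that also returns false would make the rejection path uniform. The `EventLog.writeEvent(0x534e4554, ...)` call records the rejected path, which is useful for spotting attempts to feed a non-content URI into the photo flow.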
CVE-2021-0466
- Use EUI64 IPv6 link-local address generation only when a randomized WLAN MAC address is in use (I don't quite understand this). This vulnerability was found by Bram Bonné of Google.
CVE-2021-0480
- Add the target package name to the PendingIntent in SnoozeHelper so that it becomes an explicit Intent. This vulnerability was found by Yu-Cheng Lin (林禹成) (@AndroBugs).
# frameworks/base/services/core/java/com/android/server/notification/SnoozeHelper.java
return PendingIntent.getBroadcast(mContext,
REQUEST_CODE_REPOST,
new Intent(REPOST_ACTION)
+ .setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME)
.setData(new Uri.Builder().scheme(REPOST_SCHEME).appendPath(key).build())
.addFlags(Intent.FLAG_RECEIVER_FOREGROUND)
.putExtra(EXTRA_KEY, key)
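Review bot: `.setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME)` turns the repost broadcast into an explicit Intent, so a third-party receiver registered for `REPOST_ACTION` no longer receives it or the snooze key it carries in `EXTRA_KEY`. The flags argument of `PendingIntent.getBroadcast` lies outside the lines shown; worth confirming that it includes `FLAG_IMMUTABLE`, since an explicit but mutable PendingIntent could still have its extras altered by whoever obtains it.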
2021-05-05 security patch level vulnerability details