In setServiceForegroundInnerLocked of ActiveServices.java, there is a possible way for a background application to regain foreground permissions due to insufficient background restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"spl": "2022-04-01",
"vanir_signatures": [
{
"id": "ASB-A-183147114-10254509",
"target": {
"file": "services/core/java/com/android/server/am/ServiceRecord.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Line",
"digest": {
"line_hashes": [
"292762601671949391188886427069774043044",
"178179483851649164907329492748631345295",
"215770875784487134119564293110198720946",
"295311241368219348253606930595280934397",
"105325388689878462282126945594418638479",
"94074992895794731491708567251212997797",
"50241428778675872448634208715429769923",
"27993896186466159472096083860545022123"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-183147114-159217e6",
"target": {
"function": "bringDownServiceLocked",
"file": "services/core/java/com/android/server/am/ActiveServices.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"digest": {
"function_hash": "94528014051996533600763844613411130701",
"length": 5922.0
},
"deprecated": false
},
{
"id": "ASB-A-183147114-3332857f",
"target": {
"file": "services/core/java/com/android/server/am/ActivityManagerConstants.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Line",
"digest": {
"line_hashes": [
"102145344600065068275315505623878121400",
"300287006603375784254482357113259097752",
"216034118795692326826595457159211126584",
"25922412119424364018712193880378016439",
"79653212448156541655807711230715989932",
"133338719998875336652102767224019822165",
"177031911820733438446217163245207878153",
"69418448387561443775261482850883052491",
"235946820829113858050223257103513918905",
"92027267969356150552632291138762743118",
"325069914107018130042924704387246645571",
"20042012258345223900547389841687143835",
"149959644260655716503272512577902837205",
"153557129293459282494328127833083147669",
"273044645211350846033584871890401335473",
"203846633251218761569533763224626829115",
"266402079140342021631649749852840486986",
"308639363720279597114991477159869703535",
"194444847399843156135933477407384865435",
"335047318329122365347518559137634245592",
"89604008459349576777643997431874178940",
"136532745999589261333501970143767325788"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-183147114-47980118",
"target": {
"function": "onPropertiesChanged",
"file": "services/core/java/com/android/server/am/ActivityManagerConstants.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"digest": {
"function_hash": "203340053231650395050604770606458471999",
"length": 673.0
},
"deprecated": false
},
{
"id": "ASB-A-183147114-5688debc",
"target": {
"function": "setServiceForegroundInnerLocked",
"file": "services/core/java/com/android/server/am/ActiveServices.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"digest": {
"function_hash": "30059143808098329886176421100978993083",
"length": 6718.0
},
"deprecated": false
},
{
"id": "ASB-A-183147114-618fa826",
"target": {
"function": "dump",
"file": "services/core/java/com/android/server/am/ActivityManagerConstants.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"digest": {
"function_hash": "19685807976373868340028459596720380250",
"length": 6293.0
},
"deprecated": false
},
{
"digest": {
"function_hash": "76524835646998283722004811787457937889",
"length": 7597.0
},
"target": {
"function": "bindServiceLocked",
"file": "services/core/java/com/android/server/am/ActiveServices.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"id": "ASB-A-183147114-728ef392",
"deprecated": false
},
{
"id": "ASB-A-183147114-a6aa0334",
"target": {
"function": "shouldAllowWhileInUsePermissionInFgsLocked",
"file": "services/core/java/com/android/server/am/ActiveServices.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"digest": {
"function_hash": "269616201809156354802687755981140154714",
"length": 1260.0
},
"deprecated": false
},
{
"id": "ASB-A-183147114-b42718b7",
"target": {
"file": "services/core/java/com/android/server/am/ActiveServices.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"177790264076275715940936756121314512021",
"180321275701780512095736725273840036618",
"270970066476195326383899126005423905687",
"84632808241161562809322648637624673232",
"196709658655115593157046025833993949670",
"285433126121400619134427967437091770902",
"278313368269326795631656823941315913546",
"236157627719198909048642842360894537190",
"106267704454261286302310032465850147905",
"111228187903134272533245138640090190616",
"297528959451757084138535811649324250969",
"331607138558159067874568969303771321058",
"139982830642479046501473407768592628493",
"182834814874772001733911387456054277833",
"93624585980910401744453244257823720492",
"225214536018305176137823552176852083516",
"174049213195683237448128695667025836533",
"131227377618934006521375393958475141946",
"174400748672944235690161519179529849514",
"233453019535994120835401575430223179140",
"279808062969295668727627686490378285943",
"238392047454416007172113838639507436083",
"180705337549064098754830838608058544536",
"179452351931813127429382405648166135660",
"129983982336044746855609749516887896479",
"96719548634579347816437856498033703288",
"46814022828148021945051988605125270821",
"226630017567086848765534989391212620252",
"299283151396272748964867800606376284294",
"122867858554487561758677893296564505445",
"233750713077872121013490719273718838372",
"50531069565430227596259128544763000008",
"293594147986705545236415462069785371289",
"188529881187301191248050279109468657379",
"176657924315679829536534937064234572873",
"181808488743392591450769472061515832727",
"321276472207164768032242119467225639771",
"275606966257351430290148340919239104792",
"236148572293355585589974529782137027420",
"253489809879593668521229758255789182323",
"200719735054191659841715193314925193577",
"198030567912485242311378403251330563066",
"330580704681644061627282002554953698800",
"228384292420556941992564974055163463171",
"222806676300966728337403252480271596448",
"119258988697698457769296765622298402469",
"183325986263730029783145769233746546977"
]
},
"deprecated": false
},
{
"id": "ASB-A-183147114-d1f34fe1",
"target": {
"function": "dump",
"file": "services/core/java/com/android/server/am/ServiceRecord.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"digest": {
"function_hash": "215058529715378188517459454698147137751",
"length": 6096.0
},
"deprecated": false
},
{
"id": "ASB-A-183147114-d49cfde6",
"target": {
"function": "startServiceLocked",
"file": "services/core/java/com/android/server/am/ActiveServices.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd",
"signature_type": "Function",
"digest": {
"function_hash": "202410244396220899947434456059685061360",
"length": 6434.0
},
"deprecated": false
}
],
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/d5abccff3c61b81aeb67d6fda10d9a27d3e326bd"
],
"severity": "High"
}