In executeRequest of OverlayManagerService.java, there is a possible way to control fabricated overlays from adb shell due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"vanir_signatures": [
{
"id": "ASB-A-202768292-12db0af8",
"target": {
"function": "OverlayManagerService",
"file": "services/core/java/com/android/server/om/OverlayManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/627d5eb68e19a8ea18c3c1405701b3a33f073315",
"signature_type": "Function",
"digest": {
"function_hash": "326322751240508323355186466492298396434",
"length": 1337.0
},
"deprecated": false
},
{
"id": "ASB-A-202768292-638c12c8",
"target": {
"function": "executeRequest",
"file": "services/core/java/com/android/server/om/OverlayManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/627d5eb68e19a8ea18c3c1405701b3a33f073315",
"signature_type": "Function",
"digest": {
"function_hash": "22931789430284818538229315262645915337",
"length": 1784.0
},
"deprecated": false
},
{
"id": "ASB-A-202768292-e7a115a8",
"target": {
"file": "services/core/java/com/android/server/om/OverlayManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/627d5eb68e19a8ea18c3c1405701b3a33f073315",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"264047575499705013826057957145778461627",
"74772262489499897834733044985686582819",
"119807025025831525566320421356378051124",
"91008912170575886755658254909050260530",
"308322145304475201728355297492677055162",
"275155973538704798048365005284701952787",
"32400124045898944545581680566210961286",
"274268388700510425115480133473086407073",
"42702381939894791518723683671897731020",
"181485930362381194113622465111492284765",
"74878875272942187113388173881169542538",
"326663632130122039236458743459309863891",
"254975610931225471233459325600541047397",
"124160822546388015943020434133872821608"
]
},
"deprecated": false
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/627d5eb68e19a8ea18c3c1405701b3a33f073315"
],
"types": [
"EoP"
],
"spl": "2022-01-01",
"severity": "High"
}