In updatePictureInPictureMode of ActivityRecord.java, there is a possible bypass of background launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "function_hash": "84463906349357637457593819849224613900", "length": 429.0 }, "id": "ASB-A-265293293-0cfbc7f2", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java", "function": "updatePictureInPictureMode" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "38811885578589579865256225484930353749", "182937806377545620401941566465606663173", "50687391986007160311991249772947348109", "19085090832050058609389267391752865303" ] }, "id": "ASB-A-265293293-3b846db4", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21" ], "spl": "2023-07-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "function_hash": "84463906349357637457593819849224613900", "length": 429.0 }, "id": "ASB-A-265293293-047a6d7d", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java", "function": "updatePictureInPictureMode" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "38811885578589579865256225484930353749", "182937806377545620401941566465606663173", "50687391986007160311991249772947348109", "19085090832050058609389267391752865303" ] }, "id": "ASB-A-265293293-3fb8d3fe", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21" ], "spl": "2023-07-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "38811885578589579865256225484930353749", "182937806377545620401941566465606663173", "50687391986007160311991249772947348109", "19085090832050058609389267391752865303" ] }, "id": "ASB-A-265293293-36bf829f", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java" } }, { "digest": { "function_hash": "84463906349357637457593819849224613900", "length": 429.0 }, "id": "ASB-A-265293293-d6c25797", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java", "function": "updatePictureInPictureMode" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21" ], "spl": "2023-07-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "38811885578589579865256225484930353749", "182937806377545620401941566465606663173", "50687391986007160311991249772947348109", "19085090832050058609389267391752865303" ] }, "id": "ASB-A-265293293-4318acab", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java" } }, { "digest": { "function_hash": "84463906349357637457593819849224613900", "length": 429.0 }, "id": "ASB-A-265293293-5ab22b4c", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java", "function": "updatePictureInPictureMode" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21" ], "spl": "2023-07-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "38811885578589579865256225484930353749", "182937806377545620401941566465606663173", "50687391986007160311991249772947348109", "19085090832050058609389267391752865303" ] }, "id": "ASB-A-265293293-2ee0aa9f", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java" } }, { "digest": { "function_hash": "84463906349357637457593819849224613900", "length": 429.0 }, "id": "ASB-A-265293293-b815f286", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "services/core/java/com/android/server/wm/ActivityRecord.java", "function": "updatePictureInPictureMode" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21" ], "spl": "2023-07-01" }