In setSkipPrompt of AssociationRequest.java, there is a possible way to establish a companion device association without any confirmation due to CDM (CompanionDeviceManager). This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/56ac420b653da3f716f37a77780d7a74bc5fc439", "https://android.googlesource.com/platform/frameworks/base/+/71418ecfa539b99d9bb0053d1de5060040bdf02f" ], "severity": "Critical", "types": [ "EoP" ], "spl": "2024-07-01", "vanir_signatures": [ { "target": { "file": "core/java/android/companion/AssociationRequest.java" }, "id": "ASB-A-329230490-5add1a57", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "283533769886380923448576656925363146498", "306640430079475523562921556048505603680", "220247844284439815336487099373551580211", "296340939658799727884616528029234346770" ] }, "source": "https://android.googlesource.com/platform/frameworks/base/+/56ac420b653da3f716f37a77780d7a74bc5fc439", "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "id": "ASB-A-329230490-6b902821", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "67950038913822548496977403571025662121", "222725767583171763006265824348111716351", "286500330299365691393581685729299877668", "166044803054551522655759985343015696389", "151376619027520813586001682013091186310", "194068989226376155571126814800988254819", "257382018809139542673220738604381729552" ] }, "source": "https://android.googlesource.com/platform/frameworks/base/+/71418ecfa539b99d9bb0053d1de5060040bdf02f", "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "core/java/android/companion/AssociationRequest.java", "function": "setSkipPrompt" }, "id": "ASB-A-329230490-a4ce043d", "deprecated": false, "digest": { "function_hash": "168892350902793353495994525992132626819", "length": 55.0 }, "source": "https://android.googlesource.com/platform/frameworks/base/+/56ac420b653da3f716f37a77780d7a74bc5fc439", "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": 
"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "associate" }, "id": "ASB-A-329230490-a592a235", "deprecated": false, "digest": { "function_hash": "37463952415737052809221431915743857188", "length": 1588.0 }, "source": "https://android.googlesource.com/platform/frameworks/base/+/71418ecfa539b99d9bb0053d1de5060040bdf02f", "signature_type": "Function", "signature_version": "v1" } ] }
{ "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/be2e3b05858ba7a6349f5487d2658d00853b11cd", "https://android.googlesource.com/platform/frameworks/base/+/f28e88e53d57779fff5900d1811ffa07ab174640" ], "severity": "Critical", "types": [ "EoP" ], "spl": "2024-07-01", "vanir_signatures": [ { "target": { "file": "core/java/android/companion/AssociationRequest.java" }, "id": "ASB-A-329230490-2e9d0f69", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "283533769886380923448576656925363146498", "306640430079475523562921556048505603680", "220247844284439815336487099373551580211", "296340939658799727884616528029234346770" ] }, "source": "https://android.googlesource.com/platform/frameworks/base/+/be2e3b05858ba7a6349f5487d2658d00853b11cd", "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "id": "ASB-A-329230490-3f23a8b1", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "67950038913822548496977403571025662121", "222725767583171763006265824348111716351", "286500330299365691393581685729299877668", "166044803054551522655759985343015696389", "151376619027520813586001682013091186310", "194068989226376155571126814800988254819", "257382018809139542673220738604381729552" ] }, "source": "https://android.googlesource.com/platform/frameworks/base/+/f28e88e53d57779fff5900d1811ffa07ab174640", "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "associate" }, "id": "ASB-A-329230490-8ac5bf9f", "deprecated": false, "digest": { "function_hash": "65861310754994395892854568185787642004", "length": 1683.0 }, "source": "https://android.googlesource.com/platform/frameworks/base/+/f28e88e53d57779fff5900d1811ffa07ab174640", "signature_type": "Function", "signature_version": "v1" }, { "target": { 
"file": "core/java/android/companion/AssociationRequest.java", "function": "setSkipPrompt" }, "id": "ASB-A-329230490-f8035f09", "deprecated": false, "digest": { "function_hash": "168892350902793353495994525992132626819", "length": 55.0 }, "source": "https://android.googlesource.com/platform/frameworks/base/+/be2e3b05858ba7a6349f5487d2658d00853b11cd", "signature_type": "Function", "signature_version": "v1" } ] }