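In multiple functions of TaskFragmentOrganizerController.java, there is a possible token leak due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The two records below each reference one fix commit in platform/frameworks/base; both are rated High, typed EoP, and assigned to security patch level (spl) 2025-02-01. Their function-level signatures target prepareActivityReparentedToTask and registerOrganizerInternal, and their line-level signatures target the file as a whole.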
{
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/61ab2b65caf855c48fdb4166f94e02bf79c90e7b"
],
"severity": "High",
"types": [
"EoP"
],
"spl": "2025-02-01",
"vanir_signatures": [
{
"digest": {
"length": 1705.0,
"function_hash": "258478466582053932562972805744309917193"
},
"target": {
"file": "services/core/java/com/android/server/wm/TaskFragmentOrganizerController.java",
"function": "prepareActivityReparentedToTask"
},
"id": "ASB-A-367266072-369b8d30",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://android.googlesource.com/platform/frameworks/base/+/61ab2b65caf855c48fdb4166f94e02bf79c90e7b"
},
{
"digest": {
"length": 767.0,
"function_hash": "254536546993706067293086853655003430576"
},
"deprecated": false,
"id": "ASB-A-367266072-6e5285ca",
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/wm/TaskFragmentOrganizerController.java",
"function": "registerOrganizerInternal"
},
"signature_type": "Function",
"source": "https://android.googlesource.com/platform/frameworks/base/+/61ab2b65caf855c48fdb4166f94e02bf79c90e7b"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"305473753703075709662241343561870851338",
"228630335061760418983991193824018250327",
"51570354093347570584818779925955699345",
"322683727079362404473207885342128339824",
"43248681677435104589713249023685432749",
"158386467047123906994316145995961275954",
"140179672334136548481612718360284859088",
"295952053634069586958544687074386247353",
"244563026434396631081597411571759810511",
"244322703832231804463929918876674278528",
"81738051495843237278386653792798493326"
]
},
"deprecated": false,
"id": "ASB-A-367266072-77b804fe",
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/wm/TaskFragmentOrganizerController.java"
},
"signature_type": "Line",
"source": "https://android.googlesource.com/platform/frameworks/base/+/61ab2b65caf855c48fdb4166f94e02bf79c90e7b"
}
]
}
{
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/6ab778a0dd3d09c6e3e2b6176245d3c99b5170ce"
],
"spl": "2025-02-01",
"types": [
"EoP"
],
"vanir_signatures": [
{
"digest": {
"length": 684.0,
"function_hash": "120866179522785176100423247400284955131"
},
"target": {
"file": "services/core/java/com/android/server/wm/TaskFragmentOrganizerController.java",
"function": "registerOrganizerInternal"
},
"id": "ASB-A-367266072-5b1310e9",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://android.googlesource.com/platform/frameworks/base/+/6ab778a0dd3d09c6e3e2b6176245d3c99b5170ce"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"305473753703075709662241343561870851338",
"228630335061760418983991193824018250327",
"51570354093347570584818779925955699345",
"322683727079362404473207885342128339824",
"148127237614072993949563398758548040678",
"246944160736285649391157079928574168445",
"321093641113601555085511763643355382193",
"133423095171064206238589195682130855981",
"321097959900322095929850331402440622743",
"10132185648953448340096912882409853318",
"148859158618058696663581924228187173960",
"57703179688146376310926396744847699471"
]
},
"deprecated": false,
"id": "ASB-A-367266072-d5ca3317",
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/wm/TaskFragmentOrganizerController.java"
},
"signature_type": "Line",
"source": "https://android.googlesource.com/platform/frameworks/base/+/6ab778a0dd3d09c6e3e2b6176245d3c99b5170ce"
},
{
"digest": {
"length": 1729.0,
"function_hash": "20395962646095279340786937332553877787"
},
"deprecated": false,
"id": "ASB-A-367266072-e49204dc",
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/wm/TaskFragmentOrganizerController.java",
"function": "prepareActivityReparentedToTask"
},
"signature_type": "Function",
"source": "https://android.googlesource.com/platform/frameworks/base/+/6ab778a0dd3d09c6e3e2b6176245d3c99b5170ce"
}
],
"severity": "High"
}