In setClientStateLocked of SurfaceFlinger.cpp, there is a possible out-of-bounds write due to a use-after-free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 308.0, "function_hash": "148854455244816904141629808056262942731" }, "id": "PUB-A-193034683-070cdc73", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/Layer.cpp", "function": "extractLayerFromBinder" }, "signature_type": "Function" }, { "digest": { "length": 764.0, "function_hash": "130293978526721095055343248248164931332" }, "id": "PUB-A-193034683-432988f3", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/Layer.cpp", "function": "Layer::setRelativeLayer" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "239402453879805974820221514929899196888", "2249085044513177693025040255682456257", "226345157174825149979105440303441858407", "13268908067441088285336305028466132062", "112091935413235430624711822683675802486", "225029701668452592244386154018306295060", "277572189605657307185401248928118138060", "219669145659572649728034698982296154536", "94441765663594011270865342380946982847", "74323979708334143926068579442598755407", "193788821048580266110294070658778600659", "296647607454635625776428477407160123115", "223936090731318599001442584936302837053" ] }, "id": "PUB-A-193034683-559d2e16", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceFlinger.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "225306940971149859754997434060906864893", "6962442468913351774715844956380190534", "179625925245624769655467472890004098774", "178712557885458808051994052757116474245", 
"57500976776301698093940671872786763994", "323481002034659072296792651226652396847", "35566303659113572604595042255255460944", "51864298357820387873168289895513169588", "154607271257312167751874117487651956353", "118326247183166808416632643915302236165", "50214010415513002184250466891761797279", "20727968245318005281300716163778375075", "157662469722496657335228128105167160105", "28303165143886896161884694133395623838", "303087693426676530330470730658327809406", "37538903106455159847944172283949152041", "317915974150158399236841457190156942990" ] }, "id": "PUB-A-193034683-59b9da9e", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceInterceptor.cpp" }, "signature_type": "Line" }, { "digest": { "length": 285.0, "function_hash": "190280804825596418843573860348017150566" }, "id": "PUB-A-193034683-608695c2", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/Layer.cpp", "function": "Layer::setInputInfo" }, "signature_type": "Function" }, { "digest": { "length": 117.0, "function_hash": "210869673462791584966852221607700206295" }, "id": "PUB-A-193034683-675646a8", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceFlinger.cpp", "function": "SurfaceFlinger::fromHandle" }, "signature_type": "Function" }, { "digest": { "length": 528.0, "function_hash": "272397869756864511585901407042354871271" }, "id": "PUB-A-193034683-6c2bcd89", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", 
"target": { "file": "services/surfaceflinger/SurfaceFlinger.cpp", "function": "SurfaceFlinger::onHandleDestroyed" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "136006072136364286030451714101063289554", "37885445453371406218133702823075601596", "144902293842621749154798219155681528334", "17167489456463945787529279788598170976", "38438209846733648038135248009325580343", "292004329668566787361512609336689332819", "167634453265103235302795215640246023976", "155472291971490582181828798537918678623", "149820680580176694431406729916008354716", "145940822595336290167236489780161960674", "202724038824256789684451275572112850503", "241467872763009047595648324782019049264", "10091708412893233576477886080475815643", "2766523982644813870630938944756034312", "273061877606499572861151057485873373735", "270708242246297760663083940232702998476", "71393996832272237438156330610627666541", "109112431274242209742538158946042517863", "74275643563225076357676325107272933795", "69152958776646416940753459701778578530", "129683263321805956961470041965054686621", "46524083787953808101646894193511390849", "39896797484673782284311879636348978379", "164452682644643208993642331956545705873", "146546620116686766324279736950402761232", "102751599998869278005733960896790012595", "130599711656616654904211232685050482909", "100496892379360003895295596115922141851", "43214606916536267417661410022357656573", "329352217235652700427298558406364434686", "83919560248309412451529874261934986451", "73648893346148962600065841783807431679", "89778085805477558843696716084211082459", "140979369812248538635045666159972441110", "37813659987758821446922066962026899856", "85043170291534718682850576254465764728", "909835335659200388773556295053511519", "187394542648027054581644542904147451484", "237797113250768572897659021958567736260", "224845452778262664658006672673773083002", "277538684427090502016513850203927738191", "101174805359562870285053871465465366111", 
"296434369643084843306585402847894692334", "335282290052372085275078867439059538904", "255657060539628187845840042326061412235", "169518170621707652381701704337183352223", "149197169950953529472195273405535736149", "178905101917885354047822277651638030170", "170252744051276544756709934721862888796", "42207463470114370069681183239957908455", "213179858847220692546114735595066497979", "103114633972873767947200851920497983405", "214729183865059137688147169533018483573", "160997270959241678084898697629908322870", "73941123739552011957078085332501843006", "235604830328682315607232431977386138049", "12585500931071506999697251752454483799", "194342658522476755407175476620666292064", "87829346955865209621376591611111344704", "7297744059548570342777310951062656277", "63770852577913088377791142719328341571", "310969560748103874126455025029343021514", "332156213924422119224217121229822195439", "126976632900394201730671429233344242604", "135452257777181003704069165521506552603", "333857430071666233630483665479349949876", "17922504818346392580126872495161541075", "106921782673202069771762251030344068290", "298841092162327648665127528615817493617" ] }, "id": "PUB-A-193034683-6efdfeec", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceFlinger.cpp" }, "signature_type": "Line" }, { "digest": { "length": 252.0, "function_hash": "238514461389302230355808178521023634988" }, "id": "PUB-A-193034683-7bf37204", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceInterceptor.cpp", "function": "SurfaceInterceptor::getLayer" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "19324125944673929876317574983437657487", 
"16900380928425654835962543966915816434", "28860736293614418934226195182894854962", "43405743797557795834132066604651494940", "53110454057224839023518192984000517384", "61147810411074516790205295877503383223", "339666493182311818867657985482013197817", "289988273976525370635197998815477395780", "147447930624726277773736410382501647353", "83515080549718919754867058606010317420", "55986800092397743693966673432436847646", "65174026325499613114215567956773254583", "88887067396733216877118661843837852851", "115381819434878148430744623758650560898", "143816748848899746169392340051465753832", "266184913105125242606668138514865619305", "45313648379568129541186714961092023827", "145713029121759960842183002785636454809", "147068460252592959441033563908951256538", "174118747610928324696979176061129654548", "279260658765857506830230325178678207629", "179485207995446800727656766953970256323", "167784268963113179362930219122312644496", "281817805564705012356313136627439469187", "130647464686857805216855722063703665654", "75323933321313771532081015838036645651", "250131377566475651383186976983704887448", "215853296336233910372431323307679109967", "6619378808088534728825262515365547326", "175929151346973007231099330303207577603", "42423112775543014511243081025675071865", "164649599368892808287888606545152284670", "56703230976113798066592004472291570709", "326378269591042118602134048380147485699", "100471330673333361245188010564633314378", "91330178860709430704607251398660511149" ] }, "id": "PUB-A-193034683-803aaf79", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/Layer.cpp" }, "signature_type": "Line" }, { "digest": { "length": 669.0, "function_hash": "72180255198095941201819186016615005055" }, "id": "PUB-A-193034683-858e4fa2", "source": 
"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/Layer.cpp", "function": "Layer::reparent" }, "signature_type": "Function" }, { "digest": { "length": 340.0, "function_hash": "295735437818471318240263290444204326115" }, "id": "PUB-A-193034683-86d47d6e", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceFlinger.cpp", "function": "SurfaceFlinger::fromHandleLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "180459281533515573444194746118978517362", "77486947446523004351637212510357807146", "320112465890559239182126150770937284651", "116848848557501671777503124013747448582", "1984503516145367709606882907228341434", "253549876504776358878858375170243429720", "274925040840188667756074887590989013169", "38165628023785295340404217939430881346", "203767377063084735029005355072152820751", "303057317047828389610248161797019837562", "270166416322623123507685998952583874592", "105246265134523999548902035894778709514", "67345504727149345076752764380236214194", "280555717421973170297833378305528097463", "210516112650426618323597342028005221208", "158632482583122815120188403597333694316", "309271713042654231707740391729741500941" ] }, "id": "PUB-A-193034683-a802cff6", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/Layer.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "249359015536695073772524735223714475384", "280468340427400704853703422136017137376", "186349254690430549925272512297185371446", "126290562815896788549251162284509452811", 
"194809315623446784663537516323511447070", "162678448710453754531187414328125944771", "57711654589088292708476087727744893163" ] }, "id": "PUB-A-193034683-a8220ea0", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceInterceptor.h" }, "signature_type": "Line" }, { "digest": { "length": 293.0, "function_hash": "277747683752730879581956337285799393658" }, "id": "PUB-A-193034683-b480d3c2", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceInterceptor.cpp", "function": "SurfaceInterceptor::getLayerIdFromHandle" }, "signature_type": "Function" }, { "digest": { "length": 10777.0, "function_hash": "44791309334450844456675503081552095819" }, "id": "PUB-A-193034683-bf68bfd4", "source": "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908", "deprecated": false, "signature_version": "v1", "target": { "file": "services/surfaceflinger/SurfaceFlinger.cpp", "function": "SurfaceFlinger::setClientStateLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908" ], "spl": "2021-12-01", "severity": "Moderate", "types": [ "EoP" ] }