PUB-A-245727875

See a problem?
Import Source
https://storage.googleapis.com/android-osv/PUB-A-245727875.json
JSON Data
https://api.osv.dev/v1/vulns/PUB-A-245727875
Aliases
A-245727875
CVE-2022-20514
Published
2022-12-01T00:00:00Z
Modified
2025-07-10T15:11:05.955812Z
Summary
[none]
Details
In acquireFabricatedOverlayIterator, nextFabricatedOverlayInfos, and releaseFabricatedOverlayIterator of Idmap2Service.cpp, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
References
https://source.android.com/security/bulletin/2022-12-01
Affected packages

Android / platform/frameworks/base

Package

Name: platform/frameworks/base
Affected ranges

Type: ECOSYSTEM
Events: Introduced

13:0

Fixed

13:2022-12-01
Affected versions

Other

Ecosystem specific

{
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/7b4d4ca5e91442ddbfcccb55715d75a67caf3eff"
    ],
    "vanir_signatures": [
        {
            "id": "PUB-A-245727875-0c9cf060",
            "deprecated": false,
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "202144605245939720251509576265784988526",
                    "330769806256285511734640313767817607067",
                    "259150600434666024271713942170730307963",
                    "161197007327016784247419469716286819883",
                    "213649559135418921952722414716867649745",
                    "110997725776607251104688224660060920790",
                    "269110589052959533129509137817997698823",
                    "134033327854937878005143378424563197206",
                    "98557741935767421530475903653237422025",
                    "129721126637824583780146227853750890791",
                    "315455738768515044972829036375890502656",
                    "76097017087085971618204101969736470696",
                    "263591436060064920975406788388328235747",
                    "293266033177949486040250603326668613039",
                    "195458246910038704047738189155196304942"
                ]
            },
            "match_only_versions": [
                "13"
            ],
            "signature_type": "Line",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7b4d4ca5e91442ddbfcccb55715d75a67caf3eff",
            "target": {
                "file": "cmds/idmap2/idmap2d/Idmap2Service.h"
            },
            "signature_version": "v1"
        },
        {
            "id": "PUB-A-245727875-18d69b9e",
            "deprecated": false,
            "digest": {
                "length": 188.0,
                "function_hash": "128238835769563262526376303371421509067"
            },
            "match_only_versions": [
                "13"
            ],
            "signature_type": "Function",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7b4d4ca5e91442ddbfcccb55715d75a67caf3eff",
            "target": {
                "file": "cmds/idmap2/idmap2d/Idmap2Service.cpp",
                "function": "Idmap2Service::releaseFabricatedOverlayIterator"
            },
            "signature_version": "v1"
        },
        {
            "id": "PUB-A-245727875-32aa3481",
            "signature_type": "Line",
            "deprecated": false,
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "173878378130585961525477744600721970319",
                    "132074071168239705163824294383011427837",
                    "138532562503580825919421853115472906121",
                    "200591613810910865680879981254494159797",
                    "103625173946191337680417769958015073879",
                    "84489702151922584588412848252929004219",
                    "331853712388543601573301003843828083558",
                    "266566864798860293020067439539612057357",
                    "173348021665044163013060332967203523662",
                    "233520430412045177845837276516993102823",
                    "172972815455062368100957108325688654431",
                    "181843542997600225454872314804627202521",
                    "80643085619206638811849638644354893598",
                    "245888006204501543980229829218930029851",
                    "177880368932349782704836823432995736125"
                ]
            },
            "target": {
                "file": "services/core/java/com/android/server/om/IdmapDaemon.java"
            },
            "signature_version": "v1",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7b4d4ca5e91442ddbfcccb55715d75a67caf3eff"
        },
        {
            "id": "PUB-A-245727875-73029bb1",
            "deprecated": false,
            "digest": {
                "length": 274.0,
                "function_hash": "277250484928001438501085393364757954445"
            },
            "match_only_versions": [
                "13"
            ],
            "signature_type": "Function",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7b4d4ca5e91442ddbfcccb55715d75a67caf3eff",
            "target": {
                "file": "cmds/idmap2/idmap2d/Idmap2Service.cpp",
                "function": "Idmap2Service::acquireFabricatedOverlayIterator"
            },
            "signature_version": "v1"
        },
        {
            "id": "PUB-A-245727875-ab08fb95",
            "deprecated": false,
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "335508212848529320130941775471281471375",
                    "247010988445414438717903323833902769671",
                    "260760833771983472096629041183133918732",
                    "338455860354854258872681810071073314449",
                    "188449024047390492033308208183224108094",
                    "89524368815610759066779601728809994683",
                    "147864111382000992897210086620323889117",
                    "327954751995803708693263382213534917852",
                    "200884567399239735045801691860803941260",
                    "6364661984164964455001201932440196778",
                    "239481236222271477415707817173310200851",
                    "154873128487390619554655325990734213463",
                    "240224622319562219863306758965397646916",
                    "38779568061203223543066628845586147923",
                    "290878488430807259587714893807331004872",
                    "150286024051241244633676608811541583944",
                    "96650879885008780849898948048915521728",
                    "332927081150394699326047317358717119083",
                    "243851370226385090765940737223011728989",
                    "245327289110595502084535914678414045764",
                    "336810405225418341033146821859695862309",
                    "93715516425450273436580435156234171918",
                    "126297971039372035158051589720007182590",
                    "328806490951645775192167325286591572112",
                    "19229873875247842330421251070778814492",
                    "105812658327017990407615533547707082148",
                    "310851104083474568931001323637425571376",
                    "233084245510637938935777208594406398867",
                    "102766038453801880087343436490123823625",
                    "71632389433556724631427781716457297300",
                    "194128946610251710817123531446458163491",
                    "189088734584751374825048766943343137829",
                    "128561949479291513620375721409925184235",
                    "218778291065677745332137247709455180508",
                    "53063973147780853482482498525914283210",
                    "91406492069376375065078964027522298810",
                    "89325681585622757088111002792049813293",
                    "67942476515526239342243379962795884170",
                    "21635385864238047163522585406220539239",
                    "327182057370524198866758476226645656853",
                    "142822100010796637443203338934302204420",
                    "126342001370789589283304247172094116688"
                ]
            },
            "match_only_versions": [
                "13"
            ],
            "signature_type": "Line",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7b4d4ca5e91442ddbfcccb55715d75a67caf3eff",
            "target": {
                "file": "cmds/idmap2/idmap2d/Idmap2Service.cpp"
            },
            "signature_version": "v1"
        },
        {
            "id": "PUB-A-245727875-fea677b1",
            "signature_type": "Function",
            "deprecated": false,
            "digest": {
                "length": 690.0,
                "function_hash": "338104360767757828585167012306991980203"
            },
            "target": {
                "file": "services/core/java/com/android/server/om/IdmapDaemon.java",
                "function": "getFabricatedOverlayInfos"
            },
            "signature_version": "v1",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7b4d4ca5e91442ddbfcccb55715d75a67caf3eff"
        }
    ],
    "spl": "2022-12-01",
    "types": [
        "EoP"
    ],
    "severity": "Moderate"
}