In updatePermissionSourcePackage of PermissionManagerService.java, there is a possible automatic runtime permission grant due to a confused deputy. This could lead to local escalation of privilege allowing a malicious app to silently gain access to a dangerous permission with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "42944500549505635161036987220393129218", "32374468865149567811517005251175270874", "182416145722170882610837408393988471387", "73133442436564090363183519967048906082" ] }, "id": "ASB-A-155648771-4acbd12e", "source": "https://android.googlesource.com/platform/frameworks/base/+/a9f825922e1870575aeab11a2035903c217233c9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1646.0, "function_hash": "260801340390853921484827258252259891230" }, "id": "ASB-A-155648771-ea459bf9", "source": "https://android.googlesource.com/platform/frameworks/base/+/a9f825922e1870575aeab11a2035903c217233c9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "updatePermissionSourcePackage" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/a9f825922e1870575aeab11a2035903c217233c9" ], "spl": "2021-01-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1646.0, "function_hash": "260801340390853921484827258252259891230" }, "id": "ASB-A-155648771-9979c947", "source": "https://android.googlesource.com/platform/frameworks/base/+/a9f825922e1870575aeab11a2035903c217233c9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "updatePermissionSourcePackage" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "42944500549505635161036987220393129218", "32374468865149567811517005251175270874", "182416145722170882610837408393988471387", "73133442436564090363183519967048906082" ] }, "id": "ASB-A-155648771-dcfd25c1", "source": "https://android.googlesource.com/platform/frameworks/base/+/a9f825922e1870575aeab11a2035903c217233c9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/a9f825922e1870575aeab11a2035903c217233c9" ], "spl": "2021-01-01", "severity": "High", "types": [ "EoP" ] }