In createVirtualDisplay of DisplayManagerService.java, there is a possible way to create a trusted virtual display due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 620.0, "function_hash": "239371168474435106705549436577521379820" }, "id": "ASB-A-162627132-423248a4", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/app/ActivityView.java", "function": "ActivityView" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "250896370136357360299701666135463075360", "201686686013155060205738386991483530780", "312711583752047043129679056824365673054", "189122960153261462874005845203010359948", "286399048268168781185554467120798134232", "106083281954009616223228637256462267615", "25850704806361255751968423519166396887", "12967322972079511881275869331236320072", "147716021270222420492105860109471466604", "131276406187877410944642951580088492827", "63377060841528466725544497714051852830" ] }, "id": "ASB-A-162627132-65d2d104", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/display/DisplayManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "258553771971410405841084262629681100491", "7401628291545135932660139539553619545", "242204327715555293190831521448470172486", "92939128731960973492346651811509168753", "314433566844467450865012753231334211740", "274368783212763415446615146683375695911", "204010551266933520204560819755870222846", "203391213251224488244764204613584365300", "258366518084438667083298462982327040781", "323913289008743989267380426453474823230", "260321854692399135256547868646927935704", "205346645043153278868991523410521507592", "22316378711438805155223441773216217046", "288419990617274279659441749515198568054", "81949748116057554335464500557729565413", "269178950074266937729074231395410186816", "17744133001399994430564946342714323148", "307467135462894795426734241007414458866", "167262242747670297908136728001729126263" ] }, "id": "ASB-A-162627132-6b4eacfa", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/window/VirtualDisplayTaskEmbedder.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "195379310623476678710410218490563778316", "319199624462453366552246890649462496261", "80218908142020543923972804654231410495", "303522696637731085215683590697967519853" ] }, "id": "ASB-A-162627132-7efdb6d8", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/bubbles/BubbleExpandedView.java" }, "signature_type": "Line" }, { "digest": { "length": 2507.0, "function_hash": "121327654351840086936967050863261341871" }, "id": "ASB-A-162627132-90e6a927", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/display/DisplayManagerService.java", "function": "createVirtualDisplay" }, "signature_type": "Function" }, { "digest": { "length": 161.0, "function_hash": "209332261248657150809766734052562692292" }, "id": "ASB-A-162627132-ab7c7fc2", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/window/VirtualDisplayTaskEmbedder.java", "function": "VirtualDisplayTaskEmbedder" }, "signature_type": "Function" }, { "digest": { "length": 1338.0, "function_hash": "43726405350117188276488369128079194231" }, "id": "ASB-A-162627132-cf11ce92", "source": "https://android.googlesource.com/platform/frameworks/base/+/534bbaeead15bc3c540efd947b3a5ade62cf27be", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/vr/Vr2dDisplay.java", "function": "startVirtualDisplay" }, "signature_type": "Function" }, { "digest": { "length": 2350.0, "function_hash": "249708782117754009439509511991058852838" }, "id": "ASB-A-162627132-d081ff13", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/bubbles/BubbleExpandedView.java", "function": "onFinishInflate" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "96089115919927883009817411414754204204", "168523404340466835887044445921646800663", "294037072454595404292982144317110578447", "126970483900217361288029711032128925081", "278734129672993415439047871053023539114", "205633361048188683437656721048153866684", "305995911117668165260433079536015939528", "316001025617636284700875619530730735172", "222647459581260635751040637918951188586", "333153351279358913954905767948003468291", "78534315695932223970272974659965922195", "51482359258682009475703155298937932777", "4234172063000335714751786394933520430", "289396799751130489717411796309020430709" ] }, "id": "ASB-A-162627132-ea5889e1", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/app/ActivityView.java" }, "signature_type": "Line" }, { "digest": { "length": 1103.0, "function_hash": "217285014179210020151564900447951640456" }, "id": "ASB-A-162627132-f16c942b", "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/window/VirtualDisplayTaskEmbedder.java", "function": "onInitialize" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "130344569746675618631350674811462547750", "49170604162311517459516755728915256969", "137912597979153709748025113541476231099", "210888633868301561718554373832830691966" ] }, "id": "ASB-A-162627132-f5f154c6", "source": "https://android.googlesource.com/platform/frameworks/base/+/534bbaeead15bc3c540efd947b3a5ade62cf27be", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/vr/Vr2dDisplay.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d", "https://android.googlesource.com/platform/frameworks/base/+/534bbaeead15bc3c540efd947b3a5ade62cf27be" ], "spl": "2020-12-01", "severity": "High", "types": [ "EoP" ] }