ASB-A-162627132

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-162627132.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-162627132
Aliases
  • A-162627132
  • CVE-2020-0440
Published
2020-12-01T00:00:00Z
Modified
2024-08-07T19:29:41.220941Z
Summary
Untrusted entity can create a trusted virtual display
Details

In createVirtualDisplay of DisplayManagerService.java, there is a possible way to create a trusted virtual display due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2020-12-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 620.0,
                "function_hash": "239371168474435106705549436577521379820"
            },
            "id": "ASB-A-162627132-423248a4",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/app/ActivityView.java",
                "function": "ActivityView"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "250896370136357360299701666135463075360",
                    "201686686013155060205738386991483530780",
                    "312711583752047043129679056824365673054",
                    "189122960153261462874005845203010359948",
                    "286399048268168781185554467120798134232",
                    "106083281954009616223228637256462267615",
                    "25850704806361255751968423519166396887",
                    "12967322972079511881275869331236320072",
                    "147716021270222420492105860109471466604",
                    "131276406187877410944642951580088492827",
                    "63377060841528466725544497714051852830"
                ]
            },
            "id": "ASB-A-162627132-65d2d104",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/display/DisplayManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "258553771971410405841084262629681100491",
                    "7401628291545135932660139539553619545",
                    "242204327715555293190831521448470172486",
                    "92939128731960973492346651811509168753",
                    "314433566844467450865012753231334211740",
                    "274368783212763415446615146683375695911",
                    "204010551266933520204560819755870222846",
                    "203391213251224488244764204613584365300",
                    "258366518084438667083298462982327040781",
                    "323913289008743989267380426453474823230",
                    "260321854692399135256547868646927935704",
                    "205346645043153278868991523410521507592",
                    "22316378711438805155223441773216217046",
                    "288419990617274279659441749515198568054",
                    "81949748116057554335464500557729565413",
                    "269178950074266937729074231395410186816",
                    "17744133001399994430564946342714323148",
                    "307467135462894795426734241007414458866",
                    "167262242747670297908136728001729126263"
                ]
            },
            "id": "ASB-A-162627132-6b4eacfa",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/window/VirtualDisplayTaskEmbedder.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "195379310623476678710410218490563778316",
                    "319199624462453366552246890649462496261",
                    "80218908142020543923972804654231410495",
                    "303522696637731085215683590697967519853"
                ]
            },
            "id": "ASB-A-162627132-7efdb6d8",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "packages/SystemUI/src/com/android/systemui/bubbles/BubbleExpandedView.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2507.0,
                "function_hash": "121327654351840086936967050863261341871"
            },
            "id": "ASB-A-162627132-90e6a927",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/display/DisplayManagerService.java",
                "function": "createVirtualDisplay"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 161.0,
                "function_hash": "209332261248657150809766734052562692292"
            },
            "id": "ASB-A-162627132-ab7c7fc2",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/window/VirtualDisplayTaskEmbedder.java",
                "function": "VirtualDisplayTaskEmbedder"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1338.0,
                "function_hash": "43726405350117188276488369128079194231"
            },
            "id": "ASB-A-162627132-cf11ce92",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/534bbaeead15bc3c540efd947b3a5ade62cf27be",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/vr/Vr2dDisplay.java",
                "function": "startVirtualDisplay"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 2350.0,
                "function_hash": "249708782117754009439509511991058852838"
            },
            "id": "ASB-A-162627132-d081ff13",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "packages/SystemUI/src/com/android/systemui/bubbles/BubbleExpandedView.java",
                "function": "onFinishInflate"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "96089115919927883009817411414754204204",
                    "168523404340466835887044445921646800663",
                    "294037072454595404292982144317110578447",
                    "126970483900217361288029711032128925081",
                    "278734129672993415439047871053023539114",
                    "205633361048188683437656721048153866684",
                    "305995911117668165260433079536015939528",
                    "316001025617636284700875619530730735172",
                    "222647459581260635751040637918951188586",
                    "333153351279358913954905767948003468291",
                    "78534315695932223970272974659965922195",
                    "51482359258682009475703155298937932777",
                    "4234172063000335714751786394933520430",
                    "289396799751130489717411796309020430709"
                ]
            },
            "id": "ASB-A-162627132-ea5889e1",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/app/ActivityView.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1103.0,
                "function_hash": "217285014179210020151564900447951640456"
            },
            "id": "ASB-A-162627132-f16c942b",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/window/VirtualDisplayTaskEmbedder.java",
                "function": "onInitialize"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "130344569746675618631350674811462547750",
                    "49170604162311517459516755728915256969",
                    "137912597979153709748025113541476231099",
                    "210888633868301561718554373832830691966"
                ]
            },
            "id": "ASB-A-162627132-f5f154c6",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/534bbaeead15bc3c540efd947b3a5ade62cf27be",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/vr/Vr2dDisplay.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/11725e1206645e567cfdd70100d64d1e0a85180d",
        "https://android.googlesource.com/platform/frameworks/base/+/534bbaeead15bc3c540efd947b3a5ade62cf27be"
    ],
    "spl": "2020-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}