In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 6883.0, "function_hash": "124405311670877030883599687544204952" }, "id": "ASB-A-168802990-4d3523c5", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc", "function": "avrc_pars_vendor_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "304297521142496603265053671498398544393", "196849927725121048719279673018861978368", "310733482542310402760765843212954607050", "22515287008392193236497768212461137106" ] }, "id": "ASB-A-168802990-d85464e0", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e" ], "spl": "2021-01-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "304297521142496603265053671498398544393", "196849927725121048719279673018861978368", "310733482542310402760765843212954607050", "22515287008392193236497768212461137106" ] }, "id": "ASB-A-168802990-ebd28ce2", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc" }, "signature_type": "Line" }, { "digest": { "length": 6883.0, "function_hash": "124405311670877030883599687544204952" }, "id": "ASB-A-168802990-ec3fda42", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc", "function": "avrc_pars_vendor_cmd" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e" ], "spl": "2021-01-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 6883.0, "function_hash": "124405311670877030883599687544204952" }, "id": "ASB-A-168802990-1e77f619", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc", "function": "avrc_pars_vendor_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "304297521142496603265053671498398544393", "196849927725121048719279673018861978368", "310733482542310402760765843212954607050", "22515287008392193236497768212461137106" ] }, "id": "ASB-A-168802990-2752028e", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e" ], "spl": "2021-01-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "304297521142496603265053671498398544393", "196849927725121048719279673018861978368", "310733482542310402760765843212954607050", "22515287008392193236497768212461137106" ] }, "id": "ASB-A-168802990-906a3e07", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc" }, "signature_type": "Line" }, { "digest": { "length": 6883.0, "function_hash": "124405311670877030883599687544204952" }, "id": "ASB-A-168802990-cdcf762b", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc", "function": "avrc_pars_vendor_cmd" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e" ], "spl": "2021-01-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 6883.0, "function_hash": "124405311670877030883599687544204952" }, "id": "ASB-A-168802990-049b8cd4", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc", "function": "avrc_pars_vendor_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "304297521142496603265053671498398544393", "196849927725121048719279673018861978368", "310733482542310402760765843212954607050", "22515287008392193236497768212461137106" ] }, "id": "ASB-A-168802990-886b571a", "source": "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_pars_tg.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/f328ab46d5419632aec221f95b186ec71077176e" ], "spl": "2021-01-01", "severity": "Critical", "types": [ "RCE" ] }