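In FindOrCreatePeer of btif_av.cc, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The three JSON records that follow hold the Vanir signatures for this issue (ASB-A-169252501; severity High, type EoP, security patch level 2021-05-01), one record per fix commit in platform/system/bt. Every signature in them is marked "deprecated": true, so confirm how your scanner treats deprecated signatures before relying on them to verify that the fix is present.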
{ "vanir_signatures": [ { "digest": { "length": 238.0, "function_hash": "149876918045358504370956173241248993079" }, "id": "ASB-A-169252501-15d8ddc1", "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::BtaHandleRegistered" }, "signature_type": "Function" }, { "digest": { "length": 236.0, "function_hash": "127846889590340415951834049465418819456" }, "id": "ASB-A-169252501-285769eb", "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::BtaHandleRegistered" }, "signature_type": "Function" }, { "match_only_versions": [ "9" ], "digest": { "length": 174.0, "function_hash": "65528912344716834826589416087978685088" }, "id": "ASB-A-169252501-374d3e5a", "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::DeregisterAllBtaHandles" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "331293078526016562404328689888141899854", "2322497238627235144961727125087970630", "203648937355433518573128439932761124777", "25212691223185803066718930812061936369", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "267201269717841092028825668417157367496", "75978771785860844122118265499495747857", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "173569485101204284895449963033278039481", "21721513700559348382673603846927763618", "105693334848323409289971173846162312904", "255217769913288710609696394077196581389", "4384637297730988857126802801291282735", 
"26672876250087487240984185801548000381", "48727072518112051530940429775497435846", "304546366998825079381700039783930145396", "81964408864056496411746589272296610514", "211776590200393861532864587028871615658", "126867683735155193271630160450672618658", "326101455198965394955974023546275441965", "9071875010004526267855058804911097608", "112322295493807377885673840050434155023", "89920879861773771452513663279140829048", "227538133683789425713924827535890684293", "149233445817964970468812921719314436276", "26672876250087487240984185801548000381", "234659527700712118863467554668560540893", "287965408633361319571044857821250093537", "279590714065217830466403121878877668117", "335935096673570273337876886832130065823", "244958522067952797573893982748380823527", "334988230763470955820707789938215014877", "232033678032022769000728351318862788994", "191895866305495185361903928815781935142" ] }, "id": "ASB-A-169252501-a758358b", "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc" }, "signature_type": "Line" }, { "digest": { "length": 1048.0, "function_hash": "329174392347763179983427046306926867425" }, "id": "ASB-A-169252501-ab29ddde", "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::FindOrCreatePeer" }, "signature_type": "Function" }, { "match_only_versions": [ "9" ], "digest": { "length": 172.0, "function_hash": "43140690224603685116810835061539601341" }, "id": "ASB-A-169252501-e9eb27b3", "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::DeregisterAllBtaHandles" }, "signature_type": 
"Function" }, { "digest": { "length": 1050.0, "function_hash": "218766263198388952194430734699468708722" }, "id": "ASB-A-169252501-f9a695a4", "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::FindOrCreatePeer" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4" ], "spl": "2021-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "331293078526016562404328689888141899854", "2322497238627235144961727125087970630", "203648937355433518573128439932761124777", "25212691223185803066718930812061936369", "242867435571651341606309218580176787629", "315116305912593237881129245693820990073", "267201269717841092028825668417157367496", "75978771785860844122118265499495747857", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "173569485101204284895449963033278039481", "21721513700559348382673603846927763618", "105693334848323409289971173846162312904", "255217769913288710609696394077196581389", "4384637297730988857126802801291282735", "26672876250087487240984185801548000381", "48727072518112051530940429775497435846", "304546366998825079381700039783930145396", "81964408864056496411746589272296610514", "211776590200393861532864587028871615658", "126867683735155193271630160450672618658", "326101455198965394955974023546275441965", "9071875010004526267855058804911097608", "112322295493807377885673840050434155023", "89920879861773771452513663279140829048", "227538133683789425713924827535890684293", "149233445817964970468812921719314436276", "26672876250087487240984185801548000381", "234659527700712118863467554668560540893", "287965408633361319571044857821250093537", "279590714065217830466403121878877668117", "335935096673570273337876886832130065823", "244958522067952797573893982748380823527", "334988230763470955820707789938215014877", "232033678032022769000728351318862788994", "191895866305495185361903928815781935142" ] }, "id": "ASB-A-169252501-1f13d38a", "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc" }, "signature_type": "Line" }, { "match_only_versions": [ "10" ], "digest": { "length": 174.0, "function_hash": "65528912344716834826589416087978685088" }, 
"id": "ASB-A-169252501-202caa8b", "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::DeregisterAllBtaHandles" }, "signature_type": "Function" }, { "digest": { "length": 238.0, "function_hash": "149876918045358504370956173241248993079" }, "id": "ASB-A-169252501-2dd436a9", "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::BtaHandleRegistered" }, "signature_type": "Function" }, { "digest": { "length": 1109.0, "function_hash": "46617459757280629262567702798985189903" }, "id": "ASB-A-169252501-96f5657e", "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::FindOrCreatePeer" }, "signature_type": "Function" }, { "digest": { "length": 1050.0, "function_hash": "218766263198388952194430734699468708722" }, "id": "ASB-A-169252501-973dda73", "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::FindOrCreatePeer" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 172.0, "function_hash": "43140690224603685116810835061539601341" }, "id": "ASB-A-169252501-b9ca15d3", "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::DeregisterAllBtaHandles" }, "signature_type": "Function" }, { "digest": { 
"length": 236.0, "function_hash": "127846889590340415951834049465418819456" }, "id": "ASB-A-169252501-bf738abc", "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::BtaHandleRegistered" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e" ], "spl": "2021-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "11" ], "digest": { "length": 172.0, "function_hash": "43140690224603685116810835061539601341" }, "id": "ASB-A-169252501-1960f265", "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::DeregisterAllBtaHandles" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 695.0, "function_hash": "230495465556589350163812101599905675235" }, "id": "ASB-A-169252501-3d92bb4a", "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::BtaHandleRegistered" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 697.0, "function_hash": "139062621193383159984482973910761356616" }, "id": "ASB-A-169252501-6aaafe93", "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::BtaHandleRegistered" }, "signature_type": "Function" }, { "digest": { "length": 1290.0, "function_hash": "142231195491519073520493206282996531695" }, "id": "ASB-A-169252501-6c68d8a0", "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::FindOrCreatePeer" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 174.0, "function_hash": "65528912344716834826589416087978685088" }, "id": "ASB-A-169252501-91afdc6f", "source": 
"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSource::DeregisterAllBtaHandles" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "331293078526016562404328689888141899854", "2322497238627235144961727125087970630", "203648937355433518573128439932761124777", "25212691223185803066718930812061936369", "242867435571651341606309218580176787629", "315116305912593237881129245693820990073", "267201269717841092028825668417157367496", "75978771785860844122118265499495747857", "66936168821043562254163845472727638335", "235104917484205533977032500277690320780", "173569485101204284895449963033278039481", "21721513700559348382673603846927763618", "105693334848323409289971173846162312904", "255217769913288710609696394077196581389", "4384637297730988857126802801291282735", "26672876250087487240984185801548000381", "48727072518112051530940429775497435846", "304546366998825079381700039783930145396", "81964408864056496411746589272296610514", "211776590200393861532864587028871615658", "126867683735155193271630160450672618658", "326101455198965394955974023546275441965", "9071875010004526267855058804911097608", "102271672906487167265963398051837337197", "89920879861773771452513663279140829048", "227538133683789425713924827535890684293", "149233445817964970468812921719314436276", "26672876250087487240984185801548000381", "234659527700712118863467554668560540893", "287965408633361319571044857821250093537", "279590714065217830466403121878877668117", "335935096673570273337876886832130065823", "244958522067952797573893982748380823527", "334988230763470955820707789938215014877", "232033678032022769000728351318862788994", "323272362925700860830954035651760506206" ] }, "id": "ASB-A-169252501-a9f129e9", "source": 
"https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc" }, "signature_type": "Line" }, { "digest": { "length": 1349.0, "function_hash": "229860356068028072949086883197902121591" }, "id": "ASB-A-169252501-f48b765e", "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff", "deprecated": true, "signature_version": "v1", "target": { "file": "btif/src/btif_av.cc", "function": "BtifAvSink::FindOrCreatePeer" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff" ], "spl": "2021-05-01", "severity": "High", "types": [ "EoP" ] }