ASB-A-169252501

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-169252501.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-169252501
Aliases
  • A-169252501
  • CVE-2021-0476
Published
2021-05-01T00:00:00Z
Modified
2024-08-07T19:30:21.466201Z
Summary
Use after free in libbluetooth.so
Details

In FindOrCreatePeer of btif_av.cc, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/system/bt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9:0
Fixed
9:2021-05-01

Affected versions

Other

9

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 238.0,
                "function_hash": "149876918045358504370956173241248993079"
            },
            "id": "ASB-A-169252501-15d8ddc1",
            "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::BtaHandleRegistered"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 236.0,
                "function_hash": "127846889590340415951834049465418819456"
            },
            "id": "ASB-A-169252501-285769eb",
            "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::BtaHandleRegistered"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "9"
            ],
            "digest": {
                "length": 174.0,
                "function_hash": "65528912344716834826589416087978685088"
            },
            "id": "ASB-A-169252501-374d3e5a",
            "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::DeregisterAllBtaHandles"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "331293078526016562404328689888141899854",
                    "2322497238627235144961727125087970630",
                    "203648937355433518573128439932761124777",
                    "25212691223185803066718930812061936369",
                    "66936168821043562254163845472727638335",
                    "235104917484205533977032500277690320780",
                    "267201269717841092028825668417157367496",
                    "75978771785860844122118265499495747857",
                    "66936168821043562254163845472727638335",
                    "235104917484205533977032500277690320780",
                    "173569485101204284895449963033278039481",
                    "21721513700559348382673603846927763618",
                    "105693334848323409289971173846162312904",
                    "255217769913288710609696394077196581389",
                    "4384637297730988857126802801291282735",
                    "26672876250087487240984185801548000381",
                    "48727072518112051530940429775497435846",
                    "304546366998825079381700039783930145396",
                    "81964408864056496411746589272296610514",
                    "211776590200393861532864587028871615658",
                    "126867683735155193271630160450672618658",
                    "326101455198965394955974023546275441965",
                    "9071875010004526267855058804911097608",
                    "112322295493807377885673840050434155023",
                    "89920879861773771452513663279140829048",
                    "227538133683789425713924827535890684293",
                    "149233445817964970468812921719314436276",
                    "26672876250087487240984185801548000381",
                    "234659527700712118863467554668560540893",
                    "287965408633361319571044857821250093537",
                    "279590714065217830466403121878877668117",
                    "335935096673570273337876886832130065823",
                    "244958522067952797573893982748380823527",
                    "334988230763470955820707789938215014877",
                    "232033678032022769000728351318862788994",
                    "191895866305495185361903928815781935142"
                ]
            },
            "id": "ASB-A-169252501-a758358b",
            "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1048.0,
                "function_hash": "329174392347763179983427046306926867425"
            },
            "id": "ASB-A-169252501-ab29ddde",
            "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::FindOrCreatePeer"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "9"
            ],
            "digest": {
                "length": 172.0,
                "function_hash": "43140690224603685116810835061539601341"
            },
            "id": "ASB-A-169252501-e9eb27b3",
            "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::DeregisterAllBtaHandles"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1050.0,
                "function_hash": "218766263198388952194430734699468708722"
            },
            "id": "ASB-A-169252501-f9a695a4",
            "source": "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::FindOrCreatePeer"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/bt/+/9ca4c62ce5aaff3b6ebf564d796913b230370fb4"
    ],
    "spl": "2021-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/bt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2021-05-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "331293078526016562404328689888141899854",
                    "2322497238627235144961727125087970630",
                    "203648937355433518573128439932761124777",
                    "25212691223185803066718930812061936369",
                    "242867435571651341606309218580176787629",
                    "315116305912593237881129245693820990073",
                    "267201269717841092028825668417157367496",
                    "75978771785860844122118265499495747857",
                    "66936168821043562254163845472727638335",
                    "235104917484205533977032500277690320780",
                    "173569485101204284895449963033278039481",
                    "21721513700559348382673603846927763618",
                    "105693334848323409289971173846162312904",
                    "255217769913288710609696394077196581389",
                    "4384637297730988857126802801291282735",
                    "26672876250087487240984185801548000381",
                    "48727072518112051530940429775497435846",
                    "304546366998825079381700039783930145396",
                    "81964408864056496411746589272296610514",
                    "211776590200393861532864587028871615658",
                    "126867683735155193271630160450672618658",
                    "326101455198965394955974023546275441965",
                    "9071875010004526267855058804911097608",
                    "112322295493807377885673840050434155023",
                    "89920879861773771452513663279140829048",
                    "227538133683789425713924827535890684293",
                    "149233445817964970468812921719314436276",
                    "26672876250087487240984185801548000381",
                    "234659527700712118863467554668560540893",
                    "287965408633361319571044857821250093537",
                    "279590714065217830466403121878877668117",
                    "335935096673570273337876886832130065823",
                    "244958522067952797573893982748380823527",
                    "334988230763470955820707789938215014877",
                    "232033678032022769000728351318862788994",
                    "191895866305495185361903928815781935142"
                ]
            },
            "id": "ASB-A-169252501-1f13d38a",
            "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc"
            },
            "signature_type": "Line"
        },
        {
            "match_only_versions": [
                "10"
            ],
            "digest": {
                "length": 174.0,
                "function_hash": "65528912344716834826589416087978685088"
            },
            "id": "ASB-A-169252501-202caa8b",
            "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::DeregisterAllBtaHandles"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 238.0,
                "function_hash": "149876918045358504370956173241248993079"
            },
            "id": "ASB-A-169252501-2dd436a9",
            "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::BtaHandleRegistered"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1109.0,
                "function_hash": "46617459757280629262567702798985189903"
            },
            "id": "ASB-A-169252501-96f5657e",
            "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::FindOrCreatePeer"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1050.0,
                "function_hash": "218766263198388952194430734699468708722"
            },
            "id": "ASB-A-169252501-973dda73",
            "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::FindOrCreatePeer"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "10"
            ],
            "digest": {
                "length": 172.0,
                "function_hash": "43140690224603685116810835061539601341"
            },
            "id": "ASB-A-169252501-b9ca15d3",
            "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::DeregisterAllBtaHandles"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 236.0,
                "function_hash": "127846889590340415951834049465418819456"
            },
            "id": "ASB-A-169252501-bf738abc",
            "source": "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::BtaHandleRegistered"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/bt/+/f230ef243e3b9abad4608cf5be1b5eab26193a3e"
    ],
    "spl": "2021-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/bt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2021-05-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "match_only_versions": [
                "11"
            ],
            "digest": {
                "length": 172.0,
                "function_hash": "43140690224603685116810835061539601341"
            },
            "id": "ASB-A-169252501-1960f265",
            "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::DeregisterAllBtaHandles"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "11"
            ],
            "digest": {
                "length": 695.0,
                "function_hash": "230495465556589350163812101599905675235"
            },
            "id": "ASB-A-169252501-3d92bb4a",
            "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::BtaHandleRegistered"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "11"
            ],
            "digest": {
                "length": 697.0,
                "function_hash": "139062621193383159984482973910761356616"
            },
            "id": "ASB-A-169252501-6aaafe93",
            "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::BtaHandleRegistered"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1290.0,
                "function_hash": "142231195491519073520493206282996531695"
            },
            "id": "ASB-A-169252501-6c68d8a0",
            "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::FindOrCreatePeer"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "11"
            ],
            "digest": {
                "length": 174.0,
                "function_hash": "65528912344716834826589416087978685088"
            },
            "id": "ASB-A-169252501-91afdc6f",
            "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSource::DeregisterAllBtaHandles"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "331293078526016562404328689888141899854",
                    "2322497238627235144961727125087970630",
                    "203648937355433518573128439932761124777",
                    "25212691223185803066718930812061936369",
                    "242867435571651341606309218580176787629",
                    "315116305912593237881129245693820990073",
                    "267201269717841092028825668417157367496",
                    "75978771785860844122118265499495747857",
                    "66936168821043562254163845472727638335",
                    "235104917484205533977032500277690320780",
                    "173569485101204284895449963033278039481",
                    "21721513700559348382673603846927763618",
                    "105693334848323409289971173846162312904",
                    "255217769913288710609696394077196581389",
                    "4384637297730988857126802801291282735",
                    "26672876250087487240984185801548000381",
                    "48727072518112051530940429775497435846",
                    "304546366998825079381700039783930145396",
                    "81964408864056496411746589272296610514",
                    "211776590200393861532864587028871615658",
                    "126867683735155193271630160450672618658",
                    "326101455198965394955974023546275441965",
                    "9071875010004526267855058804911097608",
                    "102271672906487167265963398051837337197",
                    "89920879861773771452513663279140829048",
                    "227538133683789425713924827535890684293",
                    "149233445817964970468812921719314436276",
                    "26672876250087487240984185801548000381",
                    "234659527700712118863467554668560540893",
                    "287965408633361319571044857821250093537",
                    "279590714065217830466403121878877668117",
                    "335935096673570273337876886832130065823",
                    "244958522067952797573893982748380823527",
                    "334988230763470955820707789938215014877",
                    "232033678032022769000728351318862788994",
                    "323272362925700860830954035651760506206"
                ]
            },
            "id": "ASB-A-169252501-a9f129e9",
            "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1349.0,
                "function_hash": "229860356068028072949086883197902121591"
            },
            "id": "ASB-A-169252501-f48b765e",
            "source": "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff",
            "deprecated": true,
            "signature_version": "v1",
            "target": {
                "file": "btif/src/btif_av.cc",
                "function": "BtifAvSink::FindOrCreatePeer"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/bt/+/1be5b0d94068e47ecaa0a00b2f40ef520850f6ff"
    ],
    "spl": "2021-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}