In onPackageAddedInternal of PermissionManagerService.java, there is possible access to external storage due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "203799557057885294476407273107735822783", "211997841520199736137396992106972137189", "188722628729278527148131203906199780997", "36902899805615447171364628021912654715" ] }, "id": "ASB-A-171430330-5f140975", "source": "https://android.googlesource.com/platform/frameworks/base/+/ed2ff0f5da52fc81aa03e01dbcd0baa45103026a", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "117430531420934236008829177034011720369", "137017242176146793140213877893338370297", "238592249542262199672629469576105406264", "4728796575661810231772839396161417256", "254976905268686039723149656960585013015", "31263376187200905455715142387253777982", "220092271561843487688364360298772264595", "219250610322782406052673363796892809280", "334585086700258879484247490887382542111", "301300295050894068260670477853128615682", "258873392732703721066931777941225975184", "131422428792151020597567757352130424320", "213587895929827077375398772036233664127", "113451309638946934384433577538131867590", "314519187194929485475762574350454304878", "181131780916804653553877445845977436446", "41855057278416843580858561094340083175", "42237760986996534542912864232371382157" ] }, "id": "ASB-A-171430330-8567a535", "source": "https://android.googlesource.com/platform/frameworks/base/+/387182eb494e596ef670d6fd919f85e92d156c79", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1292.0, "function_hash": "26579715750128057442159848841234782058" }, "id": "ASB-A-171430330-d882749c", "source": "https://android.googlesource.com/platform/frameworks/base/+/387182eb494e596ef670d6fd919f85e92d156c79", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "revokeStoragePermissionsIfScopeExpanded" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "130315303156992307097129954046692329428", "256433138757982101604750259286390732024", "232110505397518020236051104407262205911", "288893012833461809843370412427564067639", "34625302209907835456002506675696236385", "54873771113191700228056861457622027501", "10165474535582284001018294178613793574", "75176057345746188768812124420376046253", "289639713368949142238715194128770248722", "310101259512340412240859814242151780590", "333795029320198455249478234972922325911", "280243168152612513923607368223796994009", "53959520725969512597347635189928983070", "183014723573180513908656372232344841309" ] }, "id": "ASB-A-171430330-dbde9924", "source": "https://android.googlesource.com/platform/frameworks/base/+/ed2ff0f5da52fc81aa03e01dbcd0baa45103026a", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "25311708761924139212959323740465510441", "259303074138557059967308942679280997508", "136090511548321216003532997672598405615" ] }, "id": "ASB-A-171430330-e300b4f9", "source": "https://android.googlesource.com/platform/frameworks/base/+/ed2ff0f5da52fc81aa03e01dbcd0baa45103026a", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java" }, "signature_type": "Line" }, { "digest": { "length": 5784.0, "function_hash": "7692690987346384978471905099979629606" }, "id": "ASB-A-171430330-fa063b7d", "source": "https://android.googlesource.com/platform/frameworks/base/+/ed2ff0f5da52fc81aa03e01dbcd0baa45103026a", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "commitPackageSettings" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/ed2ff0f5da52fc81aa03e01dbcd0baa45103026a", "https://android.googlesource.com/platform/frameworks/base/+/387182eb494e596ef670d6fd919f85e92d156c79" ], "spl": "2021-07-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 5006.0, "function_hash": "210709569709789089480645302977905322756" }, "id": "ASB-A-171430330-36e6bfbe", "source": "https://android.googlesource.com/platform/frameworks/base/+/09080dc177288035c4694690a0f2dcd752acb3ba", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "commitPackageSettings" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "232213533365563227525291669346162955214", "338545193427156760198067550199680530983", "59599772741656183467375078938096117298" ] }, "id": "ASB-A-171430330-51bf0229", "source": "https://android.googlesource.com/platform/frameworks/base/+/09080dc177288035c4694690a0f2dcd752acb3ba", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "130315303156992307097129954046692329428", "256433138757982101604750259286390732024", "232110505397518020236051104407262205911", "288893012833461809843370412427564067639", "34625302209907835456002506675696236385", "54873771113191700228056861457622027501", "10165474535582284001018294178613793574", "75176057345746188768812124420376046253", "65561186693940596219135369835081658030", "66617370866194042534636165393138419215", "61940106037166278254713343469731643139", "223204272487881232099272919303921597836", "53959520725969512597347635189928983070", "80879277292638886615080913027510501208" ] }, "id": "ASB-A-171430330-9c01ae48", "source": "https://android.googlesource.com/platform/frameworks/base/+/09080dc177288035c4694690a0f2dcd752acb3ba", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1144.0, "function_hash": "164536810280478633853928920576223604737" }, "id": "ASB-A-171430330-a3043b7e", "source": "https://android.googlesource.com/platform/frameworks/base/+/37acd7ee52a732c9e9cf839611677195430fafe9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "revokeStoragePermissionsIfScopeExpanded" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "101383814151195122333233703118074256060", "43070815716538065403281985879619252433", "2490113635718637964761351665705044958", "12735886263741535848634284769848325688" ] }, "id": "ASB-A-171430330-d0917be2", "source": "https://android.googlesource.com/platform/frameworks/base/+/09080dc177288035c4694690a0f2dcd752acb3ba", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "279730248525723893813315857405475009677", "250405025630660505171595864392049517738", "285415156998313954663684658538951208347", "63967797277994079306334254906542223836", "293855516144312621726906737086050264644", "216267394801198637755202179869471057044", "38470827194117504847246816679227987965", "6678215690977928041676518905339096594", "335323047419773828873692426693128078955", "149363629152114355372515683174969046767", "136655389221216274328710805443700175482", "251873937438620510515325848028954684387", "209404337359548176040777186825185018981", "251715746053104758843301071670618131481", "288847288208233257349729649498757708275", "318056698080980109559916235958876082607", "166074277038181231564277027735955574324", "142606330422984909115688119814822246345" ] }, "id": "ASB-A-171430330-feefe25c", "source": "https://android.googlesource.com/platform/frameworks/base/+/37acd7ee52a732c9e9cf839611677195430fafe9", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/09080dc177288035c4694690a0f2dcd752acb3ba", "https://android.googlesource.com/platform/frameworks/base/+/37acd7ee52a732c9e9cf839611677195430fafe9" ], "spl": "2021-07-01", "severity": "High", "types": [ "EoP" ] }