In several functions of MemoryFileSystem.cpp and related files, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "match_only_versions": [ "10" ], "digest": { "threshold": 0.9, "line_hashes": [ "307566612184893186510305798813647127224", "285298985623636682568305391053296096877", "111376868104747373946296790355126321067", "218155673646380593431406910228724813348", "169163152333455150952813660206241474972", "214416941494875041276942103755170253978", "22979584127819604067779458927804977041" ] }, "id": "ASB-A-176237595-2284b73a", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/MemoryFileSystem.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "98016313766012792984877754816329625159", "207975132946194396972298201588891122375", "132397567202481039594741100467746445713", "14036518118138290610104113776833174842" ] }, "id": "ASB-A-176237595-36da587a", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h" }, "signature_type": "Line" }, { "match_only_versions": [ "10" ], "digest": { "length": 304.0, "function_hash": "280414717969698508767893960612810316362" }, "id": "ASB-A-176237595-3a22ef36", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::RemoveFile" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 293.0, "function_hash": "56377441534790650884365848959255683274" }, "id": "ASB-A-176237595-49c5f155", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::removeOfflineLicense" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 380.0, "function_hash": "290170483095585134446400290876693945376" }, "id": "ASB-A-176237595-4c941966", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::Read" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 699.0, "function_hash": "259186125320602506857942297194105161950" }, "id": "ASB-A-176237595-5731f3e4", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::makeKeySetId" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "threshold": 0.9, "line_hashes": [ "167465959188102214322272343717963764420", "91584336904149886579656651327175374708", "111882419373869863115197327925109713295", "248554840161429144642399717796597924346", "130257098166118111868450049785264725529", "200728120008924478975019041916647228029", "197762471420842100313592897005482908960", "230955576510512387849990911300949649243", "246202988748263719246793088594557981184", "188306764338768351529267083783696580151", "128647143365315867171041227725098227357", "103491703471494470090646333865959584902", "34199310167999064311337238664197961261", "333786853609218891768890328428370663824", "101249072103650608403192788092491573414", "154763545970702227246749488656853431283", "198891738745409233078538996972589098132", "127280881261712206774592481470803407712", "186642185276642447379237466515748883511", "25808546729381193470950803477781075864", "251456678047814088429341038922289497910", "32928382785518256223984650300891616054", "4927573504111776904915316152951837767", "74453851442280720895303201575646880107", "257809563614014242675045255171750097453", "231055277446217611567926498609551633231", "71787708119133698920989109757160784465", "51859937721698357060834271275165908449", "298498318454108610644965677884402538419", "103646664411705008328423378213441857759", "199718428122209125429859400629808047468" ] }, "id": "ASB-A-176237595-5bd9cbd7", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp" }, "signature_type": "Line" }, { "match_only_versions": [ "10" ], "digest": { "threshold": 0.9, "line_hashes": [ "172055581127389310259934318737046658125", "237934238854497305784749969755755666332", "108702744614423496725138917566598870107", "120909401969203372801902388078382209366", "215706619906718557676336491136595107920", "28114112168387778999516361594979865550", "300670624045693819691773835443945850780", "296219072534950563784970069115622800808", "225492542353939975283411755767080912260", "126973419718923725152884021559843478673", "98657534283665685325632298025510903744", "301546277590160819383323967239547086488", "67513860305216349735575240149948264000", "155463808617527160055289338288777893678", "83045826910925264387955343333630756249", "185754663068956153323480480116516796035", "76240649137872141943478552388908529661", "195155558315510671368344975816843661750", "262145407576888433690543640702495865740", "80513796829160959222100576279623566038", "110228077831682683802145820264071089636", "79863566905860225096629040609344408127", "329440250993985645288885042066130145809", "215583046705652153191522537616831777585", "310169722159967636069871653581932546952", "282404697480065614289763315374938389013", "148795970676421281788586270900887306014", "215933811881003252697697833481313315053" ] }, "id": "ASB-A-176237595-67746931", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp" }, "signature_type": "Line" }, { "match_only_versions": [ "10" ], "digest": { "length": 190.0, "function_hash": "279455669684810869968631840568798576538" }, "id": "ASB-A-176237595-6867d8bb", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::ListFiles" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 360.0, "function_hash": "313620152516000522070536905650735857976" }, "id": "ASB-A-176237595-6a2d49b8", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::Write" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 119.0, "function_hash": "132402728794421139756730851525794072824" }, "id": "ASB-A-176237595-7999a9c1", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::RemoveAllFiles" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 447.0, "function_hash": "130934893610876758725476876475271221009" }, "id": "ASB-A-176237595-7a7d14a6", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getOfflineLicenseKeySetIds" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 929.0, "function_hash": "223629748653852921757471305225719004757" }, "id": "ASB-A-176237595-92c0bc0e", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::restoreKeys" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 318.0, "function_hash": "150221699405232435931457032128476032032" }, "id": "ASB-A-176237595-b435f4e6", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::GetFileSize" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 163.0, "function_hash": "290242603042890076920768315108514407060" }, "id": "ASB-A-176237595-c3f98c9a", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::FileExists" }, "signature_type": "Function" }, { "match_only_versions": [ "10" ], "digest": { "length": 712.0, "function_hash": "42007760991788800081274188316115233021" }, "id": "ASB-A-176237595-d78d3a9d", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getOfflineLicenseState" }, "signature_type": "Function" }, { "digest": { "length": 1821.0, "function_hash": "155457508089819586038033155395758281951" }, "id": "ASB-A-176237595-eaa1f187", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getKeyRequestCommon" }, "signature_type": "Function" }, { "digest": { "length": 2330.0, "function_hash": "232176693834341067388549305246891873670" }, "id": "ASB-A-176237595-ffce63fe", "source": "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::provideKeyResponse" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/9ba33b35860503814ed02bf5bcf5ff24e4056f6d" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "11" ], "digest": { "length": 2566.0, "function_hash": "171188128310989098483596192589988727746" }, "id": "ASB-A-176237595-0cfdccad", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::provideKeyResponse" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 119.0, "function_hash": "132402728794421139756730851525794072824" }, "id": "ASB-A-176237595-15f67416", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::RemoveAllFiles" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 360.0, "function_hash": "313620152516000522070536905650735857976" }, "id": "ASB-A-176237595-1d0ac4ea", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::Write" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "threshold": 0.9, "line_hashes": [ "167465959188102214322272343717963764420", "91584336904149886579656651327175374708", "111882419373869863115197327925109713295", "248554840161429144642399717796597924346", "130257098166118111868450049785264725529", "200728120008924478975019041916647228029", "197762471420842100313592897005482908960", "230955576510512387849990911300949649243", "246202988748263719246793088594557981184", "188306764338768351529267083783696580151", "116950445027025853348666456636947746246", "70531637217183646788154326965574807032", "34199310167999064311337238664197961261", "333786853609218891768890328428370663824", "101249072103650608403192788092491573414", "154763545970702227246749488656853431283", "198891738745409233078538996972589098132", "127280881261712206774592481470803407712", "186642185276642447379237466515748883511", "25808546729381193470950803477781075864", "251456678047814088429341038922289497910", "32928382785518256223984650300891616054", "4927573504111776904915316152951837767", "74453851442280720895303201575646880107", "257809563614014242675045255171750097453", "231055277446217611567926498609551633231", "71787708119133698920989109757160784465", "51859937721698357060834271275165908449", "298498318454108610644965677884402538419", "103646664411705008328423378213441857759", "199718428122209125429859400629808047468" ] }, "id": "ASB-A-176237595-2a397919", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp" }, "signature_type": "Line" }, { "match_only_versions": [ "11" ], "digest": { "length": 163.0, "function_hash": "290242603042890076920768315108514407060" }, "id": "ASB-A-176237595-382732a0", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::FileExists" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 304.0, "function_hash": "280414717969698508767893960612810316362" }, "id": "ASB-A-176237595-394053d4", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::RemoveFile" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 293.0, "function_hash": "56377441534790650884365848959255683274" }, "id": "ASB-A-176237595-531e5d76", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::removeOfflineLicense" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 929.0, "function_hash": "223629748653852921757471305225719004757" }, "id": "ASB-A-176237595-5d5b8640", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::restoreKeys" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 190.0, "function_hash": "279455669684810869968631840568798576538" }, "id": "ASB-A-176237595-5df29985", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::ListFiles" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "98016313766012792984877754816329625159", "93009046433394417834197826338471062670", "299832356352725215931248843431150227810", "187419567163982050424601048561626171280" ] }, "id": "ASB-A-176237595-6dacc013", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h" }, "signature_type": "Line" }, { "match_only_versions": [ "11" ], "digest": { "length": 447.0, "function_hash": "130934893610876758725476876475271221009" }, "id": "ASB-A-176237595-7b295d23", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getOfflineLicenseKeySetIds" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "threshold": 0.9, "line_hashes": [ "307566612184893186510305798813647127224", "285298985623636682568305391053296096877", "111376868104747373946296790355126321067", "218155673646380593431406910228724813348", "169163152333455150952813660206241474972", "214416941494875041276942103755170253978", "22979584127819604067779458927804977041" ] }, "id": "ASB-A-176237595-7c0dbbcb", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/MemoryFileSystem.h" }, "signature_type": "Line" }, { "match_only_versions": [ "11" ], "digest": { "length": 318.0, "function_hash": "150221699405232435931457032128476032032" }, "id": "ASB-A-176237595-8dfeae7f", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::GetFileSize" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 712.0, "function_hash": "42007760991788800081274188316115233021" }, "id": "ASB-A-176237595-9f2ad667", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getOfflineLicenseState" }, "signature_type": "Function" }, { "digest": { "length": 1821.0, "function_hash": "155457508089819586038033155395758281951" }, "id": "ASB-A-176237595-a02e4642", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getKeyRequestCommon" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "length": 699.0, "function_hash": "259186125320602506857942297194105161950" }, "id": "ASB-A-176237595-bdc31474", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::makeKeySetId" }, "signature_type": "Function" }, { "match_only_versions": [ "11" ], "digest": { "threshold": 0.9, "line_hashes": [ "172055581127389310259934318737046658125", "237934238854497305784749969755755666332", "108702744614423496725138917566598870107", "120909401969203372801902388078382209366", "215706619906718557676336491136595107920", "28114112168387778999516361594979865550", "300670624045693819691773835443945850780", "296219072534950563784970069115622800808", "225492542353939975283411755767080912260", "126973419718923725152884021559843478673", "98657534283665685325632298025510903744", "301546277590160819383323967239547086488", "67513860305216349735575240149948264000", "155463808617527160055289338288777893678", "83045826910925264387955343333630756249", "185754663068956153323480480116516796035", "76240649137872141943478552388908529661", "195155558315510671368344975816843661750", "262145407576888433690543640702495865740", "80513796829160959222100576279623566038", "110228077831682683802145820264071089636", "79863566905860225096629040609344408127", "329440250993985645288885042066130145809", "215583046705652153191522537616831777585", "310169722159967636069871653581932546952", "282404697480065614289763315374938389013", "148795970676421281788586270900887306014", "215933811881003252697697833481313315053" ] }, "id": "ASB-A-176237595-e0ca1351", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp" }, "signature_type": "Line" }, { "match_only_versions": [ "11" ], "digest": { "length": 380.0, "function_hash": "290170483095585134446400290876693945376" }, "id": "ASB-A-176237595-f75a4f1b", "source": "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/MemoryFileSystem.cpp", "function": "MemoryFileSystem::Read" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }