In various functions of CryptoPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 233.0, "function_hash": "83804324151596417791924039404182904851" }, "id": "ASB-A-176444161-3a4f3261", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/7e4c587ae32aca644254fa206de5131553975f4b", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp", "function": "CryptoPlugin::setSharedBufferBase" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "338734003058650768117569873538913139211", "48334840324752538220133656459956211134", "74219866353171461841539864830050274457", "222290197317652465409581001700111359761", "87089908589932915432556193581794380754", "54706185110868442096262177696595696279", "324607132481506265150981429704786906864", "136556778993816125910016875516885690619", "68342775054458916267650814659772342317", "303034744072508462164836128000890610502", "298561505625679081913440228746743709653", "244686149178940169759062632632814000223", "326167035501015315238203021377548683500", "199164574376375895138658068341247569159", "173622098562518735989600364692111324601", "8820646153323049783395416090839125310", "61786442267307842068128269464010653229", "184832951823819122292927511161264090234", "18208972824218449988403253158397327668" ] }, "id": "ASB-A-176444161-d38c61f9", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/7e4c587ae32aca644254fa206de5131553975f4b", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "221586211301701561923541131000659257682", "214302883976724642944160823531773350831", "228857402668709192371015871719057283554", "178009918267011045620188023231884283364", "240019402275460157740975095727168640207", "276498128064374268632420638483112505272", "137378813570596590094778362080755671176", "90106377484174975455564131918402057136", "246524809232248934677036880304414481783", "154143101464377361727192659246603798336", "260209376952421620784922819647176959460", "291141292063522259182343516414589168415", "162480651783845066865615586681150249582", "57312628845008765872537774812971030170" ] }, "id": "ASB-A-176444161-e14e8d49", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/7e4c587ae32aca644254fa206de5131553975f4b", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/hardware/interfaces/+/7e4c587ae32aca644254fa206de5131553975f4b" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 4251.0, "function_hash": "85000199984874211656487740661554914365" }, "id": "ASB-A-176444161-2175abe7", "source": "https://android.googlesource.com/platform/frameworks/av/+/7a398e7291b3da1c9b7c924d2301a749daedbd41", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp", "function": "CryptoPlugin::decrypt" }, "signature_type": "Function" }, { "digest": { "length": 233.0, "function_hash": "83804324151596417791924039404182904851" }, "id": "ASB-A-176444161-24e1e172", "source": "https://android.googlesource.com/platform/frameworks/av/+/7a398e7291b3da1c9b7c924d2301a749daedbd41", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp", "function": "CryptoPlugin::setSharedBufferBase" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "285432182521900766634600937648686519205", "311646540107077145865442442676019847568", "329698376950858297192832384173979819014", "146575468195616159124939044224128084244", "17228299505471295785036823491755842688", "94346791918600999099143623760642518438", "51927084357953575189127312641109951261", "198714713846547538751318032688264765306", "69912771190499630331467339225644523023", "329417660113387093181582154380534886800", "174697306043221093471911081739033742820" ] }, "id": "ASB-A-176444161-50a8ebe0", "source": "https://android.googlesource.com/platform/frameworks/av/+/7a398e7291b3da1c9b7c924d2301a749daedbd41", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "80650755198225489646155818328579013244", "214302883976724642944160823531773350831", "228857402668709192371015871719057283554", "216796585859875414685283691379126266480", "113695410270198154705969279197808309804", "184906685166711465071888600517307342760", "264298949911011163485260866338663751604", "182509013215656757272313039702013762214", "79868785389749169529183912015347522416" ] }, "id": "ASB-A-176444161-511bdc39", "source": "https://android.googlesource.com/platform/frameworks/av/+/7a398e7291b3da1c9b7c924d2301a749daedbd41", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/7a398e7291b3da1c9b7c924d2301a749daedbd41" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "338734003058650768117569873538913139211", "48334840324752538220133656459956211134", "74219866353171461841539864830050274457", "222290197317652465409581001700111359761", "87089908589932915432556193581794380754", "54706185110868442096262177696595696279", "324607132481506265150981429704786906864", "136556778993816125910016875516885690619", "68342775054458916267650814659772342317", "303034744072508462164836128000890610502", "298561505625679081913440228746743709653", "244686149178940169759062632632814000223", "326167035501015315238203021377548683500", "199164574376375895138658068341247569159", "173622098562518735989600364692111324601", "8820646153323049783395416090839125310", "61786442267307842068128269464010653229", "184832951823819122292927511161264090234", "18208972824218449988403253158397327668" ] }, "id": "ASB-A-176444161-48cf2f56", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/ae1c624ba44ccc43dc8371328a4b3caa017c0ff8", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.h" }, "signature_type": "Line" }, { "digest": { "length": 233.0, "function_hash": "83804324151596417791924039404182904851" }, "id": "ASB-A-176444161-74da0671", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/ae1c624ba44ccc43dc8371328a4b3caa017c0ff8", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp", "function": "CryptoPlugin::setSharedBufferBase" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "221586211301701561923541131000659257682", "214302883976724642944160823531773350831", "228857402668709192371015871719057283554", "178009918267011045620188023231884283364", "240019402275460157740975095727168640207", "276498128064374268632420638483112505272", "114433394657626372821910648266472716077", "291141292063522259182343516414589168415", "973311319970186573685297772982176662", "198449186455470176282285785883624712342" ] }, "id": "ASB-A-176444161-db5cc869", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/ae1c624ba44ccc43dc8371328a4b3caa017c0ff8", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/hardware/interfaces/+/ae1c624ba44ccc43dc8371328a4b3caa017c0ff8" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "80650755198225489646155818328579013244", "214302883976724642944160823531773350831", "228857402668709192371015871719057283554", "216796585859875414685283691379126266480", "133042071211530628408949559588741735994", "314602904450202568066777898281698976547", "264298949911011163485260866338663751604", "182509013215656757272313039702013762214", "79868785389749169529183912015347522416" ] }, "id": "ASB-A-176444161-1474451a", "source": "https://android.googlesource.com/platform/frameworks/av/+/abb7ad47b00ae158eded8813801345d91d2b2671", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp" }, "signature_type": "Line" }, { "digest": { "length": 233.0, "function_hash": "83804324151596417791924039404182904851" }, "id": "ASB-A-176444161-a5af56a1", "source": "https://android.googlesource.com/platform/frameworks/av/+/abb7ad47b00ae158eded8813801345d91d2b2671", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp", "function": "CryptoPlugin::setSharedBufferBase" }, "signature_type": "Function" }, { "digest": { "length": 4254.0, "function_hash": "289247886596900951187087052811627073121" }, "id": "ASB-A-176444161-a72f0b64", "source": "https://android.googlesource.com/platform/frameworks/av/+/abb7ad47b00ae158eded8813801345d91d2b2671", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp", "function": "CryptoPlugin::decrypt_1_2" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "239931648519675499196978260866577697191", "101128053027266173697275272088818991632", "329698376950858297192832384173979819014", "153117273229964002442024244984841189871", "193655110644763919988885454820860265412", "207649455538724743432156768924033261911", "299081592202751204780576662467884825169", "198714713846547538751318032688264765306", "69912771190499630331467339225644523023", "329417660113387093181582154380534886800", "174697306043221093471911081739033742820" ] }, "id": "ASB-A-176444161-e81042d4", "source": "https://android.googlesource.com/platform/frameworks/av/+/abb7ad47b00ae158eded8813801345d91d2b2671", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/abb7ad47b00ae158eded8813801345d91d2b2671" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "332590428842297416598272175294071262211", "112520708469331746017134768630155321874", "101135519993293756381725003488514858462", "178009918267011045620188023231884283364", "240019402275460157740975095727168640207", "276498128064374268632420638483112505272", "137378813570596590094778362080755671176", "90106377484174975455564131918402057136", "246524809232248934677036880304414481783", "154143101464377361727192659246603798336", "114433394657626372821910648266472716077", "291141292063522259182343516414589168415", "973311319970186573685297772982176662", "198449186455470176282285785883624712342" ] }, "id": "ASB-A-176444161-7b85c8cc", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/9fcd4886a3e1ccbc18acfadd84906400c9882eda", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "338734003058650768117569873538913139211", "48334840324752538220133656459956211134", "74219866353171461841539864830050274457", "222290197317652465409581001700111359761", "87089908589932915432556193581794380754", "54706185110868442096262177696595696279", "324607132481506265150981429704786906864", "136556778993816125910016875516885690619", "68342775054458916267650814659772342317", "303034744072508462164836128000890610502", "298561505625679081913440228746743709653", "244686149178940169759062632632814000223", "326167035501015315238203021377548683500", "199164574376375895138658068341247569159", "173622098562518735989600364692111324601", "8820646153323049783395416090839125310", "61786442267307842068128269464010653229", "184832951823819122292927511161264090234", "18208972824218449988403253158397327668" ] }, "id": "ASB-A-176444161-987653c8", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/9fcd4886a3e1ccbc18acfadd84906400c9882eda", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.h" }, "signature_type": "Line" }, { "digest": { "length": 173.0, "function_hash": "30327710380002908183031134057555754975" }, "id": "ASB-A-176444161-d93090f0", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/9fcd4886a3e1ccbc18acfadd84906400c9882eda", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp", "function": "CryptoPlugin::setSharedBufferBase" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/hardware/interfaces/+/9fcd4886a3e1ccbc18acfadd84906400c9882eda" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 233.0, "function_hash": "83804324151596417791924039404182904851" }, "id": "ASB-A-176444161-0f2d35ca", "source": "https://android.googlesource.com/platform/frameworks/av/+/79a6ffbdaf14cfbb597efd8545ba401f1da28a4f", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp", "function": "CryptoPlugin::setSharedBufferBase" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "239931648519675499196978260866577697191", "101128053027266173697275272088818991632", "329698376950858297192832384173979819014", "153117273229964002442024244984841189871", "193655110644763919988885454820860265412", "207649455538724743432156768924033261911", "299081592202751204780576662467884825169", "198714713846547538751318032688264765306", "69912771190499630331467339225644523023", "329417660113387093181582154380534886800", "174697306043221093471911081739033742820" ] }, "id": "ASB-A-176444161-1487fb69", "source": "https://android.googlesource.com/platform/frameworks/av/+/79a6ffbdaf14cfbb597efd8545ba401f1da28a4f", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "80650755198225489646155818328579013244", "214302883976724642944160823531773350831", "228857402668709192371015871719057283554", "216796585859875414685283691379126266480", "133042071211530628408949559588741735994", "314602904450202568066777898281698976547", "264298949911011163485260866338663751604", "182509013215656757272313039702013762214", "79868785389749169529183912015347522416" ] }, "id": "ASB-A-176444161-338a86ba", "source": "https://android.googlesource.com/platform/frameworks/av/+/79a6ffbdaf14cfbb597efd8545ba401f1da28a4f", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp" }, "signature_type": "Line" }, { "digest": { "length": 4254.0, "function_hash": "289247886596900951187087052811627073121" }, "id": "ASB-A-176444161-3afce157", "source": "https://android.googlesource.com/platform/frameworks/av/+/79a6ffbdaf14cfbb597efd8545ba401f1da28a4f", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp", "function": "CryptoPlugin::decrypt_1_2" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/79a6ffbdaf14cfbb597efd8545ba401f1da28a4f" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "338734003058650768117569873538913139211", "48334840324752538220133656459956211134", "74219866353171461841539864830050274457", "222290197317652465409581001700111359761", "87089908589932915432556193581794380754", "54706185110868442096262177696595696279", "324607132481506265150981429704786906864", "136556778993816125910016875516885690619", "68342775054458916267650814659772342317", "303034744072508462164836128000890610502", "298561505625679081913440228746743709653", "244686149178940169759062632632814000223", "326167035501015315238203021377548683500", "199164574376375895138658068341247569159", "173622098562518735989600364692111324601", "8820646153323049783395416090839125310", "61786442267307842068128269464010653229", "184832951823819122292927511161264090234", "18208972824218449988403253158397327668" ] }, "id": "ASB-A-176444161-19f693aa", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/a4e76aab230a565dd0cef11e2e6e2d782b685327", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "332590428842297416598272175294071262211", "112520708469331746017134768630155321874", "101135519993293756381725003488514858462", "178009918267011045620188023231884283364", "240019402275460157740975095727168640207", "276498128064374268632420638483112505272", "137378813570596590094778362080755671176", "90106377484174975455564131918402057136", "246524809232248934677036880304414481783", "154143101464377361727192659246603798336", "114433394657626372821910648266472716077", "291141292063522259182343516414589168415", "973311319970186573685297772982176662", "198449186455470176282285785883624712342" ] }, "id": "ASB-A-176444161-d4ae1cc4", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/a4e76aab230a565dd0cef11e2e6e2d782b685327", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp" }, "signature_type": "Line" }, { "digest": { "length": 173.0, "function_hash": "30327710380002908183031134057555754975" }, "id": "ASB-A-176444161-f327aa45", "source": "https://android.googlesource.com/platform/hardware/interfaces/+/a4e76aab230a565dd0cef11e2e6e2d782b685327", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/1.0/default/CryptoPlugin.cpp", "function": "CryptoPlugin::setSharedBufferBase" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/hardware/interfaces/+/a4e76aab230a565dd0cef11e2e6e2d782b685327" ], "spl": "2021-06-01", "severity": "High", "types": [ "EoP" ] }