In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "333206736053784449997950458316207344618", "177501676282529422575091223791797187624", "195623526685068679907378400787276389162", "8793843408600877299954437603954247770", "227176187817627969131496652035734614052", "292822901749107478384115330747627590133", "33476972354651022683635018391521878750", "199448010274548126106604302597564977362", "16410069294663650241074469509424729034", "3427055710480261165322600908100880180", "34684988134253483853347573803248605069", "285222174706486376030386267210185218243", "206908798015865156358514396576575361238", "116160001774032930655826964205071309215", "190860459215093907816863412950412546964", "154243755782907292700055415175132763430", "109204748140482433149491213881790762911", "76410927641618677596252496532218979994", "38541416400708422052910691037617107863" ] }, "id": "ASB-A-176801033-1d9c6ed1", "source": "https://android.googlesource.com/platform/frameworks/base/+/26a90c2b820ba40755f9c28efaad2173133868b5", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/LockTaskController.java" }, "signature_type": "Line" }, { "digest": { "length": 343.0, "function_hash": "201055512508727973607262584861113119280" }, "id": "ASB-A-176801033-62b46a74", "source": "https://android.googlesource.com/platform/frameworks/base/+/26a90c2b820ba40755f9c28efaad2173133868b5", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/LockTaskController.java", "function": "shouldLockKeyguard" }, "signature_type": "Function" }, { "digest": { "length": 166.0, "function_hash": "108825034237750492749678710967939808094" }, "id": "ASB-A-176801033-6f673b72", "source": "https://android.googlesource.com/platform/frameworks/base/+/26a90c2b820ba40755f9c28efaad2173133868b5", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/LockTaskController.java", "function": "lockKeyguardIfNeeded" }, "signature_type": "Function" }, { "digest": { "length": 540.0, "function_hash": "103792366027275352106326334034155196847" }, "id": "ASB-A-176801033-ce990c1a", "source": "https://android.googlesource.com/platform/frameworks/base/+/26a90c2b820ba40755f9c28efaad2173133868b5", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/LockTaskController.java", "function": "performStopLockTask" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/26a90c2b820ba40755f9c28efaad2173133868b5" ], "spl": "2021-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 343.0, "function_hash": "201055512508727973607262584861113119280" }, "id": "ASB-A-176801033-0965656c", "source": "https://android.googlesource.com/platform/frameworks/base/+/bb4eded37926916f8f9c45dede6bc6315cf15b18", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java", "function": "shouldLockKeyguard" }, "signature_type": "Function" }, { "digest": { "length": 166.0, "function_hash": "108825034237750492749678710967939808094" }, "id": "ASB-A-176801033-12172b95", "source": "https://android.googlesource.com/platform/frameworks/base/+/bb4eded37926916f8f9c45dede6bc6315cf15b18", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java", "function": "lockKeyguardIfNeeded" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "333206736053784449997950458316207344618", "177501676282529422575091223791797187624", "195623526685068679907378400787276389162", "8793843408600877299954437603954247770", "157724621926064235821062892275194029529", "292822901749107478384115330747627590133", "33476972354651022683635018391521878750", "199448010274548126106604302597564977362", "16410069294663650241074469509424729034", "3427055710480261165322600908100880180", "34684988134253483853347573803248605069", "285222174706486376030386267210185218243", "206908798015865156358514396576575361238", "116160001774032930655826964205071309215", "190860459215093907816863412950412546964", "154243755782907292700055415175132763430", "109204748140482433149491213881790762911", "76410927641618677596252496532218979994", "38541416400708422052910691037617107863" ] }, "id": "ASB-A-176801033-57ae3c31", "source": "https://android.googlesource.com/platform/frameworks/base/+/bb4eded37926916f8f9c45dede6bc6315cf15b18", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java" }, "signature_type": "Line" }, { "digest": { "length": 540.0, "function_hash": "103792366027275352106326334034155196847" }, "id": "ASB-A-176801033-caad4831", "source": "https://android.googlesource.com/platform/frameworks/base/+/bb4eded37926916f8f9c45dede6bc6315cf15b18", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java", "function": "performStopLockTask" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/bb4eded37926916f8f9c45dede6bc6315cf15b18" ], "spl": "2021-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 534.0, "function_hash": "283440389493530536439999781748583463681" }, "id": "ASB-A-176801033-30d5f371", "source": "https://android.googlesource.com/platform/frameworks/base/+/7a974a5468b8760daeae1890a9c8c52eeed19d87", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java", "function": "performStopLockTask" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "28263170677722799021350252788901767036", "260414619764934154283058983224203389993", "220200691912143438853125641529135494693", "8793843408600877299954437603954247770", "157724621926064235821062892275194029529", "292822901749107478384115330747627590133", "33476972354651022683635018391521878750", "199448010274548126106604302597564977362", "16410069294663650241074469509424729034", "3427055710480261165322600908100880180", "34684988134253483853347573803248605069", "285222174706486376030386267210185218243", "206908798015865156358514396576575361238", "116160001774032930655826964205071309215", "190860459215093907816863412950412546964", "154243755782907292700055415175132763430", "109204748140482433149491213881790762911", "76410927641618677596252496532218979994", "38541416400708422052910691037617107863" ] }, "id": "ASB-A-176801033-57cc0444", "source": "https://android.googlesource.com/platform/frameworks/base/+/7a974a5468b8760daeae1890a9c8c52eeed19d87", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java" }, "signature_type": "Line" }, { "digest": { "length": 343.0, "function_hash": "201055512508727973607262584861113119280" }, "id": "ASB-A-176801033-d89fc19e", "source": "https://android.googlesource.com/platform/frameworks/base/+/7a974a5468b8760daeae1890a9c8c52eeed19d87", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java", "function": "shouldLockKeyguard" }, "signature_type": "Function" }, { "digest": { "length": 166.0, "function_hash": "108825034237750492749678710967939808094" }, "id": "ASB-A-176801033-e2bbce40", "source": "https://android.googlesource.com/platform/frameworks/base/+/7a974a5468b8760daeae1890a9c8c52eeed19d87", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/LockTaskController.java", "function": "lockKeyguardIfNeeded" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/7a974a5468b8760daeae1890a9c8c52eeed19d87" ], "spl": "2021-05-01", "severity": "High", "types": [ "EoP" ] }