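In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile after logging in without entering the profile PIN. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The signature records below target lockAllProfileTasks and taskTopActivityIsUser not only in RootWindowContainer.java but also in ActivityStackSupervisor.java and RootActivityContainer.java, so when checking whether a source tree carries one of the listed fixes, look for these functions in whichever of the three files that tree contains.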
{ "vanir_signatures": [ { "digest": { "length": 517.0, "function_hash": "4855660856436123241304781519529490434" }, "id": "ASB-A-177457096-0067f0ad", "source": "https://android.googlesource.com/platform/frameworks/base/+/6820d70823930954b723ca39fbf89f17aa0109c6", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityStackSupervisor.java", "function": "lockAllProfileTasks" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "192021737400672581641877270999405955725", "73039071290688540158633706206515042375", "309147559616821396789038788992723499278", "191292089719603674539437026468541110724", "174942005298795483561693119114168326621", "311084688386051237094816269953689530313", "272818894994611499796695465280385669736", "179334390174804467717923809511567435591", "178347891408941180451978005556940645786", "184195054321348536997654599256706143098", "252038425751093344002264801221853138186", "175347488161030038103667662572948330309", "197660204161345488301537482785693718230", "249716824330701332574864819688621863398", "212054920075722885839979283448764644250" ] }, "id": "ASB-A-177457096-4b0a9d01", "source": "https://android.googlesource.com/platform/frameworks/base/+/6820d70823930954b723ca39fbf89f17aa0109c6", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityStackSupervisor.java" }, "signature_type": "Line" }, { "digest": { "length": 248.0, "function_hash": "254864912248281800225588637663947126537" }, "id": "ASB-A-177457096-fcd63147", "source": "https://android.googlesource.com/platform/frameworks/base/+/6820d70823930954b723ca39fbf89f17aa0109c6", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityStackSupervisor.java", "function": "taskTopActivityIsUser" }, "signature_type": "Function" } ], "fixes": [ 
"https://android.googlesource.com/platform/frameworks/base/+/6820d70823930954b723ca39fbf89f17aa0109c6" ], "spl": "2021-09-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 248.0, "function_hash": "254864912248281800225588637663947126537" }, "id": "ASB-A-177457096-1e447b31", "source": "https://android.googlesource.com/platform/frameworks/base/+/fe5e1432cf1647373a2975435cae4158ba2ebd03", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityStackSupervisor.java", "function": "taskTopActivityIsUser" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "192021737400672581641877270999405955725", "73039071290688540158633706206515042375", "309147559616821396789038788992723499278", "191292089719603674539437026468541110724", "174942005298795483561693119114168326621", "311084688386051237094816269953689530313", "272818894994611499796695465280385669736", "179334390174804467717923809511567435591", "178347891408941180451978005556940645786", "277604412646177940353340369730520052400", "252038425751093344002264801221853138186", "175347488161030038103667662572948330309", "197660204161345488301537482785693718230", "249716824330701332574864819688621863398", "212054920075722885839979283448764644250" ] }, "id": "ASB-A-177457096-2b84d44f", "source": "https://android.googlesource.com/platform/frameworks/base/+/fe5e1432cf1647373a2975435cae4158ba2ebd03", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityStackSupervisor.java" }, "signature_type": "Line" }, { "digest": { "length": 646.0, "function_hash": "339274192225462572348193069616623486570" }, "id": "ASB-A-177457096-3d755559", "source": "https://android.googlesource.com/platform/frameworks/base/+/fe5e1432cf1647373a2975435cae4158ba2ebd03", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityStackSupervisor.java", "function": "lockAllProfileTasks" }, "signature_type": "Function" } ], "fixes": [ 
"https://android.googlesource.com/platform/frameworks/base/+/fe5e1432cf1647373a2975435cae4158ba2ebd03" ], "spl": "2021-09-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "277604412646177940353340369730520052400", "146123511346353839392675505738622529471", "56808386686108766007323114508731096094", "15950608285462239719192515684328958268", "288674534050683282514606313066472544942", "212054920075722885839979283448764644250", "189282877040415916113989760883631061690", "30237743271805077684537835321420641464", "309147559616821396789038788992723499278", "268870487079026157212061959671592979289", "295735312026024789925978890156378769431", "139771212460742327347197770675747411135", "313545061541229314322064863511266081237", "82420105320242612538086852712487443963", "233606178683804348312329066232267120186" ] }, "id": "ASB-A-177457096-1618f294", "source": "https://android.googlesource.com/platform/frameworks/base/+/69b3a3cd046265165699cce5ba7919dad82f95dc", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootActivityContainer.java" }, "signature_type": "Line" }, { "digest": { "length": 625.0, "function_hash": "163650862148104871237549214065846493089" }, "id": "ASB-A-177457096-25ca9813", "source": "https://android.googlesource.com/platform/frameworks/base/+/69b3a3cd046265165699cce5ba7919dad82f95dc", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootActivityContainer.java", "function": "lockAllProfileTasks" }, "signature_type": "Function" }, { "digest": { "length": 252.0, "function_hash": "9648489986748666073639995239133248570" }, "id": "ASB-A-177457096-3cbca619", "source": "https://android.googlesource.com/platform/frameworks/base/+/69b3a3cd046265165699cce5ba7919dad82f95dc", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootActivityContainer.java", "function": "taskTopActivityIsUser" }, "signature_type": "Function" } ], "fixes": [ 
"https://android.googlesource.com/platform/frameworks/base/+/69b3a3cd046265165699cce5ba7919dad82f95dc" ], "spl": "2021-09-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 321.0, "function_hash": "185895161836423113035887623365041844040" }, "id": "ASB-A-177457096-1dcbd078", "source": "https://android.googlesource.com/platform/frameworks/base/+/499234d859d4a12a0856951b71ebf57015913ffa", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootWindowContainer.java", "function": "lockAllProfileTasks" }, "signature_type": "Function" }, { "digest": { "length": 317.0, "function_hash": "185279748318193687508660551856617094769" }, "id": "ASB-A-177457096-3423934d", "source": "https://android.googlesource.com/platform/frameworks/base/+/27a2a5f986286f0d5c6e77255ab372cb8e3c1ee2", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootWindowContainer.java", "function": "lockAllProfileTasks" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "319608302694632907987015588302028173500", "71104645019518032852234958660540256913", "39084522148782807022073402604275156885", "274500282555431043407044120150719225023", "101000517727186249794777501689120986493", "164720539729702487821169671738632815799" ] }, "id": "ASB-A-177457096-7bb69fde", "source": "https://android.googlesource.com/platform/frameworks/base/+/499234d859d4a12a0856951b71ebf57015913ffa", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootWindowContainer.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "6762681846288472724534545145394328814", "296154101629914364746059458676721331263", "153346612157339284077856995674896544154", "46896822558337203880620434730346038424", "170777066521450703429607142552320466338", "81542952029366208062690531367598471464", "50460310744535150821030270168936316437", "181441755685569856279120290215320893655", "160957180412488600639850327574641904612", 
"36444319916529994402205714998780777869", "26752043797441743126965748206169588068", "159812801165570696198462748537071251706", "10109517777115667435630484410620411345", "217539346545856158404423193175634561395", "327179519301917169643766698126779751664", "20921838778528004006836252599907107467", "251464589380188636569400445173535578516", "328889437993415541037793802502407387391", "177771744446488315553661449576976055593", "10801729857621772858429441003938545952", "257922284721193446386592634453704648532", "235659630788916977802180541881589843374", "110205745882659660246278947459087055740", "114572191128365493447633417077947796392" ] }, "id": "ASB-A-177457096-82003137", "source": "https://android.googlesource.com/platform/frameworks/base/+/27a2a5f986286f0d5c6e77255ab372cb8e3c1ee2", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootWindowContainer.java" }, "signature_type": "Line" }, { "digest": { "length": 319.0, "function_hash": "59580655210471875483611790500128974108" }, "id": "ASB-A-177457096-fa7c0fd5", "source": "https://android.googlesource.com/platform/frameworks/base/+/27a2a5f986286f0d5c6e77255ab372cb8e3c1ee2", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootWindowContainer.java", "function": "taskTopActivityIsUser" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/27a2a5f986286f0d5c6e77255ab372cb8e3c1ee2", "https://android.googlesource.com/platform/frameworks/base/+/499234d859d4a12a0856951b71ebf57015913ffa" ], "spl": "2021-09-01", "severity": "High", "types": [ "EoP" ] }