ASB-A-184963385

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-184963385.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-184963385
Aliases
  • A-184963385
  • CVE-2021-0585
Published
2021-07-01T00:00:00Z
Modified
2024-08-07T19:29:07.143026Z
Summary
[HIDL] libfmq security bug - a client may cause misaligned store and/or buffer overrun
Details

In beginWrite and beginRead of MessageQueueBase.h, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/system/libfmq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.1:0
Fixed
8.1:2021-07-01

Affected versions

8.*

8.1

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "300022660320167551308862749013558626121",
                    "254649352422238151419608266615740997635",
                    "53657500343593482583714925289490764735",
                    "292970735981558875510801691438496921814",
                    "250292387344981924642512342354457729211",
                    "339156788682527144629979745978484334149",
                    "271850609831749251151038958195363888005",
                    "288871552498701704663384623211518767190",
                    "61593552060179744651164239855191336885",
                    "92802034542751339213119156295249367201",
                    "168538043508961032340963671571992798762",
                    "42247331127913660586074889430481403667",
                    "79088654464790524357252826744186188969",
                    "112624877699840080183006125848811958253",
                    "12429203616456136708920844482689329677",
                    "181592415355305386570539476014158765742",
                    "317687778973974435522516822096999496081",
                    "40910131920625444190999795801859453116",
                    "302802101381875735461446465709124607644",
                    "178979752920340011727083479353157198063",
                    "216928357803509634681769277560485086209",
                    "107310925987573623907065954361058072137"
                ]
            },
            "id": "ASB-A-184963385-0f71992c",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/3f308c6acfcb65f393edbd6116b22b533ef326b2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 789.0,
                "function_hash": "25814852906500043335487120437247780942"
            },
            "id": "ASB-A-184963385-287fbee7",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/3f308c6acfcb65f393edbd6116b22b533ef326b2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginRead"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 647.0,
                "function_hash": "1132215189128848320662267450900731733"
            },
            "id": "ASB-A-184963385-96422510",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/3f308c6acfcb65f393edbd6116b22b533ef326b2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginWrite"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "86464080605561577303249332346361936345",
                    "200842590254382353602991587513115428166",
                    "331990379976521815974052574618971388267"
                ]
            },
            "id": "ASB-A-184963385-cb25342e",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/3f308c6acfcb65f393edbd6116b22b533ef326b2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "tests/msgq_test_client.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/libfmq/+/3f308c6acfcb65f393edbd6116b22b533ef326b2"
    ],
    "spl": "2021-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/libfmq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9:0
Fixed
9:2021-07-01

Affected versions

Other

9

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 647.0,
                "function_hash": "1132215189128848320662267450900731733"
            },
            "id": "ASB-A-184963385-1ce32c61",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/c7d5f09188ed79704bcf740ec22a5f762ae3d941",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginWrite"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "300022660320167551308862749013558626121",
                    "254649352422238151419608266615740997635",
                    "53657500343593482583714925289490764735",
                    "292970735981558875510801691438496921814",
                    "250292387344981924642512342354457729211",
                    "339156788682527144629979745978484334149",
                    "271850609831749251151038958195363888005",
                    "288871552498701704663384623211518767190",
                    "61593552060179744651164239855191336885",
                    "92802034542751339213119156295249367201",
                    "168538043508961032340963671571992798762",
                    "42247331127913660586074889430481403667",
                    "79088654464790524357252826744186188969",
                    "112624877699840080183006125848811958253",
                    "12429203616456136708920844482689329677",
                    "181592415355305386570539476014158765742",
                    "317687778973974435522516822096999496081",
                    "40910131920625444190999795801859453116",
                    "302802101381875735461446465709124607644",
                    "178979752920340011727083479353157198063",
                    "216928357803509634681769277560485086209",
                    "107310925987573623907065954361058072137"
                ]
            },
            "id": "ASB-A-184963385-3b8caeb0",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/c7d5f09188ed79704bcf740ec22a5f762ae3d941",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 789.0,
                "function_hash": "25814852906500043335487120437247780942"
            },
            "id": "ASB-A-184963385-c77506cd",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/c7d5f09188ed79704bcf740ec22a5f762ae3d941",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginRead"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "86464080605561577303249332346361936345",
                    "200842590254382353602991587513115428166",
                    "331990379976521815974052574618971388267"
                ]
            },
            "id": "ASB-A-184963385-cd3a437b",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/c7d5f09188ed79704bcf740ec22a5f762ae3d941",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "tests/msgq_test_client.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/libfmq/+/c7d5f09188ed79704bcf740ec22a5f762ae3d941"
    ],
    "spl": "2021-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2021-07-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "match_only_versions": [
                "10"
            ],
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "320969485079306349290330415981021442138",
                    "15124061242647060976983700580520203911",
                    "57939858987354665103425629076016381741"
                ]
            },
            "id": "ASB-A-184963385-dd1f2afc",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/b0e09634903a73908b84361564215a79f1f6bdb1",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "media/bufferpool/2.0/BufferStatus.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/b0e09634903a73908b84361564215a79f1f6bdb1"
    ],
    "spl": "2021-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/libfmq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2021-07-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "227302126195856825414451364477443874828",
                    "247158300231320596903620852611188645202",
                    "300022660320167551308862749013558626121",
                    "254649352422238151419608266615740997635",
                    "53657500343593482583714925289490764735",
                    "292970735981558875510801691438496921814",
                    "250292387344981924642512342354457729211",
                    "339156788682527144629979745978484334149",
                    "271850609831749251151038958195363888005",
                    "288871552498701704663384623211518767190",
                    "61593552060179744651164239855191336885",
                    "92802034542751339213119156295249367201",
                    "168538043508961032340963671571992798762",
                    "42247331127913660586074889430481403667",
                    "79088654464790524357252826744186188969",
                    "112624877699840080183006125848811958253",
                    "12429203616456136708920844482689329677",
                    "181592415355305386570539476014158765742",
                    "317687778973974435522516822096999496081",
                    "40910131920625444190999795801859453116",
                    "302802101381875735461446465709124607644",
                    "178979752920340011727083479353157198063",
                    "216928357803509634681769277560485086209",
                    "107310925987573623907065954361058072137"
                ]
            },
            "id": "ASB-A-184963385-57eb5add",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4dfdd1b76d0c3dc95bf0cbc7fb815e7216fa1f94",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 789.0,
                "function_hash": "25814852906500043335487120437247780942"
            },
            "id": "ASB-A-184963385-8e061e22",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4dfdd1b76d0c3dc95bf0cbc7fb815e7216fa1f94",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginRead"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "304724205008051771174038391144772804717",
                    "9431047653358304405740597187304665060",
                    "330652359866260078959063697446346183067",
                    "63834971338319188425783480848334362287",
                    "86464080605561577303249332346361936345",
                    "200842590254382353602991587513115428166",
                    "331990379976521815974052574618971388267"
                ]
            },
            "id": "ASB-A-184963385-a79b1f2d",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4dfdd1b76d0c3dc95bf0cbc7fb815e7216fa1f94",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "tests/msgq_test_client.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 405.0,
                "function_hash": "213862884393298803354305101504209452764"
            },
            "id": "ASB-A-184963385-c98807db",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4dfdd1b76d0c3dc95bf0cbc7fb815e7216fa1f94",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "tests/msgq_test_client.cpp",
                "function": "SetUp"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 647.0,
                "function_hash": "1132215189128848320662267450900731733"
            },
            "id": "ASB-A-184963385-d8febe24",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4dfdd1b76d0c3dc95bf0cbc7fb815e7216fa1f94",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginWrite"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/libfmq/+/4dfdd1b76d0c3dc95bf0cbc7fb815e7216fa1f94"
    ],
    "spl": "2021-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/libfmq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2021-07-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "300022660320167551308862749013558626121",
                    "254649352422238151419608266615740997635",
                    "53657500343593482583714925289490764735",
                    "292970735981558875510801691438496921814",
                    "250292387344981924642512342354457729211",
                    "339156788682527144629979745978484334149",
                    "271850609831749251151038958195363888005",
                    "288871552498701704663384623211518767190",
                    "61593552060179744651164239855191336885",
                    "92802034542751339213119156295249367201",
                    "168538043508961032340963671571992798762",
                    "42247331127913660586074889430481403667",
                    "79088654464790524357252826744186188969",
                    "112624877699840080183006125848811958253",
                    "12429203616456136708920844482689329677",
                    "181592415355305386570539476014158765742",
                    "317687778973974435522516822096999496081",
                    "40910131920625444190999795801859453116",
                    "302802101381875735461446465709124607644",
                    "178979752920340011727083479353157198063",
                    "216928357803509634681769277560485086209",
                    "107310925987573623907065954361058072137"
                ]
            },
            "id": "ASB-A-184963385-11190517",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4ed31d5a6c5c48a2f9fc3e812600093f81c33d27",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 789.0,
                "function_hash": "25814852906500043335487120437247780942"
            },
            "id": "ASB-A-184963385-1183c25b",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4ed31d5a6c5c48a2f9fc3e812600093f81c33d27",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginRead"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 405.0,
                "function_hash": "213862884393298803354305101504209452764"
            },
            "id": "ASB-A-184963385-68b4fc85",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4ed31d5a6c5c48a2f9fc3e812600093f81c33d27",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "tests/msgq_test_client.cpp",
                "function": "SetUp"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "304724205008051771174038391144772804717",
                    "9431047653358304405740597187304665060",
                    "330652359866260078959063697446346183067",
                    "63834971338319188425783480848334362287",
                    "86464080605561577303249332346361936345",
                    "200842590254382353602991587513115428166",
                    "331990379976521815974052574618971388267"
                ]
            },
            "id": "ASB-A-184963385-c013d075",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4ed31d5a6c5c48a2f9fc3e812600093f81c33d27",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "tests/msgq_test_client.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 647.0,
                "function_hash": "1132215189128848320662267450900731733"
            },
            "id": "ASB-A-184963385-fe2e0e51",
            "source": "https://android.googlesource.com/platform/system/libfmq/+/4ed31d5a6c5c48a2f9fc3e812600093f81c33d27",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/fmq/MessageQueue.h",
                "function": "beginWrite"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/libfmq/+/4ed31d5a6c5c48a2f9fc3e812600093f81c33d27"
    ],
    "spl": "2021-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}