In btadmremovedevice of btadm_act.cc, there is a possible way for a BT device to receive a long term trackable identifier due to a permissions bypass. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1391.0, "function_hash": "204128558517839783709342432677193717800" }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-07219777", "signature_version": "v1", "target": { "file": "system/stack/btm/btm_ble.cc", "function": "BTM_SecAddBleDevice" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "199206825782937533551232365465509237488", "162245554832253266569229758359919054331", "280030943942912715544861231547488220574", "155255626714929324460461619589788156528", "264401400468715934409769089728700952309" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-0a0872ac", "signature_version": "v1", "target": { "file": "system/main/shim/btm_api.cc" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "260936490031339040683130593933517257275", "142743158119496288073265439736713886406", "188589391039302863625916775189577302274", "155463368691050041105339485083081990294", "229160748354944167482380962272175182743", "162657397244421107928627160758940443039", "257697859005223496457159838491246062530", "162486628185525773140348330155282810004", "317497588349573823019090169373617671224", "197678382699566474924671531412288140688" ] }, "id": "ASB-A-195410559-37e74eb6", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/3baf1d6fa2b80197fcc278d1d29c6074065e2442", "deprecated": false, "signature_version": "v1", "target": { "file": "system/gd/hci/le_address_manager.cc" }, "signature_type": "Line" }, { "digest": { "length": 1006.0, "function_hash": "332927922331889009813032357513302530237" }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-431d4820", "signature_version": "v1", "target": { "file": "system/btif/src/btif_storage.cc", "function": "btif_storage_remove_bonded_device" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "283215450931985692815317944119360594934", "98561674356244519414908117415864229665", "196466217318339078374083905982701418165" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-566d4af0", "signature_version": "v1", "target": { "file": "system/main/shim/btm_api.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "212104014143301240330176764803906409125" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-6910fcef", "signature_version": "v1", "target": { "file": "system/bta/include/bta_api.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "217706887452652472909775799195184585659", "7413942047572543896195629930365817592", "143537988801541637952581949278506558881", "323341362230084706548388200360759367615", "261618727826124143324747606791276122809", "339386986367096452091942807039990993199", "208763730366055677015352948191630266856", "163781212640301891480969981281341344157", "290682634017117684825497209117873732275", "115531431836093978842194200567957948577", "115851880353199921188587569505730705468", "52585866118260948952531862372656901954", "160798343641663998493326803533422203730", "154500535300184373852153271987818294151", "263326579416680049729673121835394243727" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-84a1216e", "signature_version": "v1", "target": { "file": "system/stack/btm/btm_ble.cc" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "209944026445026882928906945429570963289", "119452501415360073250969970596661204495", "201134992658573217646305852494410693434", "307256859096279817457550280125541939729", "261076564696789657766348420242188411860", "207121853597581238286813107587853561282", "226363678236170877304258953624902987949", "12839450872721808140407113564531235048" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-86c5c50e", "signature_version": "v1", "target": { "file": "system/btif/src/btif_storage.cc" }, "signature_type": "Line" }, { "digest": { "length": 2110.0, "function_hash": "308825382279477027343673241009001519043" }, "id": "ASB-A-195410559-8d715306", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/3baf1d6fa2b80197fcc278d1d29c6074065e2442", "deprecated": false, "signature_version": "v1", "target": { "file": "system/gd/hci/le_address_manager.cc", "function": "LeAddressManager::SetPrivacyPolicyForInitiatorAddress" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "103695966746884301387509814432171521491", "138848410630616513536117343280635902826", "163233651498112236928217491260275814154" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-badf92db", "signature_version": "v1", "target": { "file": "system/bta/dm/bta_dm_int.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "266840716145634852173576008353515407843", "198209986249736171376744745771636965591", "61027019719815398523533801771240725545", "15838550506692246751299107070564602772", "136286208237603093245537361731500968722", "68697064061280841865148834094333747637", "270150413080094228112759586897907511981", "145305823701625950690334138576431346288", "338828588760667391774491374865979683125", "102610417065177397422584866016522791825", "59977367531333076293400756494798240797" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-ca1a4a60", "signature_version": "v1", "target": { "file": "system/bta/dm/bta_dm_act.cc" }, "signature_type": "Line" }, { "digest": { "length": 611.0, "function_hash": "164192346293583884789519873400759218869" }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-ca42779c", "signature_version": "v1", "target": { "file": "system/stack/btm/btm_ble.cc", "function": "btm_ble_reset_id_impl" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "322565623498743490708868610314787224027", "36794438819106040518089597001241498838", "85546890152735325090817608062361500791", "128836914221072246986567779208890253401" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-ce709d53", "signature_version": "v1", "target": { "file": "system/gd/hci/le_address_manager.cc" }, "signature_type": "Line" }, { "digest": { "length": 1470.0, "function_hash": "53644348137777810034779084800532630437" }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-d3edd033", "signature_version": "v1", "target": { "file": "system/bta/dm/bta_dm_act.cc", "function": "bta_dm_remove_device" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "131718699226223782084585985844258401753", "81920284495245439270987233131687053428", "180825386225943766978298971936126813276" ] }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-ebbb1e3f", "signature_version": "v1", "target": { "file": "system/test/mock/mock_bta_dm_act.h" }, "signature_type": "Line" }, { "digest": { "length": 1886.0, "function_hash": "155691105060646540724183956370465455491" }, "exact_target_file_match_only": true, "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "deprecated": false, "id": "ASB-A-195410559-ebeba30e", "signature_version": "v1", "target": { "file": "system/gd/hci/le_address_manager.cc", "function": "LeAddressManager::SetPrivacyPolicyForInitiatorAddress" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4aa35adf8ed2e06a3d1273c18d3a3561644e0a4", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/3baf1d6fa2b80197fcc278d1d29c6074065e2442" ], "spl": "2022-10-01", "severity": "High", "types": [ "ID" ] }