In updatePackageMappingsData of UsageStatsService.java, there is a possible way to bypass security and privacy settings of app usage due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "161288774986468459565598269355725474126", "329396616622648099673251094480453682320", "82919312261015283337183742791808614994", "284289165421573062469083324324379657460" ] }, "id": "ASB-A-197399948-263482e7", "source": "https://android.googlesource.com/platform/frameworks/base/+/b5fa0a6c5e96c420c1f6d808be603c4579f9a1ba", "deprecated": false, "signature_version": "v1", "target": { "file": "services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "295747577431459138783214723720080232905", "284102654686353315162191421088996306752", "205811105208257373080435321540328406603", "24006742917773354257830731092932731825" ] }, "id": "ASB-A-197399948-319aceca", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 548.0, "function_hash": "64069718129752272757733867112281767204" }, "id": "ASB-A-197399948-492d3891", "source": "https://android.googlesource.com/platform/frameworks/base/+/b5fa0a6c5e96c420c1f6d808be603c4579f9a1ba", "deprecated": false, "signature_version": "v1", "target": { "file": "services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java", "function": "getProfileOwnerOrDeviceOwnerSupervisionComponent" }, "signature_type": "Function" }, { "digest": { "length": 1078.0, "function_hash": "50669996759498033534389717371549312843" }, "id": "ASB-A-197399948-6fb884aa", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "onUserUnlocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "15739382261802027219805524109958553171", "83055523982731680864442203307070783829", "249381843647272814530559664511844422731", "143445173573346503148343587426827100370", "225465234577136177189757495045717378526", "226899043618569941573107987308122350282", "51983829634456079565805743014984841708", "244849471679284245038178134250138285525", "218820991025253401821410482186891620670", "331949163597479799158265316572296283876", "39186085366517114522806795243763238682", "15633697030816666283926675216609553680", "228090997483910925565025739251462788499", "197745402981386281872755660143205306586", "239363138978407201000673741134613025674", "256963025264698054208211999444657656656", "31315585709597617104668309672027895373", "106201848419137870731740730809753017104", "267364722753785665518956730195524321916", "99564816612558946276983966100947043631", "300474009991802540557028093826625215306", "322468563243676142441922248531886555564", "211940618594829629862818398484546639629", "416264071013621142915355892345999272", "243716861918668127527609794798764688213", "273720738432000563901986357892796216409", "60942699856907583210476725975665242144", "171733751866352277524439972633375272027", "302855100772343148077561813406514953986", "79889171199037347484830656693083135322" ] }, "id": "ASB-A-197399948-79139123", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "336200022059160673240919356441507459810", "36906959071589781806062529309887947352", "233643822989951525812035392603806752462", "166409102187358587779608842692043076865" ] }, "id": "ASB-A-197399948-887a32b5", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/app/admin/DevicePolicyManagerInternal.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "294000136547875564545556699428084151041", "211297050413554240476058039634847173079", "143313904946101124634068262691300295460", "255571295653408443153054036156108007627", "334925152493268290078990351438316343278", "213753662072708839768878308899966299679", "28955006826260217234658032458366402310", "265849404837441911542066898713137355573", "248196663749833259145235904742724346881", "105752448507465380360905222333222051508", "109576485519562356834803063396979496656" ] }, "id": "ASB-A-197399948-957ff780", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UserUsageStatsService.java" }, "signature_type": "Line" }, { "digest": { "length": 336.0, "function_hash": "102687475184540260045167994145509247762" }, "id": "ASB-A-197399948-a1b312bc", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "updatePackageMappingsData" }, "signature_type": "Function" }, { "digest": { "length": 173.0, "function_hash": "221615865002871341262882931611708328409" }, "id": "ASB-A-197399948-a665c563", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "onPackageRemoved" }, "signature_type": "Function" }, { "digest": { "length": 129.0, "function_hash": "281705368494756598023915314414454137099" }, "id": "ASB-A-197399948-aaa12215", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UserUsageStatsService.java", "function": "readPackageMappingsLocked" }, "signature_type": "Function" }, { "digest": { "length": 1030.0, "function_hash": "126774655612492578839911798546135594086" }, "id": "ASB-A-197399948-df25a0a0", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UserUsageStatsService.java", "function": "init" }, "signature_type": "Function" }, { "digest": { "length": 559.0, "function_hash": "43948881933829829712620205739512579887" }, "id": "ASB-A-197399948-e27a7867", "source": "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "initializeUserUsageStatsServiceLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/d95ce6779da8410c5835385cb5785fb5b3a51d83", "https://android.googlesource.com/platform/frameworks/base/+/b5fa0a6c5e96c420c1f6d808be603c4579f9a1ba" ], "spl": "2022-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 173.0, "function_hash": "221615865002871341262882931611708328409" }, "id": "ASB-A-197399948-034f8b90", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "onPackageRemoved" }, "signature_type": "Function" }, { "digest": { "length": 129.0, "function_hash": "281705368494756598023915314414454137099" }, "id": "ASB-A-197399948-4b90d552", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UserUsageStatsService.java", "function": "readPackageMappingsLocked" }, "signature_type": "Function" }, { "digest": { "length": 1030.0, "function_hash": "126774655612492578839911798546135594086" }, "id": "ASB-A-197399948-50313b31", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UserUsageStatsService.java", "function": "init" }, "signature_type": "Function" }, { "digest": { "length": 559.0, "function_hash": "43948881933829829712620205739512579887" }, "id": "ASB-A-197399948-56f35fea", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "initializeUserUsageStatsServiceLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "223646346993315910025240562215812420112", "110703602815063758305781773348771812583", "162588307292105271166375227178807872428", "220240408338143051924735606130638831438" ] }, "id": "ASB-A-197399948-5e7a2dcd", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/app/admin/DevicePolicyManagerInternal.java" }, "signature_type": "Line" }, { "digest": { "length": 1071.0, "function_hash": "267254102727102143179115606751468653269" }, "id": "ASB-A-197399948-776a0c56", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "onUserUnlocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "294000136547875564545556699428084151041", "211297050413554240476058039634847173079", "143313904946101124634068262691300295460", "255571295653408443153054036156108007627", "334925152493268290078990351438316343278", "213753662072708839768878308899966299679", "28955006826260217234658032458366402310", "265849404837441911542066898713137355573", "248196663749833259145235904742724346881", "105752448507465380360905222333222051508", "109576485519562356834803063396979496656" ] }, "id": "ASB-A-197399948-8683d7a6", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UserUsageStatsService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "295747577431459138783214723720080232905", "280439223326171210138082892347267803714", "57239724231739173197057376658607875646", "168335576442741944574395425002770237373" ] }, "id": "ASB-A-197399948-8f282f12", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 336.0, "function_hash": "102687475184540260045167994145509247762" }, "id": "ASB-A-197399948-b21db239", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java", "function": "updatePackageMappingsData" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "15739382261802027219805524109958553171", "83055523982731680864442203307070783829", "221589340389745726470519205209280265657", "101513283102489886137992453619082761320", "225465234577136177189757495045717378526", "210564825910831840877352262484962317423", "106433831250179573380334664304378785811", "168111487789716588099930351368084743894", "218820991025253401821410482186891620670", "331949163597479799158265316572296283876", "39186085366517114522806795243763238682", "15633697030816666283926675216609553680", "228090997483910925565025739251462788499", "197745402981386281872755660143205306586", "239363138978407201000673741134613025674", "256963025264698054208211999444657656656", "31315585709597617104668309672027895373", "106201848419137870731740730809753017104", "267364722753785665518956730195524321916", "99564816612558946276983966100947043631", "300474009991802540557028093826625215306", "152884693162892210560404995673133831473", "256401372802382245587432424746463345892", "416264071013621142915355892345999272", "243716861918668127527609794798764688213", "273720738432000563901986357892796216409", "60942699856907583210476725975665242144", "171733751866352277524439972633375272027", "302855100772343148077561813406514953986", "79889171199037347484830656693083135322" ] }, "id": "ASB-A-197399948-eb5123cd", "source": "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936", "deprecated": false, "signature_version": "v1", "target": { "file": "services/usage/java/com/android/server/usage/UsageStatsService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/157fbcfbe4b38075391aef5b4977d45702a06936" ], "spl": "2022-02-01", "severity": "High", "types": [ "EoP" ] }