In createPresentationContext of Presentation.java, there is a possible way to start a foreground activity from background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "29840440586258169693462454076158925556", "213396486038452831278377549094169843602", "228445899389099079593691071735995055390", "251578245069968599296638591181347011752", "333900397814330802755872188782388426748", "73164140829396596013584142068435983733", "57908055369602442342969322100064423101", "322529904216023784252135970667632781390", "9750100643542470922863240679374362718", "333122694766293271160191850213446839841", "75798385379077713637207440080716134025" ] }, "id": "ASB-A-205130886-20dedc0b", "source": "https://android.googlesource.com/platform/frameworks/base/+/c97296e9d9d2bad7bdd2d34c9428ba5f092fa8c1", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootWindowContainer.java" }, "signature_type": "Line" }, { "digest": { "length": 199.0, "function_hash": "118031723022519068736264188622598971298" }, "id": "ASB-A-205130886-adba426d", "source": "https://android.googlesource.com/platform/frameworks/base/+/c97296e9d9d2bad7bdd2d34c9428ba5f092fa8c1", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/RootWindowContainer.java", "function": "isAnyNonToastWindowVisibleForUid" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/c97296e9d9d2bad7bdd2d34c9428ba5f092fa8c1" ], "spl": "2022-10-01", "severity": "Moderate", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 105.0, "function_hash": "309892185118692997003263110580644362314" }, "id": "ASB-A-205130886-353bac28", "source": "https://android.googlesource.com/platform/frameworks/base/+/778191bdf21661b41030f9308e095c0445dec33c", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/WindowState.java", "function": "isNonToastOrStarting" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "10313335488045220910035931167300170355", "261372803265082561517492750361881604635", "278399851811985462604047126646984147638", "75641407910770251937695312410220914176", "50169372483916373397872568910188853356", "99847271758102256908039258320305980609", "206496492593111140008101430373728818789", "295136802722067114420916440743897339347", "327629897799297319038583944539384123633", "121227489019215725058657148439372717846", "170590786134876909076710201705065516382" ] }, "id": "ASB-A-205130886-fb44b63e", "source": "https://android.googlesource.com/platform/frameworks/base/+/778191bdf21661b41030f9308e095c0445dec33c", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/WindowState.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/778191bdf21661b41030f9308e095c0445dec33c" ], "spl": "2022-10-01", "severity": "Moderate", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "332816131073195698316323346625055011373", "248018738654998027143918272432072286269", "171592344151606292867477664931624942558", "94859399021469200881821990861703741625" ] }, "id": "ASB-A-205130886-14eb8a35", "source": "https://android.googlesource.com/platform/frameworks/base/+/88e98e0a853f7530d61aab13dea2bfc9792e3f32", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/WindowState.java" }, "signature_type": "Line" }, { "digest": { "length": 520.0, "function_hash": "237856969500410895529135917091395492974" }, "id": "ASB-A-205130886-7363d6c3", "source": "https://android.googlesource.com/platform/frameworks/base/+/88e98e0a853f7530d61aab13dea2bfc9792e3f32", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/WindowState.java", "function": "onSurfaceShownChanged" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/88e98e0a853f7530d61aab13dea2bfc9792e3f32" ], "spl": "2022-10-01", "severity": "Moderate", "types": [ "EoP" ] }