In onUidStateChanged of AppOpsService.java, there is a possible way to access location without a visible indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1235.0, "function_hash": "315538145376716360253371471486438683231" }, "id": "ASB-A-208662370-acba7904", "source": "https://android.googlesource.com/platform/frameworks/base/+/f14e212d82b32053d151eedf97ac59a4b5b18369", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsService.java", "function": "onUidStateChanged" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "37134809959087956661517944958170528644", "328764706330746749091075703301307103179", "6457097028563598592615406195549245715" ] }, "id": "ASB-A-208662370-ae70cc6f", "source": "https://android.googlesource.com/platform/frameworks/base/+/f14e212d82b32053d151eedf97ac59a4b5b18369", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/f14e212d82b32053d151eedf97ac59a4b5b18369" ], "spl": "2022-03-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1235.0, "function_hash": "315538145376716360253371471486438683231" }, "id": "ASB-A-208662370-0602e1fe", "source": "https://android.googlesource.com/platform/frameworks/base/+/2623d2792bb56bd81cfeec0430cb0c024ddaf684", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsService.java", "function": "onUidStateChanged" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "37134809959087956661517944958170528644", "328764706330746749091075703301307103179", "6457097028563598592615406195549245715" ] }, "id": "ASB-A-208662370-73172252", "source": "https://android.googlesource.com/platform/frameworks/base/+/2623d2792bb56bd81cfeec0430cb0c024ddaf684", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/2623d2792bb56bd81cfeec0430cb0c024ddaf684" ], "spl": "2022-03-01", "severity": "High", "types": [ "EoP" ] }