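In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Note that the signature records below target restorePermissionState in either PermissionManagerService.java or PermissionManagerServiceImpl.java, depending on the fix commit, so a scan should not be limited to the one file named here.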
{ "vanir_signatures": [ { "digest": { "length": 10816.0, "function_hash": "313395618697061706143828738755605122814" }, "id": "ASB-A-210065877-7f44be55", "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "restorePermissionState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "70337220111095111239554531117300270560", "37680386246374956347998185350697731801", "194092347827170068529915649080525668756", "37904075820297233052904941461534405475" ] }, "id": "ASB-A-210065877-82e03571", "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "192329061750754579635130939936978434760", "180845804502122717465318985068976461465", "177498258042140996260575903969205252874", "157672850619058297516428766977646296191", "49957728695482223994996026688992799860", "155700006602593996535553090055359115192", "189503656619447869696913099614599607398", "332805842555046017036491288664338011557", "52131025358373768466184263356344105817", "138745309758142223385199693376003711444", "291971255444764233347146488762018284859", "349162356191215844468090734286535060", "163690546655641809481703346611962914311", "173906844637934707168991241424116221235", "171342722970669750398215088449046445017", "293841873522683363379165884003241045615", "156316419184537633419863264451999548929", "198141498415930033094452607809662987630", "60549211253879352751947260189873568675", "191085721430628901071938960134422239855", "236732265184660035366467935863000898408", 
"75407180318704451699303769443305508093" ] }, "id": "ASB-A-210065877-b9c7d2ac", "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "140733965518960597410749120412513228337", "133000066657174067784792790976086256649" ] }, "id": "ASB-A-210065877-d5ede725", "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/android/content/pm/PackageManagerInternal.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "204068925692065732622297449105718764950", "189002681868105969675858536182292719692", "27119499515421481643088173525291392512", "309020344221767103913966043106851831373", "94532263032810138178452766913210053001", "145770841673157355582929213949103756484", "121858566232927313939010965935187168921", "177498258042140996260575903969205252874", "157672850619058297516428766977646296191", "122586252879616957845736246789726967874", "49295243026898906572170636147125349825", "140287879494077765913243099683714685357", "338583801412692770865376243698492200826", "312154753232476171165435569596566928389", "251327487216216132552046834505879001760", "272786978245618890801536400053749027092", "16755325034230407185356123000104119490", "266325398593348129313837249785764061006", "81183483232826653128425546244167158126", "89583781141578730997026421727059260226", "137025581340638661145686941050757022756", "247875880308441436746754417505263827341", "107383290604112603127335460872191143314", "259745650538462562304317647837850807378", "110635991185879868564817031942272871690", "81522928803926506048863656976925063374", "233020365937013684941229783684964983097", "68476467424128480975241919625541521298", "52764643450515969104304985049234796646", "62950841911947415746268478580969992406", "236732265184660035366467935863000898408", "75407180318704451699303769443305508093", "108587633537507210242609878158511307392", "223346374230332314202607025582642319083", "25769565521317829918966238158725570349", "35018291119125253438113329575662430308", "51657818545401116001910514239752911792", "277889238348594391941544173186934120630", "212104117500095294343351554471806212485", "256620539703273529247375758003833936612" ] }, "id": "ASB-A-210065877-0d418034", "source": "https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228", "deprecated": false, "signature_version": "v1", "target": { "file": 
"services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 8765.0, "function_hash": "122957904428876774460389341088842378663" }, "id": "ASB-A-210065877-fe0a9f79", "source": "https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "restorePermissionState" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 8765.0, "function_hash": "122957904428876774460389341088842378663" }, "id": "ASB-A-210065877-5d9ce940", "source": "https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "restorePermissionState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "204068925692065732622297449105718764950", "189002681868105969675858536182292719692", "27119499515421481643088173525291392512", "309020344221767103913966043106851831373", "94532263032810138178452766913210053001", "145770841673157355582929213949103756484", "121858566232927313939010965935187168921", "177498258042140996260575903969205252874", "157672850619058297516428766977646296191", "122586252879616957845736246789726967874", "49295243026898906572170636147125349825", "140287879494077765913243099683714685357", "338583801412692770865376243698492200826", "312154753232476171165435569596566928389", "251327487216216132552046834505879001760", "272786978245618890801536400053749027092", "16755325034230407185356123000104119490", "266325398593348129313837249785764061006", "81183483232826653128425546244167158126", "89583781141578730997026421727059260226", "137025581340638661145686941050757022756", "247875880308441436746754417505263827341", "107383290604112603127335460872191143314", "259745650538462562304317647837850807378", "110635991185879868564817031942272871690", "81522928803926506048863656976925063374", "233020365937013684941229783684964983097", "68476467424128480975241919625541521298", "52764643450515969104304985049234796646", "62950841911947415746268478580969992406", "236732265184660035366467935863000898408", "75407180318704451699303769443305508093", "108587633537507210242609878158511307392", "223346374230332314202607025582642319083", 
"25769565521317829918966238158725570349", "35018291119125253438113329575662430308", "51657818545401116001910514239752911792", "277889238348594391941544173186934120630", "212104117500095294343351554471806212485", "256620539703273529247375758003833936612" ] }, "id": "ASB-A-210065877-90f2fda1", "source": "https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "204068925692065732622297449105718764950", "189002681868105969675858536182292719692", "27119499515421481643088173525291392512", "309020344221767103913966043106851831373", "94532263032810138178452766913210053001", "145770841673157355582929213949103756484", "121858566232927313939010965935187168921", "177498258042140996260575903969205252874", "157672850619058297516428766977646296191", "122586252879616957845736246789726967874", "49295243026898906572170636147125349825", "140287879494077765913243099683714685357", "338583801412692770865376243698492200826", "312154753232476171165435569596566928389", "251327487216216132552046834505879001760", "272786978245618890801536400053749027092", "16755325034230407185356123000104119490", "266325398593348129313837249785764061006", "81183483232826653128425546244167158126", "89583781141578730997026421727059260226", "137025581340638661145686941050757022756", "247875880308441436746754417505263827341", "107383290604112603127335460872191143314", "259745650538462562304317647837850807378", "110635991185879868564817031942272871690", "81522928803926506048863656976925063374", "233020365937013684941229783684964983097", "68476467424128480975241919625541521298", "52764643450515969104304985049234796646", "62950841911947415746268478580969992406", "236732265184660035366467935863000898408", "75407180318704451699303769443305508093", "108587633537507210242609878158511307392", "223346374230332314202607025582642319083", "25769565521317829918966238158725570349", "35018291119125253438113329575662430308", "51657818545401116001910514239752911792", "277889238348594391941544173186934120630", "212104117500095294343351554471806212485", "256620539703273529247375758003833936612" ] }, "id": "ASB-A-210065877-1e2ada85", "source": "https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7", "deprecated": false, "signature_version": "v1", "target": { "file": 
"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java" }, "signature_type": "Line" }, { "digest": { "length": 9214.0, "function_hash": "49249527759310573510656247232703678512" }, "id": "ASB-A-210065877-7f63d209", "source": "https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java", "function": "restorePermissionState" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }