In change_pte_range of mprotect.c, there is a possible way to make a shared mmap writable due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "26388385448768045903197744812104900847", "36848866001086906351986369137777488679", "246381734631290278259577314290080014830", "292025356104246184942351641166927029170", "289032966299733574939041913647164321221", "319749281976369751617148559791401543651", "173617174932993894428545678489161053335", "18478977818009636697733348297525703618", "303987600062360137456225274697869082737", "211703503418122648368873319370856317786", "223625824251537869180662648970918386677", "155514278188575556479937656422010026274", "262711827158317387919649248485093544159", "320867407498125824499487342931925626326", "262335409017011549160765450881081438972", "43836447096542978042347064419286815983", "212684369356434056530843624369581884882", "290947890044958423638068943395238387273", "205158834634470643564971834578313775589", "234046542991262528636222952799151665572", "116507045666393588100525777585550737554", "316784880375472124503082284181148452803", "183340213450978201184302600116670826334", "213618678633237511562215363816140982358", "298653192486935056634878306779187032061", "74809617335122515717546167645423972713", "27012292030432713556413204819171617142", "41745544533253503058633185501129737274", "120725726624912948596832818613445911804", "98535640408614503003517352597131437199", "98041784561752972404940356950574569322" ] }, "id": "ASB-A-213339151-233930ca", "source": "https://android.googlesource.com/kernel/common/+/ac4488815518c", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mprotect.c" }, "signature_type": "Line" }, { "digest": { "length": 2061.0, "function_hash": "40956230839441199247362622370650186968" }, "id": "ASB-A-213339151-40f58064", "source": "https://android.googlesource.com/kernel/common/+/ac4488815518c", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mprotect.c", "function": "change_pte_range" }, "signature_type": "Function" }, { "digest": { 
"length": 2161.0, "function_hash": "172667158180238430828807650673675159960" }, "id": "ASB-A-213339151-453c7d84", "source": "https://android.googlesource.com/kernel/common/+/6f9aba5a20b84", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mprotect.c", "function": "change_pte_range" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "183032221916153193182329789789079350147", "95381081053243779011811631504261460723", "295187802818044511120661050196951502232", "106843078633827551088870984421675393694", "328527994405515199974374174615856915895", "83846046281272957785594002941606216354", "164571244075822472549494859400642303646", "294140762355725933546093490834746029535", "314550388758617286576045305298864095241" ] }, "id": "ASB-A-213339151-594bff79", "source": "https://android.googlesource.com/kernel/common/+/6f9aba5a20b84", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mprotect.c" }, "signature_type": "Line" }, { "digest": { "length": 491.0, "function_hash": "38692348679089118757001497010520826709" }, "id": "ASB-A-213339151-b7eb8f69", "source": "https://android.googlesource.com/kernel/common/+/ac4488815518c", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mprotect.c", "function": "may_avoid_write_fault" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "128860355205528359091590660948147595541", "247731958661459105443647129325283961533", "53033447453478338200424833580008824070", "124534619553369977728910052496879958773", "316080425527770938972761145275704448032", "258480643095600329837128299039529690021", "183032221916153193182329789789079350147", "40058328818126488230781505731627049449", "124786915141688956432099356590562712532", "215305075731189509433518994006740494531", "328527994405515199974374174615856915895", "83846046281272957785594002941606216354", "164571244075822472549494859400642303646", 
"294140762355725933546093490834746029535", "314550388758617286576045305298864095241" ] }, "id": "ASB-A-213339151-cca6a438", "source": "https://android.googlesource.com/kernel/common/+/b44e46bb047d1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mprotect.c" }, "signature_type": "Line" }, { "digest": { "length": 2161.0, "function_hash": "172667158180238430828807650673675159960" }, "id": "ASB-A-213339151-f3d50201", "source": "https://android.googlesource.com/kernel/common/+/b44e46bb047d1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mprotect.c", "function": "change_pte_range" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/ac4488815518c", "https://android.googlesource.com/kernel/common/+/b44e46bb047d1", "https://android.googlesource.com/kernel/common/+/67d075d23a8bc", "https://android.googlesource.com/kernel/common/+/6f9aba5a20b84" ], "spl": "2022-04-05", "severity": "High", "types": [ "EoP" ] }