ASB-A-213644870

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-213644870.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-213644870
Aliases
  • A-213644870
  • CVE-2022-20226
Published
2022-07-01T00:00:00Z
Modified
2024-08-16T00:42:06.869034Z
Summary
SF Security Vulnerability, Privilege Escalation through transaction merging
Details

In finishDrawingWindow of WindowManagerService.java, there is a possible tapjacking due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-07-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "10283689925970767745039467515145839613",
                    "262447069286773819783877630469413526772",
                    "42710371276610711414791601201715173153",
                    "166183720595856650804928134883908547633",
                    "30102194167949942252975857073123632582",
                    "123398118123314661349505762760018517105",
                    "204405425560196390556035502911962567381"
                ]
            },
            "id": "ASB-A-213644870-040d226c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/jni/android_view_SurfaceControl.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "109308593953997389863375467451930133254",
                    "94699768790438915482765790682681872288",
                    "110023916072507408757555310022252388335",
                    "215111910697632882604036026239049292193"
                ]
            },
            "id": "ASB-A-213644870-2c31844f",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "38968290403228463353837298513432406102",
                    "304528173058242274849033339504350305354",
                    "101157398416841870061643836720504773637",
                    "113105747347854439447263763515229602544",
                    "291314025743564295420860371659408652795",
                    "314047888469450165801136092425354257071",
                    "189991891994099775720685819681100013572"
                ]
            },
            "id": "ASB-A-213644870-30b72434",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/view/SurfaceControl.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 639.0,
                "function_hash": "83958915429775838570512321188110188733"
            },
            "id": "ASB-A-213644870-712e9848",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java",
                "function": "finishDrawingWindow"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208"
    ],
    "spl": "2022-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/native

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-07-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "158316474625177380927379967336735792071",
                    "210021420014394732488362221031205883846",
                    "331030268047125451190618899420805559668"
                ]
            },
            "id": "ASB-A-213644870-74f915ea",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/LayerState.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "332381021113198560895429062369073948349",
                    "44331992766085121825441615548065094219",
                    "88217928992512580016909342481436155673",
                    "160599368510002579484529369188586086302"
                ]
            },
            "id": "ASB-A-213644870-d16defad",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/include/gui/SurfaceComposerClient.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "205641342065023842371091921530500723954",
                    "278129404744689785468040558095339977043",
                    "168828413441837664234458638552152734678",
                    "12733264191246206875023833473909259006",
                    "321795751002210282708716128041769480703",
                    "91632105569992995968658733557942439857",
                    "79537943416717662722743741558961208950",
                    "157395701064132088622923284380667498154"
                ]
            },
            "id": "ASB-A-213644870-e9482da3",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/include/gui/LayerState.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "17440762063016278011988741857659065229",
                    "106802602803923500112653028896911190638",
                    "335430823114812336836988704439893870037",
                    "103400400102260454088510578413313457032",
                    "310169275428447047405242217820035451",
                    "240320211232283025739686553089665140019"
                ]
            },
            "id": "ASB-A-213644870-eceff298",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/SurfaceComposerClient.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b"
    ],
    "spl": "2022-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-07-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 639.0,
                "function_hash": "83958915429775838570512321188110188733"
            },
            "id": "ASB-A-213644870-2d1f9dbf",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java",
                "function": "finishDrawingWindow"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "109308593953997389863375467451930133254",
                    "94699768790438915482765790682681872288",
                    "110023916072507408757555310022252388335",
                    "215111910697632882604036026239049292193"
                ]
            },
            "id": "ASB-A-213644870-3ba944f6",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "206710912623225518822118118418562316887",
                    "308209011028749043628053711427160371938",
                    "12209304743745958707138099709119970222",
                    "292317412448276784155305856665001322196",
                    "291314025743564295420860371659408652795",
                    "314047888469450165801136092425354257071",
                    "189991891994099775720685819681100013572"
                ]
            },
            "id": "ASB-A-213644870-480a01eb",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/view/SurfaceControl.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "10283689925970767745039467515145839613",
                    "262447069286773819783877630469413526772",
                    "42710371276610711414791601201715173153",
                    "149154735167034948074364255221988351201",
                    "291211340028722230894985854103626517125",
                    "117274481847790116195683706567649776575",
                    "214026053996811510671851429925048764"
                ]
            },
            "id": "ASB-A-213644870-a62fa883",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/jni/android_view_SurfaceControl.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905"
    ],
    "spl": "2022-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/native

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-07-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "332381021113198560895429062369073948349",
                    "44331992766085121825441615548065094219",
                    "88217928992512580016909342481436155673",
                    "160599368510002579484529369188586086302"
                ]
            },
            "id": "ASB-A-213644870-20040708",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/include/gui/SurfaceComposerClient.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "158316474625177380927379967336735792071",
                    "210021420014394732488362221031205883846",
                    "331030268047125451190618899420805559668"
                ]
            },
            "id": "ASB-A-213644870-3e24d18f",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/LayerState.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "205641342065023842371091921530500723954",
                    "278129404744689785468040558095339977043",
                    "168828413441837664234458638552152734678",
                    "12733264191246206875023833473909259006",
                    "321795751002210282708716128041769480703",
                    "91632105569992995968658733557942439857",
                    "79537943416717662722743741558961208950",
                    "157395701064132088622923284380667498154"
                ]
            },
            "id": "ASB-A-213644870-4c807467",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/include/gui/LayerState.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "17440762063016278011988741857659065229",
                    "106802602803923500112653028896911190638",
                    "335430823114812336836988704439893870037",
                    "103400400102260454088510578413313457032",
                    "310169275428447047405242217820035451",
                    "240320211232283025739686553089665140019"
                ]
            },
            "id": "ASB-A-213644870-575bf847",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/gui/SurfaceComposerClient.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67"
    ],
    "spl": "2022-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}