In validateApkInstallLocked of PackageInstallerSession.java, there is a way to force a mismatch between the running code and a parsed APK. This could lead to local escalation of privilege, with User execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 6954.0, "function_hash": "231990516022432859515481353455776451874" }, "id": "ASB-A-219044664-1a69041b", "source": "https://android.googlesource.com/platform/frameworks/base/+/a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java", "function": "validateApkInstallLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "180540424809410108203819155674178703077", "310192941804949544849809573407891877990", "119835757437939988808744406930910971941", "70541103374231375402887502243412630152", "33594561195262327339142717655851560430", "155927009038804990930832153736923090981", "250405756640230757845653727125355385240", "203884490892640686155713902095510326404", "99683244548145421579673942579196578890", "240835686705695241023296524170794580937", "250527447965076997283029578436906981614", "117468068627482448288391961128067969669" ] }, "id": "ASB-A-219044664-837b635c", "source": "https://android.googlesource.com/platform/frameworks/base/+/a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2" ], "spl": "2022-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "180540424809410108203819155674178703077", "310192941804949544849809573407891877990", "119835757437939988808744406930910971941", "70541103374231375402887502243412630152", "33594561195262327339142717655851560430", "155927009038804990930832153736923090981", "250405756640230757845653727125355385240", "203884490892640686155713902095510326404", "99683244548145421579673942579196578890", "30731540922810736168728098478051819998", "234229738927911877615018910976101797115", "247795310976460709509992912805621675362" ] }, "id": "ASB-A-219044664-8b7c1747", "source": "https://android.googlesource.com/platform/frameworks/base/+/52a4337a4790350e8270b0712d9977159c07e096", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java" }, "signature_type": "Line" }, { "digest": { "length": 7728.0, "function_hash": "182370216373814584356638447485313003128" }, "id": "ASB-A-219044664-f8cfcde2", "source": "https://android.googlesource.com/platform/frameworks/base/+/52a4337a4790350e8270b0712d9977159c07e096", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java", "function": "validateApkInstallLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/52a4337a4790350e8270b0712d9977159c07e096" ], "spl": "2022-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "126649318037345343753490697120452954107", "194773562856015092151238496551787168544", "232480445117399624084228075804858210752", "70541103374231375402887502243412630152", "171320219436343288127093230170613975268", "241106788494647486170183478616371241689", "286485087625539031559168727923564794757", "119023713081308280265343167240695200326", "99683244548145421579673942579196578890", "30731540922810736168728098478051819998", "234229738927911877615018910976101797115", "247795310976460709509992912805621675362" ] }, "id": "ASB-A-219044664-71a43813", "source": "https://android.googlesource.com/platform/frameworks/base/+/5b2e8af805e559c484f4c17d96459a3284d48824", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java" }, "signature_type": "Line" }, { "digest": { "length": 8530.0, "function_hash": "208139483470825842445175165543268099324" }, "id": "ASB-A-219044664-81a2541b", "source": "https://android.googlesource.com/platform/frameworks/base/+/5b2e8af805e559c484f4c17d96459a3284d48824", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java", "function": "validateApkInstallLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/5b2e8af805e559c484f4c17d96459a3284d48824" ], "spl": "2022-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 8530.0, "function_hash": "208139483470825842445175165543268099324" }, "id": "ASB-A-219044664-5262c664", "source": "https://android.googlesource.com/platform/frameworks/base/+/36b0e9e94c3af7e5f81b88d68447c890d1126498", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java", "function": "validateApkInstallLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "126649318037345343753490697120452954107", "194773562856015092151238496551787168544", "232480445117399624084228075804858210752", "70541103374231375402887502243412630152", "171320219436343288127093230170613975268", "241106788494647486170183478616371241689", "286485087625539031559168727923564794757", "119023713081308280265343167240695200326", "99683244548145421579673942579196578890", "30731540922810736168728098478051819998", "234229738927911877615018910976101797115", "247795310976460709509992912805621675362" ] }, "id": "ASB-A-219044664-967ee436", "source": "https://android.googlesource.com/platform/frameworks/base/+/36b0e9e94c3af7e5f81b88d68447c890d1126498", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/36b0e9e94c3af7e5f81b88d68447c890d1126498" ], "spl": "2022-05-01", "severity": "High", "types": [ "EoP" ] }