In assertSafeToStartCustomActivity of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 489.0, "function_hash": "230728443153871352391391556050698896647" }, "id": "ASB-A-223578534-bd2fef27", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java", "function": "assertSafeToStartCustomActivity" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "232477022807444841013375170475551310078", "146625305168494414691894218653073493704", "109457721975710769064585912225534305770", "42352054353086035454349671191144762807", "284514082129184479650462996686183383481", "33376965427845241378269936173562622954" ] }, "id": "ASB-A-223578534-f098c976", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad" ], "spl": "2022-07-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 489.0, "function_hash": "230728443153871352391391556050698896647" }, "id": "ASB-A-223578534-70caad6e", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/aeb36e5c282ac9cdfb34e87f68b8d8a5067d644d", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java", "function": "assertSafeToStartCustomActivity" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "232477022807444841013375170475551310078", "146625305168494414691894218653073493704", "109457721975710769064585912225534305770", "42352054353086035454349671191144762807", "284514082129184479650462996686183383481", "33376965427845241378269936173562622954" ] }, "id": "ASB-A-223578534-afaf5a70", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/aeb36e5c282ac9cdfb34e87f68b8d8a5067d644d", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/aeb36e5c282ac9cdfb34e87f68b8d8a5067d644d" ], "spl": "2022-07-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "232477022807444841013375170475551310078", "146625305168494414691894218653073493704", "109457721975710769064585912225534305770", "42352054353086035454349671191144762807", "284514082129184479650462996686183383481", "33376965427845241378269936173562622954" ] }, "id": "ASB-A-223578534-0b473dfc", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/f8f45888e6d20b238b222b95d18898fa1ab81ed4", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java" }, "signature_type": "Line" }, { "digest": { "length": 489.0, "function_hash": "230728443153871352391391556050698896647" }, "id": "ASB-A-223578534-5f63e23f", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/f8f45888e6d20b238b222b95d18898fa1ab81ed4", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java", "function": "assertSafeToStartCustomActivity" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/f8f45888e6d20b238b222b95d18898fa1ab81ed4" ], "spl": "2022-07-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 489.0, "function_hash": "230728443153871352391391556050698896647" }, "id": "ASB-A-223578534-6ba22492", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/019eb77224b0671458ad447f15a2a29935c866c6", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java", "function": "assertSafeToStartCustomActivity" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "232477022807444841013375170475551310078", "146625305168494414691894218653073493704", "109457721975710769064585912225534305770", "42352054353086035454349671191144762807", "284514082129184479650462996686183383481", "33376965427845241378269936173562622954" ] }, "id": "ASB-A-223578534-cc55d9bd", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/019eb77224b0671458ad447f15a2a29935c866c6", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/users/AppRestrictionsFragment.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/019eb77224b0671458ad447f15a2a29935c866c6" ], "spl": "2022-07-01", "severity": "High", "types": [ "EoP" ] }