ASB-A-232023771

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-232023771.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-232023771
Aliases
  • A-232023771
  • CVE-2022-20411
Published
2022-12-01T00:00:00Z
Modified
2024-08-07T19:29:05.723343Z
Summary
[Bluetooth avrcp/avdtp heap overflow] part 2: avdt_msg_asmbl
Details

In avdtmsgasmbl of avdt_msg.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/system/bt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2022-12-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 2269.0,
                "function_hash": "31651622261620113666886604573074119865"
            },
            "id": "ASB-A-232023771-24b295aa",
            "source": "https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 2079.0,
                "function_hash": "215894916147553160587423900392199587617"
            },
            "id": "ASB-A-232023771-321a029d",
            "source": "https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avct/avct_lcb_act.cc",
                "function": "avct_lcb_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "103868281249314003293679143785339859589",
                    "278968636750065012184485026436445418276",
                    "55401410856980922119019680032701604430"
                ]
            },
            "id": "ASB-A-232023771-4166c182",
            "source": "https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "173584054749471213542059671671466609370",
                    "218272014920384491034865323393805809107",
                    "213647027907871969227418315119428298185",
                    "9928675793482950772906846926328496605",
                    "299567162013897171384820515506672829954",
                    "303197354449278179794684350283057267623",
                    "28531630504339552654429710756820330137",
                    "327271937418312844391748711278984965058"
                ]
            },
            "id": "ASB-A-232023771-815881f1",
            "source": "https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avct/avct_lcb_act.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2129.0,
                "function_hash": "160853215269139646123064996311532757850"
            },
            "id": "ASB-A-232023771-b21cbf2c",
            "source": "https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "215507649221945670645596187650782013637",
                    "23877860105343681440705075309397570792",
                    "310567960305520675214271535015287563817",
                    "88934782529621464372846023753636423842",
                    "219719858263803852531280969617611252898",
                    "137818675491998040360743622437184545376",
                    "265765237446791770549679568004270914313"
                ]
            },
            "id": "ASB-A-232023771-f7b85ac5",
            "source": "https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f",
        "https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12"
    ],
    "spl": "2022-12-01",
    "severity": "Critical",
    "types": [
        "RCE"
    ]
}

Android / platform/system/bt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-12-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 2269.0,
                "function_hash": "31651622261620113666886604573074119865"
            },
            "id": "ASB-A-232023771-1ac3aad0",
            "source": "https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 2079.0,
                "function_hash": "215894916147553160587423900392199587617"
            },
            "id": "ASB-A-232023771-a30ae265",
            "source": "https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avct/avct_lcb_act.cc",
                "function": "avct_lcb_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "215507649221945670645596187650782013637",
                    "23877860105343681440705075309397570792",
                    "310567960305520675214271535015287563817",
                    "88934782529621464372846023753636423842",
                    "219719858263803852531280969617611252898",
                    "137818675491998040360743622437184545376",
                    "265765237446791770549679568004270914313"
                ]
            },
            "id": "ASB-A-232023771-ad6e5cb0",
            "source": "https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "173584054749471213542059671671466609370",
                    "218272014920384491034865323393805809107",
                    "213647027907871969227418315119428298185",
                    "9928675793482950772906846926328496605",
                    "299567162013897171384820515506672829954",
                    "303197354449278179794684350283057267623",
                    "28531630504339552654429710756820330137",
                    "327271937418312844391748711278984965058"
                ]
            },
            "id": "ASB-A-232023771-c52f64b9",
            "source": "https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avct/avct_lcb_act.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "103868281249314003293679143785339859589",
                    "278968636750065012184485026436445418276",
                    "55401410856980922119019680032701604430"
                ]
            },
            "id": "ASB-A-232023771-e07377b5",
            "source": "https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2129.0,
                "function_hash": "160853215269139646123064996311532757850"
            },
            "id": "ASB-A-232023771-ea12604b",
            "source": "https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c",
        "https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653"
    ],
    "spl": "2022-12-01",
    "severity": "Critical",
    "types": [
        "RCE"
    ]
}

Android / platform/system/bt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-12-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 2079.0,
                "function_hash": "215894916147553160587423900392199587617"
            },
            "id": "ASB-A-232023771-285f19e5",
            "source": "https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avct/avct_lcb_act.cc",
                "function": "avct_lcb_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 2129.0,
                "function_hash": "160853215269139646123064996311532757850"
            },
            "id": "ASB-A-232023771-377d1e1d",
            "source": "https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "215507649221945670645596187650782013637",
                    "23877860105343681440705075309397570792",
                    "310567960305520675214271535015287563817",
                    "88934782529621464372846023753636423842",
                    "219719858263803852531280969617611252898",
                    "137818675491998040360743622437184545376",
                    "265765237446791770549679568004270914313"
                ]
            },
            "id": "ASB-A-232023771-6cef8960",
            "source": "https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2269.0,
                "function_hash": "31651622261620113666886604573074119865"
            },
            "id": "ASB-A-232023771-6f9faae4",
            "source": "https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "103868281249314003293679143785339859589",
                    "278968636750065012184485026436445418276",
                    "55401410856980922119019680032701604430"
                ]
            },
            "id": "ASB-A-232023771-a9d2d372",
            "source": "https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "299567162013897171384820515506672829954",
                    "303197354449278179794684350283057267623",
                    "28531630504339552654429710756820330137",
                    "327271937418312844391748711278984965058"
                ]
            },
            "id": "ASB-A-232023771-c106511b",
            "source": "https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "stack/avct/avct_lcb_act.cc"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb",
        "https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176"
    ],
    "spl": "2022-12-01",
    "severity": "Critical",
    "types": [
        "RCE"
    ]
}

Android / platform/packages/modules/Bluetooth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2022-12-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "103868281249314003293679143785339859589",
                    "278968636750065012184485026436445418276",
                    "55401410856980922119019680032701604430"
                ]
            },
            "id": "ASB-A-232023771-7977fdf2",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2269.0,
                "function_hash": "31651622261620113666886604573074119865"
            },
            "id": "ASB-A-232023771-9cacfddc",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 2079.0,
                "function_hash": "215894916147553160587423900392199587617"
            },
            "id": "ASB-A-232023771-c94e61f4",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/avct/avct_lcb_act.cc",
                "function": "avct_lcb_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "299567162013897171384820515506672829954",
                    "303197354449278179794684350283057267623",
                    "28531630504339552654429710756820330137",
                    "327271937418312844391748711278984965058"
                ]
            },
            "id": "ASB-A-232023771-dac224cf",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/avct/avct_lcb_act.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2129.0,
                "function_hash": "160853215269139646123064996311532757850"
            },
            "id": "ASB-A-232023771-f0b5ebf2",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/avdt/avdt_msg.cc",
                "function": "avdt_msg_asmbl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70120848165161273781258461032605334239",
                    "215507649221945670645596187650782013637",
                    "23877860105343681440705075309397570792",
                    "310567960305520675214271535015287563817",
                    "88934782529621464372846023753636423842",
                    "219719858263803852531280969617611252898",
                    "137818675491998040360743622437184545376",
                    "265765237446791770549679568004270914313"
                ]
            },
            "id": "ASB-A-232023771-f4290a62",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/avdt/avdt_msg.cc"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4",
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb"
    ],
    "spl": "2022-12-01",
    "severity": "Critical",
    "types": [
        "RCE"
    ]
}