In getSecurityLevel and setSecurityLevel of DrmPlugin.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "206600570507894073295474146102703197710", "301966792304269357357044127234123894811", "98409775298683549229374608632735293169", "48833439968210638194588226046263100831", "16902199593063859955294065709048515752", "67660272170768565958046819950078030261", "176282012363886912556779996423863090481", "213672981350529598701488189847833251319" ] }, "id": "ASB-A-235601882-20a8991b", "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h" }, "signature_type": "Line" }, { "digest": { "length": 742.0, "function_hash": "172008007703609653220403326307218805886" }, "id": "ASB-A-235601882-43fe296c", "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getSecurityLevel" }, "signature_type": "Function" }, { "digest": { "length": 847.0, "function_hash": "233893227726131803643634104514031723930" }, "id": "ASB-A-235601882-63ba17bf", "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::setSecurityLevel" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "314820229105040400079662583446177036582", "297080935891690787293348788050211519934", "137688396380030244563965040015487994622", "183541518758328601432741666417049390870", "309426352547273010318657878085619773160", "297535137879567466290138098861291579926" ] }, "id": "ASB-A-235601882-72beb77e", "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 742.0, "function_hash": "172008007703609653220403326307218805886" }, "id": "ASB-A-235601882-2b284b60", "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getSecurityLevel" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "206600570507894073295474146102703197710", "301966792304269357357044127234123894811", "98409775298683549229374608632735293169", "48833439968210638194588226046263100831", "336505106272266033407192897248095407303", "61630820434863502233362681377103359044", "177419212568401062821358697581796607386", "56371828768409685143275251701015511120" ] }, "id": "ASB-A-235601882-8831cc97", "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "314820229105040400079662583446177036582", "297080935891690787293348788050211519934", "137688396380030244563965040015487994622", "183541518758328601432741666417049390870", "309426352547273010318657878085619773160", "297535137879567466290138098861291579926" ] }, "id": "ASB-A-235601882-e637783c", "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp" }, "signature_type": "Line" }, { "digest": { "length": 847.0, "function_hash": "233893227726131803643634104514031723930" }, "id": "ASB-A-235601882-f771dff5", "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::setSecurityLevel" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 742.0, "function_hash": "172008007703609653220403326307218805886" }, "id": "ASB-A-235601882-50e3391a", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getSecurityLevel" }, "signature_type": "Function" }, { "digest": { "length": 847.0, "function_hash": "233893227726131803643634104514031723930" }, "id": "ASB-A-235601882-8f1e1397", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::setSecurityLevel" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "314820229105040400079662583446177036582", "297080935891690787293348788050211519934", "137688396380030244563965040015487994622", "183541518758328601432741666417049390870", "309426352547273010318657878085619773160", "297535137879567466290138098861291579926" ] }, "id": "ASB-A-235601882-c977a9d1", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "339121784093313502615647951625042949295", "280233560995947677736001774997186362359", "208406105197990708023176398213145631936", "48833439968210638194588226046263100831", "336505106272266033407192897248095407303", "61630820434863502233362681377103359044", "177419212568401062821358697581796607386", "56371828768409685143275251701015511120" ] }, "id": "ASB-A-235601882-e50df494", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 847.0, "function_hash": "233893227726131803643634104514031723930" }, "id": "ASB-A-235601882-1cb2cdd5", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::setSecurityLevel" }, "signature_type": "Function" }, { "digest": { "length": 742.0, "function_hash": "172008007703609653220403326307218805886" }, "id": "ASB-A-235601882-805b7597", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getSecurityLevel" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "339121784093313502615647951625042949295", "280233560995947677736001774997186362359", "208406105197990708023176398213145631936", "48833439968210638194588226046263100831", "336505106272266033407192897248095407303", "61630820434863502233362681377103359044", "177419212568401062821358697581796607386", "56371828768409685143275251701015511120" ] }, "id": "ASB-A-235601882-d7cb7764", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "314820229105040400079662583446177036582", "297080935891690787293348788050211519934", "137688396380030244563965040015487994622", "183541518758328601432741666417049390870", "309426352547273010318657878085619773160", "297535137879567466290138098861291579926" ] }, "id": "ASB-A-235601882-e76be90a", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "314820229105040400079662583446177036582", "297080935891690787293348788050211519934", "137688396380030244563965040015487994622", "183541518758328601432741666417049390870", "309426352547273010318657878085619773160", "297535137879567466290138098861291579926" ] }, "id": "ASB-A-235601882-6494ce29", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "339121784093313502615647951625042949295", "280233560995947677736001774997186362359", "208406105197990708023176398213145631936", "48833439968210638194588226046263100831", "336505106272266033407192897248095407303", "61630820434863502233362681377103359044", "177419212568401062821358697581796607386", "56371828768409685143275251701015511120" ] }, "id": "ASB-A-235601882-85673659", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h" }, "signature_type": "Line" }, { "digest": { "length": 742.0, "function_hash": "172008007703609653220403326307218805886" }, "id": "ASB-A-235601882-a5552b57", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::getSecurityLevel" }, "signature_type": "Function" }, { "digest": { "length": 847.0, "function_hash": "233893227726131803643634104514031723930" }, "id": "ASB-A-235601882-cf610d6b", "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75", "deprecated": false, "signature_version": "v1", "target": { "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp", "function": "DrmPlugin::setSecurityLevel" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75" ], "spl": "2022-11-01", "severity": "High", "types": [ "EoP" ] }