ASB-A-235601882

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-235601882.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-235601882
Aliases
  • A-235601882
  • CVE-2022-2209
Published
2022-11-01T00:00:00Z
Modified
2024-08-07T19:29:13.320418Z
Summary
[Race Condition in setSecurityLevel Function in DrmPlugin.cpp in android.hardware.drm@1.4-service.clearkey]
Details

In getSecurityLevel and setSecurityLevel of DrmPlugin.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2022-11-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "206600570507894073295474146102703197710",
                    "301966792304269357357044127234123894811",
                    "98409775298683549229374608632735293169",
                    "48833439968210638194588226046263100831",
                    "16902199593063859955294065709048515752",
                    "67660272170768565958046819950078030261",
                    "176282012363886912556779996423863090481",
                    "213672981350529598701488189847833251319"
                ]
            },
            "id": "ASB-A-235601882-20a8991b",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 742.0,
                "function_hash": "172008007703609653220403326307218805886"
            },
            "id": "ASB-A-235601882-43fe296c",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::getSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 847.0,
                "function_hash": "233893227726131803643634104514031723930"
            },
            "id": "ASB-A-235601882-63ba17bf",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::setSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "314820229105040400079662583446177036582",
                    "297080935891690787293348788050211519934",
                    "137688396380030244563965040015487994622",
                    "183541518758328601432741666417049390870",
                    "309426352547273010318657878085619773160",
                    "297535137879567466290138098861291579926"
                ]
            },
            "id": "ASB-A-235601882-72beb77e",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-11-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 742.0,
                "function_hash": "172008007703609653220403326307218805886"
            },
            "id": "ASB-A-235601882-2b284b60",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::getSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "206600570507894073295474146102703197710",
                    "301966792304269357357044127234123894811",
                    "98409775298683549229374608632735293169",
                    "48833439968210638194588226046263100831",
                    "336505106272266033407192897248095407303",
                    "61630820434863502233362681377103359044",
                    "177419212568401062821358697581796607386",
                    "56371828768409685143275251701015511120"
                ]
            },
            "id": "ASB-A-235601882-8831cc97",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "314820229105040400079662583446177036582",
                    "297080935891690787293348788050211519934",
                    "137688396380030244563965040015487994622",
                    "183541518758328601432741666417049390870",
                    "309426352547273010318657878085619773160",
                    "297535137879567466290138098861291579926"
                ]
            },
            "id": "ASB-A-235601882-e637783c",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 847.0,
                "function_hash": "233893227726131803643634104514031723930"
            },
            "id": "ASB-A-235601882-f771dff5",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::setSecurityLevel"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-11-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 742.0,
                "function_hash": "172008007703609653220403326307218805886"
            },
            "id": "ASB-A-235601882-50e3391a",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::getSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 847.0,
                "function_hash": "233893227726131803643634104514031723930"
            },
            "id": "ASB-A-235601882-8f1e1397",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::setSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "314820229105040400079662583446177036582",
                    "297080935891690787293348788050211519934",
                    "137688396380030244563965040015487994622",
                    "183541518758328601432741666417049390870",
                    "309426352547273010318657878085619773160",
                    "297535137879567466290138098861291579926"
                ]
            },
            "id": "ASB-A-235601882-c977a9d1",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "339121784093313502615647951625042949295",
                    "280233560995947677736001774997186362359",
                    "208406105197990708023176398213145631936",
                    "48833439968210638194588226046263100831",
                    "336505106272266033407192897248095407303",
                    "61630820434863502233362681377103359044",
                    "177419212568401062821358697581796607386",
                    "56371828768409685143275251701015511120"
                ]
            },
            "id": "ASB-A-235601882-e50df494",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-11-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 847.0,
                "function_hash": "233893227726131803643634104514031723930"
            },
            "id": "ASB-A-235601882-1cb2cdd5",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::setSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 742.0,
                "function_hash": "172008007703609653220403326307218805886"
            },
            "id": "ASB-A-235601882-805b7597",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::getSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "339121784093313502615647951625042949295",
                    "280233560995947677736001774997186362359",
                    "208406105197990708023176398213145631936",
                    "48833439968210638194588226046263100831",
                    "336505106272266033407192897248095407303",
                    "61630820434863502233362681377103359044",
                    "177419212568401062821358697581796607386",
                    "56371828768409685143275251701015511120"
                ]
            },
            "id": "ASB-A-235601882-d7cb7764",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "314820229105040400079662583446177036582",
                    "297080935891690787293348788050211519934",
                    "137688396380030244563965040015487994622",
                    "183541518758328601432741666417049390870",
                    "309426352547273010318657878085619773160",
                    "297535137879567466290138098861291579926"
                ]
            },
            "id": "ASB-A-235601882-e76be90a",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2022-11-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "314820229105040400079662583446177036582",
                    "297080935891690787293348788050211519934",
                    "137688396380030244563965040015487994622",
                    "183541518758328601432741666417049390870",
                    "309426352547273010318657878085619773160",
                    "297535137879567466290138098861291579926"
                ]
            },
            "id": "ASB-A-235601882-6494ce29",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "339121784093313502615647951625042949295",
                    "280233560995947677736001774997186362359",
                    "208406105197990708023176398213145631936",
                    "48833439968210638194588226046263100831",
                    "336505106272266033407192897248095407303",
                    "61630820434863502233362681377103359044",
                    "177419212568401062821358697581796607386",
                    "56371828768409685143275251701015511120"
                ]
            },
            "id": "ASB-A-235601882-85673659",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 742.0,
                "function_hash": "172008007703609653220403326307218805886"
            },
            "id": "ASB-A-235601882-a5552b57",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::getSecurityLevel"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 847.0,
                "function_hash": "233893227726131803643634104514031723930"
            },
            "id": "ASB-A-235601882-cf610d6b",
            "source": "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp",
                "function": "DrmPlugin::setSecurityLevel"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}