In test of ResetTargetTaskHelper.java, there is a possible hijacking of any app which sets allowTaskReparenting="true" due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1839.0, "function_hash": "79367335984536868683060388927323698399" }, "id": "ASB-A-240663194-31871ecc", "source": "https://android.googlesource.com/platform/frameworks/base/+/7da08c6bd31584744e91eb6b3914166344ecae33", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java", "function": "processActivity" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "156696531665261001840361105050140513977", "141577864991975549992388657836996666940", "176173783978772524694805082768982610046", "40656254098996569909265033914126337733", "6035741319983973340794305195343138500", "106076101888920704290679117356166803734", "174141138331974519528807865623126836579", "333588990833629625277664792135720220197" ] }, "id": "ASB-A-240663194-b69388b4", "source": "https://android.googlesource.com/platform/frameworks/base/+/7da08c6bd31584744e91eb6b3914166344ecae33", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/7da08c6bd31584744e91eb6b3914166344ecae33" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1839.0, "function_hash": "79367335984536868683060388927323698399" }, "id": "ASB-A-240663194-689311e5", "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java", "function": "processActivity" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "156696531665261001840361105050140513977", "141577864991975549992388657836996666940", "176173783978772524694805082768982610046", "40656254098996569909265033914126337733", "6035741319983973340794305195343138500", "106076101888920704290679117356166803734", "174141138331974519528807865623126836579", "333588990833629625277664792135720220197" ] }, "id": "ASB-A-240663194-6c5655b0", "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "156696531665261001840361105050140513977", "141577864991975549992388657836996666940", "176173783978772524694805082768982610046", "40656254098996569909265033914126337733", "6035741319983973340794305195343138500", "106076101888920704290679117356166803734", "174141138331974519528807865623126836579", "333588990833629625277664792135720220197" ] }, "id": "ASB-A-240663194-6ab63711", "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java" }, "signature_type": "Line" }, { "digest": { "length": 1839.0, "function_hash": "79367335984536868683060388927323698399" }, "id": "ASB-A-240663194-ae0b3db2", "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java", "function": "processActivity" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1833.0, "function_hash": "196881039074853251030040489618889753042" }, "id": "ASB-A-240663194-115ef8b1", "source": "https://android.googlesource.com/platform/frameworks/base/+/f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java", "function": "test" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "156696531665261001840361105050140513977", "141577864991975549992388657836996666940", "176173783978772524694805082768982610046", "40656254098996569909265033914126337733", "6035741319983973340794305195343138500", "106076101888920704290679117356166803734", "174141138331974519528807865623126836579", "333588990833629625277664792135720220197" ] }, "id": "ASB-A-240663194-24f3ed21", "source": "https://android.googlesource.com/platform/frameworks/base/+/f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }