In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 230.0, "function_hash": "286731377711939635674905074908431232409" }, "id": "ASB-A-254736794-150db067", "source": "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function": "getCurrentState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "2012088019728896796373346529697119661", "95794887678244685017967769009345707309", "269473325157219616924923563745773375448", "154820972000404752573118643516014957341", "169098446295692466798229884776274637005", "67219821689456268388489880111183157946", "81611614958380172139615727478591205864", "225201598122517943733666693027874673645", "237205250153135466490122010482236680762", "258373914556850159813516484305773392827", "125910280071661462423652500860628301922", "113538152592414822415748897100386305573", "233144689361163071165913764396211623748", "272268049520737346018390666615642509419", "327200272399841684421769554567479185010", "197512901002234036421909392540332515687", "48230772581453563322002997973370902025", "231488850382554498332132733718306136571", "105095112724300480145608650652271240823", "238399159099680063683957948576794709363", "151419067622790176455733014614730665027", "301034873234891899052665121603635606246", "250514607572004205542612161216221479765", "247503341480896072712975524814651163330" ] }, "id": "ASB-A-254736794-185febc0", "source": "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java" }, "signature_type": "Line" }, { "digest": { "length": 290.0, "function_hash": "66636180706436326696362511061246090529" }, "id": "ASB-A-254736794-b35f72e7", "source": "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function": "OneTimePermissionUserManager" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7" ], "spl": "2023-07-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "2012088019728896796373346529697119661", "95794887678244685017967769009345707309", "269473325157219616924923563745773375448", "154820972000404752573118643516014957341", "104213317420452091492353394712202028201", "115008296082753412527057053867333611588", "327946308160344602239660896448104314510", "225201598122517943733666693027874673645", "237205250153135466490122010482236680762", "258373914556850159813516484305773392827", "125910280071661462423652500860628301922", "113538152592414822415748897100386305573", "233144689361163071165913764396211623748", "39614901207402222558656648053840086968", "69252160723633962585538215955562754152", "197512901002234036421909392540332515687", "48230772581453563322002997973370902025", "231488850382554498332132733718306136571", "105095112724300480145608650652271240823", "238399159099680063683957948576794709363", "151419067622790176455733014614730665027", "301034873234891899052665121603635606246", "250514607572004205542612161216221479765", "247503341480896072712975524814651163330" ] }, "id": "ASB-A-254736794-098c99e5", "source": "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java" }, "signature_type": "Line" }, { "digest": { "length": 230.0, "function_hash": "286731377711939635674905074908431232409" }, "id": "ASB-A-254736794-5294ec01", "source": "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function": "getCurrentState" }, "signature_type": "Function" }, { "digest": { "length": 265.0, "function_hash": "189535468120640384763674111584510550352" }, "id": "ASB-A-254736794-7993dbd8", "source": "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function": "OneTimePermissionUserManager" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3" ], "spl": "2023-07-01", "severity": "High", "types": [ "EoP" ] }