ASB-A-270368476

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-270368476.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-270368476
Aliases
  • A-270368476
  • CVE-2023-40116
Published
2023-10-01T00:00:00Z
Modified
2024-08-07T19:29:11.659836Z
Summary
SourceRectHint Animation in PIP Component can cause restriction bypass
Details

In onTaskAppeared of PipTaskOrganizer.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2023-10-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1410.0,
                "function_hash": "181491400177493555429237816646891076314"
            },
            "id": "ASB-A-270368476-72527542",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java",
                "function": "onTaskAppeared"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "66409941875196780203679071720485759320",
                    "249825501416818358814829213642476147194",
                    "118699811272894210661265234708291264000",
                    "314904124287885909992861234525384513709",
                    "16119790279244530535461322802107562818",
                    "246494807188314216618621120050554696607",
                    "140513676057509253661067554560652494122",
                    "295050921507719318349337065064110109731",
                    "105045769641888133769977750158259718043",
                    "261734575546930252780250644523880121497",
                    "242913691792290724166339716119192646636",
                    "246781055635329598112787772846097277756",
                    "99438466694255604288644571851072757610"
                ]
            },
            "id": "ASB-A-270368476-a295b7e7",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 289.0,
                "function_hash": "39469595170827841739636224664203121629"
            },
            "id": "ASB-A-270368476-ece346bb",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java",
                "function": "getValidSourceHintRect"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2"
    ],
    "spl": "2023-10-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2023-10-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "match_only_versions": [
                "12"
            ],
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "209429025854056159767914066393032300010",
                    "220444712238162245414505967688722991297",
                    "178767500888007998083315743702464392481",
                    "299257603002189761949365254086058776383",
                    "20542107226573851640259004201327613496",
                    "263103364633141960488986345083847579584",
                    "241829706067599882521182732383981463301",
                    "222059183804709081811937293704782343215",
                    "32839148087363786103231288248690155168",
                    "338689995397819220111778241252026700835"
                ]
            },
            "id": "ASB-A-270368476-0dc830f4",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "63782221699039313840523007087291989928",
                    "45004624479083865885120527292616715238",
                    "97263869434801543928923037464445227885",
                    "71726101960436302332167399892895922560"
                ]
            },
            "id": "ASB-A-270368476-1914e81d",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2119.0,
                "function_hash": "160389746768882259763309770676722951051"
            },
            "id": "ASB-A-270368476-b6645861",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java",
                "function": "onTaskAppeared"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 713.0,
                "function_hash": "316511690904435827584297228092807432492"
            },
            "id": "ASB-A-270368476-d890dc1c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java",
                "function": "onTaskAppearedWithFixedRotation"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1088.0,
                "function_hash": "38289670632256435549636737135832254850"
            },
            "id": "ASB-A-270368476-fd691483",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java",
                "function": "startEnterAnimation"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea"
    ],
    "spl": "2023-10-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2023-10-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "match_only_versions": [
                "12L"
            ],
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "209429025854056159767914066393032300010",
                    "220444712238162245414505967688722991297",
                    "178767500888007998083315743702464392481",
                    "299257603002189761949365254086058776383",
                    "20542107226573851640259004201327613496",
                    "263103364633141960488986345083847579584",
                    "241829706067599882521182732383981463301",
                    "222059183804709081811937293704782343215",
                    "32839148087363786103231288248690155168",
                    "67825956692415463057629696979124117501"
                ]
            },
            "id": "ASB-A-270368476-45471487",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 752.0,
                "function_hash": "338005715330227342067705909101533423797"
            },
            "id": "ASB-A-270368476-5b897ade",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java",
                "function": "onTaskAppearedWithFixedRotation"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "63782221699039313840523007087291989928",
                    "45004624479083865885120527292616715238",
                    "97263869434801543928923037464445227885",
                    "236889982355939381297150488357076962895"
                ]
            },
            "id": "ASB-A-270368476-94384dab",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2304.0,
                "function_hash": "56007200615144024626055728707502052307"
            },
            "id": "ASB-A-270368476-a9fc0bf6",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java",
                "function": "onTaskAppeared"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 2174.0,
                "function_hash": "110587108648452807324641174991334861851"
            },
            "id": "ASB-A-270368476-ce50b5d1",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java",
                "function": "startEnterAnimation"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074"
    ],
    "spl": "2023-10-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}