In onTaskAppeared of PipTaskOrganizer.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1410.0, "function_hash": "181491400177493555429237816646891076314" }, "id": "ASB-A-270368476-72527542", "source": "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java", "function": "onTaskAppeared" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "66409941875196780203679071720485759320", "249825501416818358814829213642476147194", "118699811272894210661265234708291264000", "314904124287885909992861234525384513709", "16119790279244530535461322802107562818", "246494807188314216618621120050554696607", "140513676057509253661067554560652494122", "295050921507719318349337065064110109731", "105045769641888133769977750158259718043", "261734575546930252780250644523880121497", "242913691792290724166339716119192646636", "246781055635329598112787772846097277756", "99438466694255604288644571851072757610" ] }, "id": "ASB-A-270368476-a295b7e7", "source": "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java" }, "signature_type": "Line" }, { "digest": { "length": 289.0, "function_hash": "39469595170827841739636224664203121629" }, "id": "ASB-A-270368476-ece346bb", "source": "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java", "function": "getValidSourceHintRect" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2" ], "spl": "2023-10-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "12" ], "digest": { "threshold": 0.9, "line_hashes": [ "209429025854056159767914066393032300010", "220444712238162245414505967688722991297", "178767500888007998083315743702464392481", "299257603002189761949365254086058776383", "20542107226573851640259004201327613496", "263103364633141960488986345083847579584", "241829706067599882521182732383981463301", "222059183804709081811937293704782343215", "32839148087363786103231288248690155168", "338689995397819220111778241252026700835" ] }, "id": "ASB-A-270368476-0dc830f4", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "63782221699039313840523007087291989928", "45004624479083865885120527292616715238", "97263869434801543928923037464445227885", "71726101960436302332167399892895922560" ] }, "id": "ASB-A-270368476-1914e81d", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java" }, "signature_type": "Line" }, { "digest": { "length": 2119.0, "function_hash": "160389746768882259763309770676722951051" }, "id": "ASB-A-270368476-b6645861", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function": "onTaskAppeared" }, "signature_type": "Function" }, { "digest": { "length": 713.0, "function_hash": "316511690904435827584297228092807432492" }, "id": "ASB-A-270368476-d890dc1c", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function": "onTaskAppearedWithFixedRotation" }, "signature_type": "Function" }, { "digest": { "length": 1088.0, "function_hash": "38289670632256435549636737135832254850" }, "id": "ASB-A-270368476-fd691483", "source": "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function": "startEnterAnimation" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea" ], "spl": "2023-10-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "12L" ], "digest": { "threshold": 0.9, "line_hashes": [ "209429025854056159767914066393032300010", "220444712238162245414505967688722991297", "178767500888007998083315743702464392481", "299257603002189761949365254086058776383", "20542107226573851640259004201327613496", "263103364633141960488986345083847579584", "241829706067599882521182732383981463301", "222059183804709081811937293704782343215", "32839148087363786103231288248690155168", "67825956692415463057629696979124117501" ] }, "id": "ASB-A-270368476-45471487", "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java" }, "signature_type": "Line" }, { "digest": { "length": 752.0, "function_hash": "338005715330227342067705909101533423797" }, "id": "ASB-A-270368476-5b897ade", "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function": "onTaskAppearedWithFixedRotation" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "63782221699039313840523007087291989928", "45004624479083865885120527292616715238", "97263869434801543928923037464445227885", "236889982355939381297150488357076962895" ] }, "id": "ASB-A-270368476-94384dab", "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java" }, "signature_type": "Line" }, { "digest": { "length": 2304.0, "function_hash": "56007200615144024626055728707502052307" }, "id": "ASB-A-270368476-a9fc0bf6", "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function": "onTaskAppeared" }, "signature_type": "Function" }, { "digest": { "length": 2174.0, "function_hash": "110587108648452807324641174991334861851" }, "id": "ASB-A-270368476-ce50b5d1", "source": "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function": "startEnterAnimation" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074" ], "spl": "2023-10-01", "severity": "High", "types": [ "EoP" ] }