ASB-A-281061287

Import Source
https://storage.googleapis.com/android-osv/ASB-A-281061287.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-281061287
Aliases
  • A-281061287
  • CVE-2023-40075
Published
2023-12-01T00:00:00Z
Modified
2024-08-07T19:29:54.582073Z
Summary
PDoS using addDynamicShortcuts to bypass app-level shortcut limits
Details

In forceReplaceShortcutInner of ShortcutPackage.java, there is a possible way to register unlimited packages due to a missing bounds check. This could lead to local denial of service which results in a boot loop with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14-next:0
Fixed
14-next:2023-12-01

Affected versions

Other

14-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-281061287-83788f56",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1528.0,
                "function_hash": "334976330244219875878723607817575569924"
            },
            "id": "ASB-A-281061287-987a18fd",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "pushDynamicShortcut"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 200.0,
                "function_hash": "25517847561716758263126889563997043673"
            },
            "id": "ASB-A-281061287-ef716b0c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "forceReplaceShortcutInner"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "DoS"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2023-12-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-281061287-0c1f105c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 236.0,
                "function_hash": "159109076582546941070176486697659532569"
            },
            "id": "ASB-A-281061287-2a07e5e2",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "forceReplaceShortcutInner"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1171.0,
                "function_hash": "287786783413334123543829213843353028849"
            },
            "id": "ASB-A-281061287-6352b9f5",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "pushDynamicShortcut"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "DoS"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2023-12-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-281061287-3006c118",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1528.0,
                "function_hash": "334976330244219875878723607817575569924"
            },
            "id": "ASB-A-281061287-a79e7589",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "pushDynamicShortcut"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 200.0,
                "function_hash": "25517847561716758263126889563997043673"
            },
            "id": "ASB-A-281061287-bf1fe3d4",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "forceReplaceShortcutInner"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "DoS"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2023-12-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-281061287-724219f5",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 200.0,
                "function_hash": "25517847561716758263126889563997043673"
            },
            "id": "ASB-A-281061287-a3cdd939",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "forceReplaceShortcutInner"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1528.0,
                "function_hash": "334976330244219875878723607817575569924"
            },
            "id": "ASB-A-281061287-d644e870",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "pushDynamicShortcut"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "DoS"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2023-12-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1528.0,
                "function_hash": "334976330244219875878723607817575569924"
            },
            "id": "ASB-A-281061287-2c308b4c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "pushDynamicShortcut"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-281061287-9e99c298",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 200.0,
                "function_hash": "25517847561716758263126889563997043673"
            },
            "id": "ASB-A-281061287-af13675e",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "forceReplaceShortcutInner"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "DoS"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2023-12-01

Affected versions

Other

14

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 200.0,
                "function_hash": "25517847561716758263126889563997043673"
            },
            "id": "ASB-A-281061287-b4a3fb74",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "forceReplaceShortcutInner"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1528.0,
                "function_hash": "334976330244219875878723607817575569924"
            },
            "id": "ASB-A-281061287-b71264d0",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java",
                "function": "pushDynamicShortcut"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-281061287-dd9e0748",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/ShortcutPackage.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "DoS"
    ]
}