In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 8812.0, "function_hash": "142246288412129094408514203199238561948" }, "id": "ASB-A-283006437-b41927e2", "source": "https://android.googlesource.com/platform/frameworks/base/+/75d59e2c837fe80573d005d614b5605f049d670b", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java", "function": "restorePermissionState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "241855179621913930701588804709780155522", "275479356698363652495977846336318607251", "255741566803734956684115847599940359502", "329511216806155411583397618051815937323", "230890054020277999966381857942827090781", "30743053879712092806019355833439531329", "164061260477018033836468278206461597782", "186425670345635799098268351722874335822", "276325974263410010527862255220314547069", "218520723691657242980782739382052017414", "155526587664885433202374294265209902170", "204856196167746811870896199949595693266", "295885706405182841829403271221225263171", "145729099851963986731834857453604949671", "292148157103032482322089350809150613971", "167382233552830894443080007920035353773", "314429486213177128614653224747932411797", "276325974263410010527862255220314547069", "118032391002288377293566182663078948299", "314595102839975675297811354990239556759", "120323400186829302355158193795315749404", "163986750517143368853988482277776772815", "197201103724724939510754681281531348217", "194974524402462089005617861962819942918", "92828404067021723650658033648695093647", "166946909467751980189952350180328577663", "15866680198536122678978656592794424777", "176595566564772642823644730206600131131", "178686642698283105794922610506754798137", "234428186770411006908902272106075667589", "75963442116464278584509164306047510920", "74776902845116693701746993520768117870", "12555057430024890003862183139881997738", "107490859850623254815892131356663147820", "194923508558333860654626642113920483145", "25435482031621032640164583620808387257", "286001486748147234981313512722507028679", "20353192589936882140155114595647809471", "249850546937422752978060123149387108317", "259493669906692371733530881195881315277", "331702832483086198673641645128446701892", "112187493214145262221793608858508324924", "73191787758393067461880425633411347621", "67881705992814538402892150868489171754" ] }, "id": "ASB-A-283006437-df1c9da6", "source": "https://android.googlesource.com/platform/frameworks/base/+/75d59e2c837fe80573d005d614b5605f049d670b", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/75d59e2c837fe80573d005d614b5605f049d670b" ], "spl": "2023-08-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 8212.0, "function_hash": "245572871958414356327954138591672841843" }, "id": "ASB-A-283006437-1ee35752", "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "restorePermissionState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "241855179621913930701588804709780155522", "275479356698363652495977846336318607251", "255741566803734956684115847599940359502", "329511216806155411583397618051815937323", "230890054020277999966381857942827090781", "30743053879712092806019355833439531329", "164061260477018033836468278206461597782", "186425670345635799098268351722874335822", "276325974263410010527862255220314547069", "218520723691657242980782739382052017414", "155526587664885433202374294265209902170", "204856196167746811870896199949595693266", "295885706405182841829403271221225263171", "145729099851963986731834857453604949671", "292148157103032482322089350809150613971", "167382233552830894443080007920035353773", "314429486213177128614653224747932411797", "276325974263410010527862255220314547069", "118032391002288377293566182663078948299", "314595102839975675297811354990239556759", "163722187449539808166127513629106944859", "146762435681937213432946232827403882886", "37911553657853436485296153724958281419", "108645160186932075327622118651056146738", "92828404067021723650658033648695093647", "166946909467751980189952350180328577663", "15866680198536122678978656592794424777", "176595566564772642823644730206600131131", "178686642698283105794922610506754798137", "234428186770411006908902272106075667589", "75963442116464278584509164306047510920", "74776902845116693701746993520768117870", "12555057430024890003862183139881997738", "107490859850623254815892131356663147820", "194923508558333860654626642113920483145", "25435482031621032640164583620808387257", "286001486748147234981313512722507028679", "20353192589936882140155114595647809471", "249850546937422752978060123149387108317", "160578629446369328838463630213056123111", "55800704381838252904979346999253933746", "250265219113820724228197185886707073118", "19782484586458661874039702862718242670", "25424149211409059614636043450427951459" ] }, "id": "ASB-A-283006437-444d16b0", "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f" ], "spl": "2023-08-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "241855179621913930701588804709780155522", "275479356698363652495977846336318607251", "255741566803734956684115847599940359502", "329511216806155411583397618051815937323", "230890054020277999966381857942827090781", "30743053879712092806019355833439531329", "164061260477018033836468278206461597782", "186425670345635799098268351722874335822", "276325974263410010527862255220314547069", "218520723691657242980782739382052017414", "155526587664885433202374294265209902170", "204856196167746811870896199949595693266", "295885706405182841829403271221225263171", "145729099851963986731834857453604949671", "292148157103032482322089350809150613971", "167382233552830894443080007920035353773", "314429486213177128614653224747932411797", "276325974263410010527862255220314547069", "118032391002288377293566182663078948299", "314595102839975675297811354990239556759", "163722187449539808166127513629106944859", "146762435681937213432946232827403882886", "37911553657853436485296153724958281419", "108645160186932075327622118651056146738", "92828404067021723650658033648695093647", "166946909467751980189952350180328577663", "15866680198536122678978656592794424777", "176595566564772642823644730206600131131", "178686642698283105794922610506754798137", "234428186770411006908902272106075667589", "75963442116464278584509164306047510920", "74776902845116693701746993520768117870", "12555057430024890003862183139881997738", "107490859850623254815892131356663147820", "194923508558333860654626642113920483145", "25435482031621032640164583620808387257", "286001486748147234981313512722507028679", "20353192589936882140155114595647809471", "249850546937422752978060123149387108317", "160578629446369328838463630213056123111", "55800704381838252904979346999253933746", "250265219113820724228197185886707073118", "19782484586458661874039702862718242670", "25424149211409059614636043450427951459" ] }, "id": "ASB-A-283006437-2df8e8a0", "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 8212.0, "function_hash": "245572871958414356327954138591672841843" }, "id": "ASB-A-283006437-a3f25229", "source": "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function": "restorePermissionState" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/0e1ebd84e27f5d4fa8bc6577705293251bcbac4f" ], "spl": "2023-08-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 8661.0, "function_hash": "145104657252555869640414577518760746497" }, "id": "ASB-A-283006437-11162f0b", "source": "https://android.googlesource.com/platform/frameworks/base/+/4ebd48959ce962b87c3468724ee4d7390714e3f3", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java", "function": "restorePermissionState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "241855179621913930701588804709780155522", "275479356698363652495977846336318607251", "255741566803734956684115847599940359502", "329511216806155411583397618051815937323", "230890054020277999966381857942827090781", "30743053879712092806019355833439531329", "164061260477018033836468278206461597782", "186425670345635799098268351722874335822", "276325974263410010527862255220314547069", "218520723691657242980782739382052017414", "155526587664885433202374294265209902170", "204856196167746811870896199949595693266", "295885706405182841829403271221225263171", "145729099851963986731834857453604949671", "292148157103032482322089350809150613971", "167382233552830894443080007920035353773", "314429486213177128614653224747932411797", "276325974263410010527862255220314547069", "118032391002288377293566182663078948299", "314595102839975675297811354990239556759", "163722187449539808166127513629106944859", "146762435681937213432946232827403882886", "37911553657853436485296153724958281419", "108645160186932075327622118651056146738", "92828404067021723650658033648695093647", "166946909467751980189952350180328577663", "15866680198536122678978656592794424777", "176595566564772642823644730206600131131", "178686642698283105794922610506754798137", "234428186770411006908902272106075667589", "75963442116464278584509164306047510920", "74776902845116693701746993520768117870", "12555057430024890003862183139881997738", "107490859850623254815892131356663147820", "194923508558333860654626642113920483145", "25435482031621032640164583620808387257", "286001486748147234981313512722507028679", "20353192589936882140155114595647809471", "249850546937422752978060123149387108317", "160578629446369328838463630213056123111", "55800704381838252904979346999253933746", "250265219113820724228197185886707073118", "19782484586458661874039702862718242670", "25424149211409059614636043450427951459" ] }, "id": "ASB-A-283006437-437192db", "source": "https://android.googlesource.com/platform/frameworks/base/+/4ebd48959ce962b87c3468724ee4d7390714e3f3", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4ebd48959ce962b87c3468724ee4d7390714e3f3" ], "spl": "2023-08-01", "severity": "High", "types": [ "EoP" ] }