ASB-A-294609150

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-294609150.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-294609150
Aliases
  • A-294609150
  • CVE-2024-0033
Published
2024-02-01T00:00:00Z
Modified
2024-08-07T19:29:20.430249Z
Summary
[Binder MemoryHeapBase] - Need to SEAL file size on memfd mapped region
Details

In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/native

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14-next:0
Fixed
14-next:2024-02-01

Affected versions

Other

14-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "218321599948717590714487254783163945621",
                    "45588506461727005894535084985380218720",
                    "124855805480593868214252434885215660663",
                    "304130721794607915852323038872467968267",
                    "323667575840971434249975967998125264912"
                ]
            },
            "id": "ASB-A-294609150-58741196",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/binder/MemoryHeapBase.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1361.0,
                "function_hash": "187671776888294417156935036257939364166"
            },
            "id": "ASB-A-294609150-fb3091e1",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/binder/MemoryHeapBase.cpp",
                "function": "MemoryHeapBase::MemoryHeapBase"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14-next:0
Fixed
14-next:2024-02-01

Affected versions

Other

14-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "261156310786695644581642584175879933835",
                    "180811507382681509562895906386789842283",
                    "207842613690740056545347470374413932687",
                    "191196209844926916100865936626187733986",
                    "235807140696617410489558382673550515034",
                    "162574758249669744246306361414159655520",
                    "101840385824538227903280020879843624924",
                    "117185873691115811326861917347887040936",
                    "324678747457288162797933506071644273953",
                    "299325987141489419938834652528185645879",
                    "309801869721460638901119034333604737846",
                    "73966523449701301462376068364524983548"
                ]
            },
            "id": "ASB-A-294609150-6b722d23",
            "source": "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 316.0,
                "function_hash": "113970752469977986086479737717709044364"
            },
            "id": "ASB-A-294609150-72f80b7a",
            "source": "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_set_prot_region"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 573.0,
                "function_hash": "291495214528864181825778639720026738285"
            },
            "id": "ASB-A-294609150-a175e426",
            "source": "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_create_region"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2024-02-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 316.0,
                "function_hash": "113970752469977986086479737717709044364"
            },
            "id": "ASB-A-294609150-269ceb79",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_set_prot_region"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "261156310786695644581642584175879933835",
                    "180811507382681509562895906386789842283",
                    "207842613690740056545347470374413932687",
                    "191196209844926916100865936626187733986",
                    "235807140696617410489558382673550515034",
                    "162574758249669744246306361414159655520",
                    "101840385824538227903280020879843624924",
                    "117185873691115811326861917347887040936",
                    "324678747457288162797933506071644273953",
                    "299325987141489419938834652528185645879",
                    "309801869721460638901119034333604737846",
                    "73966523449701301462376068364524983548"
                ]
            },
            "id": "ASB-A-294609150-a701bf38",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 559.0,
                "function_hash": "195215426006106713982080118962166354165"
            },
            "id": "ASB-A-294609150-f00b7765",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_create_region"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2024-02-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 559.0,
                "function_hash": "195215426006106713982080118962166354165"
            },
            "id": "ASB-A-294609150-0bced3c9",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_create_region"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 316.0,
                "function_hash": "113970752469977986086479737717709044364"
            },
            "id": "ASB-A-294609150-368122f0",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_set_prot_region"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "261156310786695644581642584175879933835",
                    "180811507382681509562895906386789842283",
                    "207842613690740056545347470374413932687",
                    "191196209844926916100865936626187733986",
                    "235807140696617410489558382673550515034",
                    "162574758249669744246306361414159655520",
                    "101840385824538227903280020879843624924",
                    "117185873691115811326861917347887040936",
                    "324678747457288162797933506071644273953",
                    "299325987141489419938834652528185645879",
                    "309801869721460638901119034333604737846",
                    "73966523449701301462376068364524983548"
                ]
            },
            "id": "ASB-A-294609150-8d7535b2",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2024-02-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "261156310786695644581642584175879933835",
                    "180811507382681509562895906386789842283",
                    "207842613690740056545347470374413932687",
                    "191196209844926916100865936626187733986",
                    "235807140696617410489558382673550515034",
                    "162574758249669744246306361414159655520",
                    "101840385824538227903280020879843624924",
                    "117185873691115811326861917347887040936",
                    "324678747457288162797933506071644273953",
                    "299325987141489419938834652528185645879",
                    "309801869721460638901119034333604737846",
                    "73966523449701301462376068364524983548"
                ]
            },
            "id": "ASB-A-294609150-571df3c0",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 559.0,
                "function_hash": "195215426006106713982080118962166354165"
            },
            "id": "ASB-A-294609150-b412d294",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_create_region"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 316.0,
                "function_hash": "113970752469977986086479737717709044364"
            },
            "id": "ASB-A-294609150-ef4af1bd",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_set_prot_region"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/native

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2024-02-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "218321599948717590714487254783163945621",
                    "34036627689076654165346954968650927935",
                    "177528396368070132329863857794330917805",
                    "135261448792827151031508216050454184951",
                    "321031115397245363340750465791525223961"
                ]
            },
            "id": "ASB-A-294609150-94e818ec",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/binder/MemoryHeapBase.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1454.0,
                "function_hash": "167039174744814058412077865357774448779"
            },
            "id": "ASB-A-294609150-ac2ad346",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/binder/MemoryHeapBase.cpp",
                "function": "MemoryHeapBase::MemoryHeapBase"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2024-02-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "261156310786695644581642584175879933835",
                    "180811507382681509562895906386789842283",
                    "207842613690740056545347470374413932687",
                    "191196209844926916100865936626187733986",
                    "235807140696617410489558382673550515034",
                    "162574758249669744246306361414159655520",
                    "101840385824538227903280020879843624924",
                    "117185873691115811326861917347887040936",
                    "324678747457288162797933506071644273953",
                    "299325987141489419938834652528185645879",
                    "309801869721460638901119034333604737846",
                    "73966523449701301462376068364524983548"
                ]
            },
            "id": "ASB-A-294609150-5be709b1",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 559.0,
                "function_hash": "195215426006106713982080118962166354165"
            },
            "id": "ASB-A-294609150-61680bca",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_create_region"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 316.0,
                "function_hash": "113970752469977986086479737717709044364"
            },
            "id": "ASB-A-294609150-6e720e7d",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_set_prot_region"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/native

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2024-02-01

Affected versions

Other

14

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "218321599948717590714487254783163945621",
                    "45588506461727005894535084985380218720",
                    "124855805480593868214252434885215660663",
                    "304130721794607915852323038872467968267",
                    "323667575840971434249975967998125264912"
                ]
            },
            "id": "ASB-A-294609150-3e4f4ab8",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/binder/MemoryHeapBase.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1343.0,
                "function_hash": "41683057875052563667609673171350457900"
            },
            "id": "ASB-A-294609150-f61a0fb0",
            "source": "https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libs/binder/MemoryHeapBase.cpp",
                "function": "MemoryHeapBase::MemoryHeapBase"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/system/core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2024-02-01

Affected versions

Other

14

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "261156310786695644581642584175879933835",
                    "180811507382681509562895906386789842283",
                    "207842613690740056545347470374413932687",
                    "191196209844926916100865936626187733986",
                    "235807140696617410489558382673550515034",
                    "162574758249669744246306361414159655520",
                    "101840385824538227903280020879843624924",
                    "117185873691115811326861917347887040936",
                    "324678747457288162797933506071644273953",
                    "299325987141489419938834652528185645879",
                    "309801869721460638901119034333604737846",
                    "73966523449701301462376068364524983548"
                ]
            },
            "id": "ASB-A-294609150-533436e9",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 559.0,
                "function_hash": "195215426006106713982080118962166354165"
            },
            "id": "ASB-A-294609150-803ad71a",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_create_region"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 316.0,
                "function_hash": "113970752469977986086479737717709044364"
            },
            "id": "ASB-A-294609150-b5b7a8c1",
            "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "libcutils/ashmem-dev.cpp",
                "function": "memfd_set_prot_region"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"
    ],
    "spl": "2024-02-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}