In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "218321599948717590714487254783163945621", "45588506461727005894535084985380218720", "124855805480593868214252434885215660663", "304130721794607915852323038872467968267", "323667575840971434249975967998125264912" ] }, "id": "ASB-A-294609150-58741196", "source": "https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/MemoryHeapBase.cpp" }, "signature_type": "Line" }, { "digest": { "length": 1361.0, "function_hash": "187671776888294417156935036257939364166" }, "id": "ASB-A-294609150-fb3091e1", "source": "https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/MemoryHeapBase.cpp", "function": "MemoryHeapBase::MemoryHeapBase" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "261156310786695644581642584175879933835", "180811507382681509562895906386789842283", "207842613690740056545347470374413932687", "191196209844926916100865936626187733986", "235807140696617410489558382673550515034", "162574758249669744246306361414159655520", "101840385824538227903280020879843624924", "117185873691115811326861917347887040936", "324678747457288162797933506071644273953", "299325987141489419938834652528185645879", "309801869721460638901119034333604737846", "73966523449701301462376068364524983548" ] }, "id": "ASB-A-294609150-6b722d23", "source": "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp" }, "signature_type": "Line" }, { "digest": { "length": 316.0, "function_hash": "113970752469977986086479737717709044364" }, "id": "ASB-A-294609150-72f80b7a", "source": "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_set_prot_region" }, "signature_type": "Function" }, { "digest": { "length": 573.0, "function_hash": "291495214528864181825778639720026738285" }, "id": "ASB-A-294609150-a175e426", "source": "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_create_region" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 316.0, "function_hash": "113970752469977986086479737717709044364" }, "id": "ASB-A-294609150-269ceb79", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_set_prot_region" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "261156310786695644581642584175879933835", "180811507382681509562895906386789842283", "207842613690740056545347470374413932687", "191196209844926916100865936626187733986", "235807140696617410489558382673550515034", "162574758249669744246306361414159655520", "101840385824538227903280020879843624924", "117185873691115811326861917347887040936", "324678747457288162797933506071644273953", "299325987141489419938834652528185645879", "309801869721460638901119034333604737846", "73966523449701301462376068364524983548" ] }, "id": "ASB-A-294609150-a701bf38", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp" }, "signature_type": "Line" }, { "digest": { "length": 559.0, "function_hash": "195215426006106713982080118962166354165" }, "id": "ASB-A-294609150-f00b7765", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_create_region" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 559.0, "function_hash": "195215426006106713982080118962166354165" }, "id": "ASB-A-294609150-0bced3c9", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_create_region" }, "signature_type": "Function" }, { "digest": { "length": 316.0, "function_hash": "113970752469977986086479737717709044364" }, "id": "ASB-A-294609150-368122f0", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_set_prot_region" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "261156310786695644581642584175879933835", "180811507382681509562895906386789842283", "207842613690740056545347470374413932687", "191196209844926916100865936626187733986", "235807140696617410489558382673550515034", "162574758249669744246306361414159655520", "101840385824538227903280020879843624924", "117185873691115811326861917347887040936", "324678747457288162797933506071644273953", "299325987141489419938834652528185645879", "309801869721460638901119034333604737846", "73966523449701301462376068364524983548" ] }, "id": "ASB-A-294609150-8d7535b2", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "261156310786695644581642584175879933835", "180811507382681509562895906386789842283", "207842613690740056545347470374413932687", "191196209844926916100865936626187733986", "235807140696617410489558382673550515034", "162574758249669744246306361414159655520", "101840385824538227903280020879843624924", "117185873691115811326861917347887040936", "324678747457288162797933506071644273953", "299325987141489419938834652528185645879", "309801869721460638901119034333604737846", "73966523449701301462376068364524983548" ] }, "id": "ASB-A-294609150-571df3c0", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp" }, "signature_type": "Line" }, { "digest": { "length": 559.0, "function_hash": "195215426006106713982080118962166354165" }, "id": "ASB-A-294609150-b412d294", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_create_region" }, "signature_type": "Function" }, { "digest": { "length": 316.0, "function_hash": "113970752469977986086479737717709044364" }, "id": "ASB-A-294609150-ef4af1bd", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_set_prot_region" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "218321599948717590714487254783163945621", "34036627689076654165346954968650927935", "177528396368070132329863857794330917805", "135261448792827151031508216050454184951", "321031115397245363340750465791525223961" ] }, "id": "ASB-A-294609150-94e818ec", "source": "https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/MemoryHeapBase.cpp" }, "signature_type": "Line" }, { "digest": { "length": 1454.0, "function_hash": "167039174744814058412077865357774448779" }, "id": "ASB-A-294609150-ac2ad346", "source": "https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/MemoryHeapBase.cpp", "function": "MemoryHeapBase::MemoryHeapBase" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "261156310786695644581642584175879933835", "180811507382681509562895906386789842283", "207842613690740056545347470374413932687", "191196209844926916100865936626187733986", "235807140696617410489558382673550515034", "162574758249669744246306361414159655520", "101840385824538227903280020879843624924", "117185873691115811326861917347887040936", "324678747457288162797933506071644273953", "299325987141489419938834652528185645879", "309801869721460638901119034333604737846", "73966523449701301462376068364524983548" ] }, "id": "ASB-A-294609150-5be709b1", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp" }, "signature_type": "Line" }, { "digest": { "length": 559.0, "function_hash": "195215426006106713982080118962166354165" }, "id": "ASB-A-294609150-61680bca", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_create_region" }, "signature_type": "Function" }, { "digest": { "length": 316.0, "function_hash": "113970752469977986086479737717709044364" }, "id": "ASB-A-294609150-6e720e7d", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_set_prot_region" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "218321599948717590714487254783163945621", "45588506461727005894535084985380218720", "124855805480593868214252434885215660663", "304130721794607915852323038872467968267", "323667575840971434249975967998125264912" ] }, "id": "ASB-A-294609150-3e4f4ab8", "source": "https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/MemoryHeapBase.cpp" }, "signature_type": "Line" }, { "digest": { "length": 1343.0, "function_hash": "41683057875052563667609673171350457900" }, "id": "ASB-A-294609150-f61a0fb0", "source": "https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/MemoryHeapBase.cpp", "function": "MemoryHeapBase::MemoryHeapBase" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "261156310786695644581642584175879933835", "180811507382681509562895906386789842283", "207842613690740056545347470374413932687", "191196209844926916100865936626187733986", "235807140696617410489558382673550515034", "162574758249669744246306361414159655520", "101840385824538227903280020879843624924", "117185873691115811326861917347887040936", "324678747457288162797933506071644273953", "299325987141489419938834652528185645879", "309801869721460638901119034333604737846", "73966523449701301462376068364524983548" ] }, "id": "ASB-A-294609150-533436e9", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp" }, "signature_type": "Line" }, { "digest": { "length": 559.0, "function_hash": "195215426006106713982080118962166354165" }, "id": "ASB-A-294609150-803ad71a", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_create_region" }, "signature_type": "Function" }, { "digest": { "length": 316.0, "function_hash": "113970752469977986086479737717709044364" }, "id": "ASB-A-294609150-b5b7a8c1", "source": "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351", "deprecated": false, "signature_version": "v1", "target": { "file": "libcutils/ashmem-dev.cpp", "function": "memfd_set_prot_region" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351" ], "spl": "2024-02-01", "severity": "High", "types": [ "EoP" ] }