In multiple functions of MessageQueueBase.h, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 67.0, "function_hash": "152908095466554525151767292445838411466" }, "id": "ASB-A-321326147-b6da29fd", "source": "https://android.googlesource.com/platform/system/libfmq/+/db9028d6eead72c9cd45da48087ec6d5f1ac9c5a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToWriteBytes" }, "signature_type": "Function" }, { "digest": { "length": 132.0, "function_hash": "42176836157770431253731899450536067667" }, "id": "ASB-A-321326147-d833764a", "source": "https://android.googlesource.com/platform/system/libfmq/+/db9028d6eead72c9cd45da48087ec6d5f1ac9c5a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToReadBytes" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "223300289963335374737942252888573102210", "18488681837412616122657724577069121117", "117125899055428656738178779745640830831", "124740727282001485722438669538694109634", "26754661951786742350714602196532112434", "309930484527067763940979091410551508531", "12256677282735441436613688363205428834", "296149326157022037812024307966699756893", "186726450763857558586092957778372274909", "109017410997082114250456964558342449531" ] }, "id": "ASB-A-321326147-eecf1aa8", "source": "https://android.googlesource.com/platform/system/libfmq/+/db9028d6eead72c9cd45da48087ec6d5f1ac9c5a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/libfmq/+/db9028d6eead72c9cd45da48087ec6d5f1ac9c5a" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 67.0, "function_hash": "152908095466554525151767292445838411466" }, "id": "ASB-A-321326147-4c2650f1", "source": "https://android.googlesource.com/platform/system/libfmq/+/af19e0ef034174afd794563552f91303fd9f1529", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToWriteBytes" }, "signature_type": "Function" }, { "digest": { "length": 132.0, "function_hash": "42176836157770431253731899450536067667" }, "id": "ASB-A-321326147-c7b1ad30", "source": "https://android.googlesource.com/platform/system/libfmq/+/af19e0ef034174afd794563552f91303fd9f1529", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToReadBytes" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "223300289963335374737942252888573102210", "18488681837412616122657724577069121117", "117125899055428656738178779745640830831", "124740727282001485722438669538694109634", "26754661951786742350714602196532112434", "309930484527067763940979091410551508531", "12256677282735441436613688363205428834", "296149326157022037812024307966699756893", "186726450763857558586092957778372274909", "109017410997082114250456964558342449531" ] }, "id": "ASB-A-321326147-eb5c74d7", "source": "https://android.googlesource.com/platform/system/libfmq/+/af19e0ef034174afd794563552f91303fd9f1529", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/libfmq/+/af19e0ef034174afd794563552f91303fd9f1529" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "223300289963335374737942252888573102210", "18488681837412616122657724577069121117", "117125899055428656738178779745640830831", "124740727282001485722438669538694109634", "26754661951786742350714602196532112434", "309930484527067763940979091410551508531", "12256677282735441436613688363205428834", "296149326157022037812024307966699756893", "186726450763857558586092957778372274909", "109017410997082114250456964558342449531" ] }, "id": "ASB-A-321326147-71cda85e", "source": "https://android.googlesource.com/platform/system/libfmq/+/b923a7c0d0d25de7b0c9ba7a7c2a3e917819d95a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h" }, "signature_type": "Line" }, { "digest": { "length": 67.0, "function_hash": "152908095466554525151767292445838411466" }, "id": "ASB-A-321326147-99698b61", "source": "https://android.googlesource.com/platform/system/libfmq/+/b923a7c0d0d25de7b0c9ba7a7c2a3e917819d95a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToWriteBytes" }, "signature_type": "Function" }, { "digest": { "length": 132.0, "function_hash": "42176836157770431253731899450536067667" }, "id": "ASB-A-321326147-f0af7d31", "source": "https://android.googlesource.com/platform/system/libfmq/+/b923a7c0d0d25de7b0c9ba7a7c2a3e917819d95a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToReadBytes" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/libfmq/+/b923a7c0d0d25de7b0c9ba7a7c2a3e917819d95a" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "223300289963335374737942252888573102210", "18488681837412616122657724577069121117", "117125899055428656738178779745640830831", "124740727282001485722438669538694109634", "26754661951786742350714602196532112434", "309930484527067763940979091410551508531", "12256677282735441436613688363205428834", "296149326157022037812024307966699756893", "186726450763857558586092957778372274909", "109017410997082114250456964558342449531" ] }, "id": "ASB-A-321326147-54886f13", "source": "https://android.googlesource.com/platform/system/libfmq/+/050952bf5f9bd035e469ce005300115d563e524a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h" }, "signature_type": "Line" }, { "digest": { "length": 67.0, "function_hash": "152908095466554525151767292445838411466" }, "id": "ASB-A-321326147-588489ff", "source": "https://android.googlesource.com/platform/system/libfmq/+/050952bf5f9bd035e469ce005300115d563e524a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToWriteBytes" }, "signature_type": "Function" }, { "digest": { "length": 132.0, "function_hash": "42176836157770431253731899450536067667" }, "id": "ASB-A-321326147-c0375658", "source": "https://android.googlesource.com/platform/system/libfmq/+/050952bf5f9bd035e469ce005300115d563e524a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToReadBytes" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/libfmq/+/050952bf5f9bd035e469ce005300115d563e524a" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "223300289963335374737942252888573102210", "18488681837412616122657724577069121117", "117125899055428656738178779745640830831", "124740727282001485722438669538694109634", "26754661951786742350714602196532112434", "309930484527067763940979091410551508531", "12256677282735441436613688363205428834", "296149326157022037812024307966699756893", "186726450763857558586092957778372274909", "109017410997082114250456964558342449531" ] }, "id": "ASB-A-321326147-11822135", "source": "https://android.googlesource.com/platform/system/libfmq/+/da080aa565f0cd1158bde3b8100dc73604959035", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h" }, "signature_type": "Line" }, { "digest": { "length": 132.0, "function_hash": "42176836157770431253731899450536067667" }, "id": "ASB-A-321326147-6cb18cc9", "source": "https://android.googlesource.com/platform/system/libfmq/+/da080aa565f0cd1158bde3b8100dc73604959035", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToReadBytes" }, "signature_type": "Function" }, { "digest": { "length": 67.0, "function_hash": "152908095466554525151767292445838411466" }, "id": "ASB-A-321326147-a76eed42", "source": "https://android.googlesource.com/platform/system/libfmq/+/da080aa565f0cd1158bde3b8100dc73604959035", "deprecated": false, "signature_version": "v1", "target": { "file": "include/fmq/MessageQueueBase.h", "function": "availableToWriteBytes" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/libfmq/+/da080aa565f0cd1158bde3b8100dc73604959035" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }