Headline
CVE-2023-20942
In openMmapStream of AudioFlinger.cpp, there is a possible way to record audio without displaying the microphone privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Commit: bae3b00a5873d1562679a1289fd8490178cfe064
Tree: 8a87ef2bda8f258a7d5c2ef13925498f6667b887
Parent: c267873fb58b0c8798147254a8bb130bd20a846b
Author: Eric Laurent, Thu Nov 10 16:04:44 2022 +0100
Committer: Android Build Coastguard Worker, Thu Dec 08 04:02:38 2022 +0000

Commit message:

audio: fix missing package name in attribution source

The attribution source passed by OpenSL ES does not have a package name
which is needed to register for app ops changes.
This CL moves the attribution source verification before we call
AudioPolicyManager getInputForAttr so that the package name is correct
when registering for app ops.
This CL also:
- limits the attribution check to filling missing package name
- adds system server in trusted source for client UIDs.
- removes redundant UID check in AudioPolicyService getOutputForAttr and
getInputForAttr as those are only called from AudioFlinger after verification
- Add missing attribution source verification in openMmapStream()

Bug: 243376549
Bug: 258021433
Test: verify app ops work with WhatsApp
Test: audio capture regression
Change-Id: I40040b8ace382f145dcfc8d04d81dcf6a259dfeb
Merged-In: I40040b8ace382f145dcfc8d04d81dcf6a259dfeb
(cherry picked from commit 9ff3e533ef45173bb4014ff20b801fcbda88b1db)
(cherry picked from commit 74058e6f701d8c4200858781d2d3a150ea4fa3bb)
Merged-In: I40040b8ace382f145dcfc8d04d81dcf6a259dfeb

Files changed:
modify services/audioflinger/AudioFlinger.cpp (mode 33188; f7576f670b767a770a3b6fbb8fe3d851b8d17b3e -> 23a3a36c781edb427ef4daf0f224418f72777497)
modify services/audioflinger/Threads.cpp (mode 33188; 07e82a8f9677c334f4cf813ea7ec612fba01758e -> 683e32007368dc23ae17916205d4705c63415a7e)
modify services/audioflinger/Tracks.cpp (mode 33188; 613502094d2b79e11bf861b4fa375d15a67efcf4 -> 83a8bb0d5fe1e1794843a406ae784853beca81b9)
modify services/audiopolicy/service/AudioPolicyInterfaceImpl.cpp (mode 33188; df49bba79a2466a5972e7ea7b9543b28ba145baf -> 49224c5bb0c9897ba558fda22b9db2e1cb0595a1)
Related news
Clone vulnerability in the huks ta module. Successful exploitation of this vulnerability may affect service confidentiality.
In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
In addAutomaticZenRule of ZenModeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-242537431