Headline
CVE-2023-21269
In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
)]}'
{
  "commit": "70ec64dc5a2a816d6aa324190a726a85fd749b30",
  "tree": "a1e43d11b2f4ac0921e4391298c5224bde46b2af",
  "parents": [
    "49773f9d871dd8975128fccf71513928a5a97345"
  ],
  "author": {
    "name": "Hani Kazmi",
    "email": "[email protected]",
    "time": "Tue May 23 17:28:56 2023 +0000"
  },
  "committer": {
    "name": "Android Build Coastguard Worker",
    "email": "[email protected]",
    "time": "Thu Jun 08 20:34:14 2023 +0000"
  },
  "message": "Update Pip launches to not enter pinned task if in background.\n\nAddresses a BAL bypass where Pip could be started without the launcher\nbeing visible.\n\nBug: 271576718\nTest: atest CtsWindowManagerDeviceTestCases:PinnedStackTests\nTest: atest android.server.wm.BackgroundActivityLaunchTest#testPipCannotStartFromBackground\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1848b559059e021d1a923513ca2a936c6212a7ac)\nMerged-In: Ibadc9c21f1d23f9904fc11009a9c2a40535db5e0\nChange-Id: Ibadc9c21f1d23f9904fc11009a9c2a40535db5e0\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "84cd63424cd1653d62f5317a97d6c3e7e0324367",
      "old_mode": 33188,
      "old_path": "services/core/java/com/android/server/wm/ActivityStarter.java",
      "new_id": "e6d311f7a9aa6d78c951e775efc7a07c3a6dfca0",
      "new_mode": 33188,
      "new_path": "services/core/java/com/android/server/wm/ActivityStarter.java"
    }
  ]
}
Related news
In doKeyguardLocked of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.