CVE-2023-40117

In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.


Fix commit

commit:    ff86ff28cf82124f8e65833a2dd8c319aea08945
tree:      524d68215696fbfe5584e2a97f296e20904941a2
parent:    86c8421c1181816b6cb333eb62a78e32290c4b17
author:    Eric Biggers [email protected], Fri Jul 28 22:03:03 2023 +0000
committer: Justin Dunlap [email protected], Fri Sep 01 12:58:52 2023 -0700

Commit message:

    RESTRICT AUTOMERGE: SettingsProvider: exclude secure_frp_mode from resets

    When RescueParty detects that a system process is crashing frequently,
    it tries to recover in various ways, such as by resetting all settings.
    Unfortunately, this included resetting the secure_frp_mode setting,
    which is the means by which the system keeps track of whether the
    Factory Reset Protection (FRP) challenge has been passed yet. With this
    setting reset, some FRP restrictions went away and it became possible to
    bypass FRP by setting a new lockscreen credential.

    Fix this by excluding secure_frp_mode from resets.

    Note: currently this bug isn't reproducible on 'main' due to ag/23727749
    disabling much of RescueParty, but that is a temporary change.

    Bug: 253043065
    Test: With ag/23727749 reverted and with my fix to prevent
     com.android.settings from crashing *not* applied, tried repeatedly
     setting lockscreen credential while in FRP mode, using the
     smartlock setup activity launched by intent via adb. Verified
     that although RescueParty is still triggered after 5 attempts,
     secure_frp_mode is no longer reset (its value remains "1").
    Test: Verified that secure_frp_mode still gets changed from 1 to 0 when
     FRP is passed legitimately.
    Test: atest com.android.providers.settings.SettingsProviderTest
    Test: atest android.provider.SettingsProviderTest
    (cherry picked from commit 9890dd7f15c091f7d1a09e4fddb9f85d32015955)
    (changed Global.SECURE_FRP_MODE to Secure.SECURE_FRP_MODE,
     needed because this setting was moved in U)
    (removed static keyword from shouldExcludeSettingFromReset(),
     needed for compatibility with Java 15 and earlier)
    (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8c2d2c6fc91c6b80809a91ac510667af24d2cf17)
    Merged-In: Id95ed43b9cc2208090064392bcd5dc012710af93
    Change-Id: Id95ed43b9cc2208090064392bcd5dc012710af93

Files modified:

    packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
      old_id: a6edb0f0e2e35722ff118876f3098934a38b0f76 (mode 33188)
      new_id: 2e04cdae2a30420eb8a7aa41adf5dd5ef4dbf661 (mode 33188)

    packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java
      old_id: eaf0dcb9b4e797a07e5c2c058c3bbfe260b5024a (mode 33188)
      new_id: 1c6d2b08136c3bda2fee087466e44ee105ce8ec4 (mode 33188)
