Headline
CVE-2023-21284
In multiple functions of DevicePolicyManager.java, there is a possible way to prevent enabling the Find my Device feature due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.
{
  "commit": "ed3f25b7222d4cff471f2b7d22d1150348146957",
  "tree": "7555a4e85b65aebefdcad7d82d5b71b0396cbf3b",
  "parents": [ "cb6282e8970f4c9db5497889699e68fb2038566e" ],
  "author": { "name": "Pavel Grafov", "email": "[email protected]", "time": "Wed Apr 05 15:15:41 2023 +0000" },
  "committer": { "name": "Android Build Coastguard Worker", "email": "[email protected]", "time": "Thu Jun 08 20:33:44 2023 +0000" },
  "message": "Ensure policy has no absurdly long strings\n\nThe following APIs now enforce limits and throw IllegalArgumentException\nwhen limits are violated:\n* DPM.setTrustAgentConfiguration() limits agent package name,\n component name, and strings within configuration bundle.\n* DPM.setPermittedAccessibilityServices() limits package names.\n* DPM.setPermittedInputMethods() limits package names.\n* DPM.setAccountManagementDisabled() limits account name.\n* DPM.setLockTaskPackages() limits package names.\n* DPM.setAffiliationIds() limits id.\n* DPM.transferOwnership() limits strings inside the bundle.\n\nPackage names are limited at 223, because they become directory names\nand it is a filesystem restriction, see FrameworkParsingPackageUtils.\n\nAll other strings are limited at 65535, because longer ones break binary\nXML serializer.\n\nThe following APIs silently truncate strings that are long beyond reason:\n* DPM.setShortSupportMessage() truncates message at 200.\n* DPM.setLongSupportMessage() truncates message at 20000.\n* DPM.setOrganizationName() truncates org name at 200.\n\nBug: 260729089\nTest: atest com.android.server.devicepolicy\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5dd3e81347e3c841510094fb5effd51fc0fa995b)\nMerged-In: Idcf54e408722f164d16bf2f24a00cd1f5b626d23\nChange-Id: Idcf54e408722f164d16bf2f24a00cd1f5b626d23\n",
  "tree_diff": [
    { "type": "modify", "old_id": "5338ebdc92ee0c2435d8b086328f0b866f5a1bc1", "old_mode": 33188, "old_path": "core/java/android/app/admin/DevicePolicyManager.java", "new_id": "86746b9f203a66611ef4875640f23ea754f2fea9", "new_mode": 33188, "new_path": "core/java/android/app/admin/DevicePolicyManager.java" },
    { "type": "modify", "old_id": "851e15123d8a061d91a894610d00eca286c1823e", "old_mode": 33188, "old_path": "services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java", "new_id": "32aa936195e262bc445755336c391c4c47a11235", "new_mode": 33188, "new_path": "services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java" }
  ]
}
Related news
Clone vulnerability in the huks ta module. Successful exploitation of this vulnerability may affect service confidentiality.
In doKeyguardLocked of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.