In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "0c3b7ec3377e7fb645ec366be3be96bb1a252ca1", "tree": "222d88340ccc012d992e39a87f195bf64b661b69", "parents": \[ "9b58aee2a4528c60b0aa2540bd0f48d2871d2dc7" \], "author": { "name": "Michael Mikhail", "email": "michaelmikhil@google.com", "time": "Fri May 26 19:41:21 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:25 2023 +0000" }, "message": "DO NOT MERGE\\nVerify URI permissions in MediaMetadata\\n\\nAdd a check for URI permission to make sure that user can access the URI\\nset in MediaMetadata. If permission is denied, clear the URI string set\\nin metadata.\\n\\nBug: 271851153\\nTest: atest MediaSessionTest\\nTest: Verified by POC app attached in bug, image of second user is not\\nthe UMO background of the first user.\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:277e7e05866a3da3c5871c071231b2b7c911d81e)\\nMerged-In: I932d5d5143998db89d7132ced84faffa4a0bd5aa\\nChange-Id: I932d5d5143998db89d7132ced84faffa4a0bd5aa\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "cc4895ffaf24a7a3e0bab6d4c364801ea7b72d14", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/media/MediaSessionRecord.java", "new\_id": "b459cfe6b44eb8575123a1efdfb58acac91ca2b0", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/media/MediaSessionRecord.java" } \] }

CVE-2023-21285

In multiple locations, there is a possible code execution due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "a79e80a25874dacaa266906a9048f13d4bac41c6", "tree": "20675215494af58053a383e6cfcb82e597490dcd", "parents": \[ "5d803bd3a68c98e1e9157ab187ee27c62ae0b4ec" \], "author": { "name": "Seigo Nonaka", "email": "nona@google.com", "time": "Tue May 02 10:01:38 2023 +0900" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:33:24 2023 +0000" }, "message": "Cherrypick following three changes\\n\\n\[cherrypick 545bf3a27\] \[sfnt, truetype\] Add \`size\_reset\` to \`MetricsVariations\`.\\n\[cherrypick daad10810\] \[truetype\] tt\_size\_reset\_height to take FT\_Size\\n\[cherrypick 51ad7b243\] \[services\] FT\_Size\_Reset\_Func to return FT\_Error\\n\\nBug: 278221085\\nTest: TreeHugger\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9fe9411db4b7e715a39c0ccf48d1e0328f1d8e7c)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cff127c5bc4a47ef88df305380ee2a47318a865b)\\nMerged-In: I7e839b2a36e35c27974a82cc76e853996a7c7688\\nChange-Id: I7e839b2a36e35c27974a82cc76e853996a7c7688\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "b9c95a7c9c8454637f0ddffacfc0b05153002be4", "old\_mode": 33188, "old\_path": "include/freetype/internal/services/svmetric.h", "new\_id": "ade6e9a6561bc67a479cce85684738a1b9dc44e7", "new\_mode": 33188, "new\_path": "include/freetype/internal/services/svmetric.h" }, { "type": "modify", "old\_id": "651131c8d36befa85ef7892b8c2e6b2d9882ba75", "old\_mode": 33188, "old\_path": "include/freetype/internal/tttypes.h", "new\_id": "afd7d024ad24c4842c6e14f0bdfa5dad5a53f9de", "new\_mode": 33188, "new\_path": "include/freetype/internal/tttypes.h" }, { "type": "modify", "old\_id": "59210f37c52272e1c43b230b92a23e9d089ffe42", "old\_mode": 33188, "old\_path": "src/cff/cffdrivr.c", "new\_id": "b3c018f78e80df458d963dabc4f6d41036ae1459", "new\_mode": 33188, "new\_path": "src/cff/cffdrivr.c" }, { "type": "modify", "old\_id": "3a4d47dbddd9c34ef2b7b011d0b37e6b6a1a2d93", "old\_mode": 33188, "old\_path": "src/cff/cffobjs.c", "new\_id": "80a25b7163edaaae735899e7a6519c8d40a4f069", "new\_mode": 33188, "new\_path": "src/cff/cffobjs.c" }, { "type": "modify", "old\_id": "789102479009ef7e053b28d3dbe27ba8e2d99a8e", "old\_mode": 33188, "old\_path": "src/sfnt/sfobjs.c", "new\_id": "64202aad8769613611c3cb0dd8c1e0e1d321cd2e", "new\_mode": 33188, "new\_path": "src/sfnt/sfobjs.c" }, { "type": "modify", "old\_id": "7aece36fb01ae87fe0ad35a3e9f0ae20485bf7d1", "old\_mode": 33188, "old\_path": "src/sfnt/ttmtx.c", "new\_id": "62cd021631f251463b73633ae79d50be500a90de", "new\_mode": 33188, "new\_path": "src/sfnt/ttmtx.c" }, { "type": "modify", "old\_id": "6fcfdb23e48a907482d14156afd4e9e07a8094fe", "old\_mode": 33188, "old\_path": "src/truetype/ttdriver.c", "new\_id": "bd7f2cea3865ebe409d8457014e493a2133e6fc3", "new\_mode": 33188, "new\_path": "src/truetype/ttdriver.c" }, { "type": "modify", "old\_id": "7f2db0cbdc0c8cafe8d0bfd2047758b48050e42c", "old\_mode": 33188, "old\_path": "src/truetype/ttgxvar.c", "new\_id": "bbd2640483a5b32a03d7a6e92620eb0ed1b57728", "new\_mode": 33188, "new\_path": "src/truetype/ttgxvar.c" }, { "type": "modify", "old\_id": "93fc548447398dc691d6ce1205e47884579d1318", "old\_mode": 33188, "old\_path": "src/truetype/ttobjs.c", "new\_id": "929f2c3fa0fd3e9379d22d8cf9732ce6f2686d76", "new\_mode": 33188, "new\_path": "src/truetype/ttobjs.c" }, { "type": "modify", "old\_id": "fd72378721bd951126693feea95394779b8d004b", "old\_mode": 33188, "old\_path": "src/truetype/ttobjs.h", "new\_id": "7e9c6a207b19014966112c9fe776c29aa1f3fdbd", "new\_mode": 33188, "new\_path": "src/truetype/ttobjs.h" } \] }

CVE-2023-21287

In multiple functions of StatusHints.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.



)\]}' { "commit": "9b41a963f352fdb3da1da8c633d45280badfcb24", "tree": "49a71d93fae992774e9bb48afeed5a785168139b", "parents": \[ "05dc6b45187be90de495056e82f814e665a61aef" \], "author": { "name": "Pranav Madapurmath", "email": "pmadapurmath@google.com", "time": "Thu Jun 01 00:26:10 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:53 2023 +0000" }, "message": "\[conflict\] Resolve StatusHints image exploit across user. am: a853f6ba61\\n\\nOriginal change: https://googleplex-android-review.googlesource.com/c/platform/packages/services/Telecomm/+/23463634\\n\\nFixes: 285211549\\nFixes: 280797684\\nSigned-off-by: Automerger Merge Worker \\u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\\u003e\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:41042bd0c8e1e47c19dfdb2a378c70d2090b1e15)\\nMerged-In: I69b0c64413ce3b5e8f56c4fbc5e195a5f5adb6d7\\nChange-Id: I69b0c64413ce3b5e8f56c4fbc5e195a5f5adb6d7\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "5bb1dbe08f136f5bb995b1aa466dcc4c57305437", "old\_mode": 33261, "old\_path": "src/com/android/server/telecom/ConnectionServiceWrapper.java", "new\_id": "d38af578656a9c94ce62cd04dffbe2e41078b639", "new\_mode": 33261, "new\_path": "src/com/android/server/telecom/ConnectionServiceWrapper.java" }, { "type": "modify", "old\_id": "049a501631f02adbc2884ca874fcd08368c2eea9", "old\_mode": 33188, "old\_path": "tests/src/com/android/server/telecom/tests/BasicCallTests.java", "new\_id": "7bce5a672f572864e0670e6c9a6abc0808868591", "new\_mode": 33188, "new\_path": "tests/src/com/android/server/telecom/tests/BasicCallTests.java" }, { "type": "modify", "old\_id": "926d74078e60f5514fa8789f7bdd7dd1fac07bff", "old\_mode": 33188, "old\_path": "tests/src/com/android/server/telecom/tests/CallExtrasTest.java", "new\_id": "cf44cfeff6ecb6a6dbc54c7d62d1b005f3b3f810", "new\_mode": 33188, "new\_path": "tests/src/com/android/server/telecom/tests/CallExtrasTest.java" }, { "type": "modify", "old\_id": "6e6646f7aef2b3d8d472b0b36e06b0ff0271d2be", "old\_mode": 33261, "old\_path": "tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java", "new\_id": "9f0b6aaf8c7084e8666bc62ca48139547c5e1d28", "new\_mode": 33261, "new\_path": "tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java" }, { "type": "modify", "old\_id": "d6ff196b9f4f117dbe80ec4090641ccef83e7907", "old\_mode": 33188, "old\_path": "tests/src/com/android/server/telecom/tests/TelecomSystemTest.java", "new\_id": "137cf8b4803f44dd0b8cf52c64fd9b92802fbaa7", "new\_mode": 33188, "new\_path": "tests/src/com/android/server/telecom/tests/TelecomSystemTest.java" }, { "type": "modify", "old\_id": "97e71d18bf6b8d94eaf436bf107b4ac0c93adeda", "old\_mode": 33188, "old\_path": "tests/src/com/android/server/telecom/tests/VideoCallTests.java", "new\_id": "84beedc0f5d2d0028b7abb8ed6eda81e46ed19f8", "new\_mode": 33188, "new\_path": "tests/src/com/android/server/telecom/tests/VideoCallTests.java" } \] }

CVE-2023-21283

In TRANSPOSER_SETTINGS of lpp_tran.h, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.



)\]}' { "commit": "4242f97d149b0bf0cd96f00cd1e9d30d5922cd46", "tree": "171f0bb02a5a419e237be316cae8fa72d45031ed", "parents": \[ "2474d98134b5fdf5d4d344bbc19a9ec070a06e58" \], "author": { "name": "Fraunhofer IIS FDK", "email": "audio-fdk@iis.fraunhofer.de", "time": "Tue May 30 16:39:32 2023 +0200" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:33:22 2023 +0000" }, "message": "Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().\\n\\nBug: 279766766\\nTest: see POC\\n(cherry picked from commit f682b8787eb312b9f8997dac4c2c18bb779cf0df)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2f8c08a4e7b228a55e4c89f0931069de8eda2df6)\\nMerged-In: I206973e0bb21140865efffd930e39f920f477359\\nChange-Id: I206973e0bb21140865efffd930e39f920f477359\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "51b4395ae4ac74ec7f5c33c3078e2ba7a8e25033", "old\_mode": 33188, "old\_path": "libSBRdec/src/lpp\_tran.h", "new\_id": "21c41011115d1ffb73fba08ab96606046aaa3dae", "new\_mode": 33188, "new\_path": "libSBRdec/src/lpp\_tran.h" } \] }

CVE-2023-21282

In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "726247f4f53e8cc0746175265652fa415a123c0c", "tree": "865181b307278ddbed77404c71b416a4f86294ae", "parents": \[ "e7ccba6da2c3febeb449c172c1d8091f7a35193d" \], "author": { "name": "Ioana Alexandru", "email": "aioana@google.com", "time": "Mon May 15 16:15:55 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:33:57 2023 +0000" }, "message": "Check URIs in notification public version.\\n\\nBug: 276294099\\nTest: atest NotificationManagerServiceTest NotificationVisitUrisTest\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67cd169d073486c7c047b80ab83843cdee69bf53)\\nMerged-In: I670198b213abb2cb29a9865eb9d1e897700508b4\\nChange-Id: I670198b213abb2cb29a9865eb9d1e897700508b4\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "034192ddcecec7487e8764a22915a7e99a218055", "old\_mode": 33188, "old\_path": "core/java/android/app/Notification.java", "new\_id": "e564ec1490373e7b1d280b36bb112414bd1a20fd", "new\_mode": 33188, "new\_path": "core/java/android/app/Notification.java" }, { "type": "modify", "old\_id": "689691b749a3f0f67101637f657563c18a55c647", "old\_mode": 33261, "old\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java", "new\_id": "28480bcda4eb13baf696a5a4385e986aaac31f8b", "new\_mode": 33261, "new\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java" } \] }

CVE-2023-21288

In multiple functions of KeyguardViewMediator.java, there is a possible failure to lock after screen timeout due to a logic error in the code. This could lead to local escalation of privilege across users with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "badb243574d7fca9aa89152d9d25eeb4f8615385", "tree": "9326e3afec08486cb46575bbbde3fc6a1d92d5c6", "parents": \[ "0c3b7ec3377e7fb645ec366be3be96bb1a252ca1" \], "author": { "name": "Chandru S", "email": "chandruis@google.com", "time": "Tue May 16 10:41:07 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:29 2023 +0000" }, "message": "Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used\\n\\nBug: 265431505\\nTest: atest KeyguardViewMediatorTest\\n(cherry picked from commit 625e009fc195ba5d658ca2d78ebb23d2770cc6c4)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dbdfadc24c81453c9c51e0d549b0ace924f4341e)\\nMerged-In: I66a660c091c90a957a0fd1e144c013840db3f47e\\nChange-Id: I66a660c091c90a957a0fd1e144c013840db3f47e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "89994b0c228d5c7ff47d233f719f81723bbe3709", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java", "new\_id": "5d086e833e14a5f3909946425b4fb80baf24efa8", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java" } \] }

CVE-2023-21281

In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "70ec64dc5a2a816d6aa324190a726a85fd749b30", "tree": "a1e43d11b2f4ac0921e4391298c5224bde46b2af", "parents": \[ "49773f9d871dd8975128fccf71513928a5a97345" \], "author": { "name": "Hani Kazmi", "email": "hanikazmi@google.com", "time": "Tue May 23 17:28:56 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:14 2023 +0000" }, "message": "Update Pip launches to not enter pinned task if in background.\\n\\nAddresses a BAL bypass where Pip could be started without the launcher\\nbeing visible.\\n\\nBug: 271576718\\nTest: atest CtsWindowManagerDeviceTestCases:PinnedStackTests\\nTest: atest android.server.wm.BackgroundActivityLaunchTest#testPipCannotStartFromBackground\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1848b559059e021d1a923513ca2a936c6212a7ac)\\nMerged-In: Ibadc9c21f1d23f9904fc11009a9c2a40535db5e0\\nChange-Id: Ibadc9c21f1d23f9904fc11009a9c2a40535db5e0\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "84cd63424cd1653d62f5317a97d6c3e7e0324367", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/wm/ActivityStarter.java", "new\_id": "e6d311f7a9aa6d78c951e775efc7a07c3a6dfca0", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/wm/ActivityStarter.java" } \] }

CVE-2023-21269

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "0679e4f35055729be7276536fe45fe8ec18a0453", "tree": "41d3703f1e553ae502b583449fcb7c5a4c8c0f13", "parents": \[ "8252d067b83cd7f03d5380ce5cc96320c7d69f17" \], "author": { "name": "Nate Myren", "email": "ntmyren@google.com", "time": "Tue Dec 06 14:01:03 2022 -0800" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:34:48 2023 +0000" }, "message": "RESTRICT AUTOMERGE Finish ManagePermissionsActivity if device is not provisioned\\n\\nIf the device isn\\u0027t set up yet, do not allow access to the permissions\\nsettings\\n\\nBug: 253043490\\nTest: manual\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a6f1f59d6cb5367f0c88980a75ddc227dba956a)\\nMerged-In: I6e8fb8f2d934cff965069493740cfc1c59c3623f\\nChange-Id: I6e8fb8f2d934cff965069493740cfc1c59c3623f\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "4c186cf7e2520e7428928cece45c14ce16e05d90", "old\_mode": 33188, "old\_path": "PermissionController/src/com/android/permissioncontroller/permission/ui/ManagePermissionsActivity.java", "new\_id": "c7b1bdcfa77b28fa983c109595699ee5101f312a", "new\_mode": 33188, "new\_path": "PermissionController/src/com/android/permissioncontroller/permission/ui/ManagePermissionsActivity.java" } \] }

CVE-2023-21140

In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "0d3cb609b0851ea9e5745cc6101e57c2e5e739f2", "tree": "7a0189a8f8573cdefb0afbe02c560cc04bbd86d9", "parents": \[ "bd318b9772759546509f6fdb8648366099dd65ad" \], "author": { "name": "Hai Shalom", "email": "haishalom@google.com", "time": "Thu Mar 02 23:00:56 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Apr 06 00:38:45 2023 +0000" }, "message": "\[TOFU\] Implement a secure TOFU flow\\n\\nImplement a secure TOFU flow for supporting devices, and\\nnotifications about insecure connections in non-supporting\\ndevices, when insecure configurations are not allowed.\\nHandle the case where insecure enterprise configurations are\\nallowed in the new and secure TOFU flow. In this mode, do not\\ndisconnect the network, do not load certificates, and do not\\nnotify the user about anything.\\nDisplay the correct certificate information in the dialog,\\nremove the email and 8-octet signature from the TOFU dialog, and\\nreplace with user verifiable information: certificate expiration\\ndate (locale adjusted) and a SHA-256 fingerprint of the server\\ncertificate which is locally generated.\\nNetwork admins can calculate the fingerprint of their server\\ncertificate and publish the result to their users, using:\\nopenssl x509 -in server-cert.pem -noout -fingerprint -sha256\\n\\nUpdated-Overlayable: TRUE\\nUpdated-PDD: TRUE\\n\\nBug: 267633332\\nBug: 251910611\\nBug: 250574778\\nTest: atest ClientModeImplTest InsecureEapNetworkHandlerTest\\nTest: atest WifiConfigManagerTest\\nTest: Integration test on R, and T devices with overlay setting\\nof insecure networks allowed and not allowed, and with new\\nconfigs and insecure (Do not validate) configs made with R.\\nTest: Functional test, UI verification with multiple locales\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a5227527411bc24e6e2c6276f16559c7305b6783)\\nMerged-In: I5cac12cd8c52a8a9425e98dad0fb90893f53e374\\nChange-Id: I5cac12cd8c52a8a9425e98dad0fb90893f53e374\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "2d6d08db5b4540a350d0cc8099849a74e021f211", "old\_mode": 33188, "old\_path": "service/ServiceWifiResources/res/values/overlayable.xml", "new\_id": "4ddba7f7322f680502cd308ba8942bf7839db727", "new\_mode": 33188, "new\_path": "service/ServiceWifiResources/res/values/overlayable.xml" }, { "type": "modify", "old\_id": "15ffcf0adabd9d5306e6ac64b3b8135d0768c967", "old\_mode": 33188, "old\_path": "service/ServiceWifiResources/res/values/strings.xml", "new\_id": "bfcb96a1f8801857cc8dfe2ba8e877a43adbfcb9", "new\_mode": 33188, "new\_path": "service/ServiceWifiResources/res/values/strings.xml" }, { "type": "modify", "old\_id": "92cc9ffce6119ede40f7d08d074399b8b9bc1e41", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/ClientModeImpl.java", "new\_id": "c4c0823db079402feb4ee5f2c833a75f339eae72", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/ClientModeImpl.java" }, { "type": "modify", "old\_id": "225d01c7e55d10b3226fd112e6c4d6ae12f34ca7", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/InsecureEapNetworkHandler.java", "new\_id": "6c55feab7fdfeeec9943cf005f624046e09c2948", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/InsecureEapNetworkHandler.java" }, { "type": "modify", "old\_id": "2079cb82d085a8c3eb69dcabab26d3b73327d346", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/WifiConfigManager.java", "new\_id": "f2a39dadaeb1c9010ab1e28e975c8297a1a14730", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/WifiConfigManager.java" }, { "type": "modify", "old\_id": "a69614090ce52d28a21430b0372ab917e628e308", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/WifiKeyStore.java", "new\_id": "deb2e9d94c36a6380358570288ece5f88581b294", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/WifiKeyStore.java" }, { "type": "modify", "old\_id": "16b05c38892fdc15e3ff23257b591097c92c3280", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/WifiServiceImpl.java", "new\_id": "30ea2482954ffb0f3cf4ed496fc1925ea3915942", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/WifiServiceImpl.java" }, { "type": "modify", "old\_id": "09a596f984cf403feaf85b6ab986de9fbdd05d00", "old\_mode": 33188, "old\_path": "service/proto/src/metrics.proto", "new\_id": "871eb2c750cd50f21e7740a3d3d18463836352f1", "new\_mode": 33188, "new\_path": "service/proto/src/metrics.proto" }, { "type": "modify", "old\_id": "ca8f5b031ceac99ff603d27679d89a0f7a22b208", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java", "new\_id": "cef996fef1df59033c6e62b544aa05b42170f837", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java" }, { "type": "modify", "old\_id": "aed3753ffc0f4f69c5bf998f376fe196f506493b", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java", "new\_id": "b83f6e7e6c1f89ede082ef11d045996b43f3e6ee", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java" }, { "type": "modify", "old\_id": "141dca53afb1a8b9c4b5f700c1257d344857470b", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java", "new\_id": "b707b1d6b06fe564632f77f4e4d61c0fe3f394c9", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java" }, { "type": "modify", "old\_id": "eefa46bb7c13db355460f3d458b90abe3444c771", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java", "new\_id": "9dc610b275ee4077d1b832a814059304cf7d243b", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java" }, { "type": "modify", "old\_id": "9de443def48ebc9ccc708bf2b2644247aa38faca", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java", "new\_id": "37fbb8f7b27a9902adc4a6994f0e0d2c653d44ed", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java" } \] }

CVE-2023-20965

In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "b35a06182451f71cc0543cfe36a3f21fad6f6f02", "tree": "7fdf671a4088d9e11c465beddb0dc1419fff4165", "parents": \[ "53625a846a7b4273982157d7a1db5947371757ef" \], "author": { "name": "Will Deacon", "email": "willdeacon@google.com", "time": "Wed Apr 26 15:38:32 2023 +0100" }, "committer": { "name": "Will Deacon", "email": "willdeacon@google.com", "time": "Fri Apr 28 14:31:57 2023 +0000" }, "message": "ANDROID: KVM: arm64: Move addr\_is\_allowed\_memory() check into host callback\\n\\nSince host stage-2 mappings are created lazily, we cannot rely on the\\npte in order to recover the target physical address when checking a\\nhost-initiated memory transition.\\n\\nInstead, move the addr\_is\_allowed\_memory() check into the host callback\\nfunction where it is passed the physical address directly from the\\nwalker.\\n\\nBug: 279739439\\nSigned-off-by: Will Deacon \\u003cwilldeacon@google.com\\u003e\\nChange-Id: I84bdc43eded79f1f5e5a489dbc0874604491e5c8\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "d1bb4f8689acc1ed08fb633b06b92cd20992cbe2", "old\_mode": 33188, "old\_path": "arch/arm64/kvm/hyp/nvhe/mem\_protect.c", "new\_id": "402b22ffc59315c4a984aa00fd61c5d1ecd4723c", "new\_mode": 33188, "new\_path": "arch/arm64/kvm/hyp/nvhe/mem\_protect.c" } \] }

Tag

#android