Android gets the first 8 CVEs for 2020
The CVE affects:
- Android 8.0
- Android 8.1
- Android 9
- Android 10
Google has published a security bulletin for Android covering the first CVE of the year together with the following CVEs:
- CVE-2020-0002
- CVE-2020-0003
- CVE-2020-0004
- CVE-2020-0005
- CVE-2020-0006
- CVE-2020-0007
- CVE-2020-0008
Remote code execution CVE-2020-0002
A use-after-free vulnerability can be triggered in the init_decoder function in the file "decoder/ih264d_api.c". A patch was committed that resets the decoder's picture-buffer table right after the dynamic buffers are freed, so the program can no longer use memory in a way it was not supposed to:
@@ -963,6 +963,30 @@
/* Free any dynamic buffers that are allocated */
ih264d_free_dynamic_bufs(ps_dec);
+ {
+ UWORD8 i;
+ struct pic_buffer_t *ps_init_dpb;
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+ }
+
ps_cur_slice = ps_dec->ps_cur_slice;
ps_dec->init_done = 0;
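Review bot: the added block dereferences ps_dec->ps_dpb_mgr and its ps_init_dpb[0][0] / ps_init_dpb[1][0] entries immediately after ih264d_free_dynamic_bufs(ps_dec) with no check that the DPB manager is still allocated at this point; if the static allocation guarantees that, a one-line comment (or an assert on ps_dec->ps_dpb_mgr) should record the ordering assumption, because this code previously ran only in the allocation path. Also, the two loops differ only in the first index ([0] versus [1]); a small static helper taking the list index would halve the block and keep the `ps_init_dpb->pu1_buf1 = NULL;` / `ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;` reset in one place.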
@@ -1439,29 +1463,6 @@
ps_dec->ps_col_mv_base = pv_buf;
memset(ps_dec->ps_col_mv_base, 0, size);
- {
- UWORD8 i;
- struct pic_buffer_t *ps_init_dpb;
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
- ps_init_dpb++;
- }
-
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
- ps_init_dpb++;
- }
- }
ih264d_init_decoder(ps_dec);
return IV_SUCCESS;
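Review bot: this hunk removes the DPB reset from the allocation path, so the reset now happens only through the ih264d_init_decoder(ps_dec) call that remains as context just below; the commit description should state that this is a move rather than a deletion, and that the observable change is that the reset is re-applied on every (re)initialisation instead of once after allocation, since that is what stops stale pu1_buf1 entries surviving into a later decode. Review should also confirm that no caller reached this allocation code without then calling ih264d_init_decoder, which the remaining context line suggests is not the case for this path.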
Link to git commit:
https://android.googlesource.com/platform/external/libavc/+/c4b0440fb7a36cd8692126404f86f1bd7a19701e
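The pattern behind the patch above, as an added example that is not libavc code and is not taken from the commit: a decoder-like context keeps a table of raw pointers (the role pu1_buf1 plays in the real code) into dynamically allocated frame memory. If the table is not reset when that memory is freed, every slot is a dangling pointer for the next decode step. The struct names, the MAX_REF_BUFS value, the frame size and the checked reader are all constructed for the illustration; only the reset-after-free idea comes from the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libavc code. The table below plays the role of the
 * decoder's DPB entries: each slot keeps a raw pointer (pu1_buf1 in the real
 * code) into frame memory that is allocated and released dynamically. */
#define MAX_REF_BUFS 4                    /* constructed value for the demo */
#define DPB_SLOTS (2 * MAX_REF_BUFS)

struct pic_buffer {
    unsigned char *pu1_buf1;              /* frame data, or NULL when unused */
    unsigned char  long_term_frm_idx;     /* MAX_REF_BUFS + 1 means "none" */
};

struct decoder {
    struct pic_buffer dpb[DPB_SLOTS];
    unsigned char    *frame_mem;          /* the "dynamic buffers" */
};

/* Point every slot at a region of freshly allocated frame memory. */
static void attach_dynamic_bufs(struct decoder *d, size_t frame_size) {
    d->frame_mem = calloc(DPB_SLOTS, frame_size);
    for (int i = 0; i < DPB_SLOTS; i++) {
        d->dpb[i].pu1_buf1 = d->frame_mem + (size_t)i * frame_size;
        d->dpb[i].long_term_frm_idx = (unsigned char)(i % MAX_REF_BUFS);
    }
}

/* Release the frame memory. On its own this leaves every slot dangling. */
static void free_dynamic_bufs(struct decoder *d) {
    free(d->frame_mem);
    d->frame_mem = NULL;
}

/* The step the patch adds: clear each slot right after the free. */
static void reset_dpb(struct decoder *d) {
    for (int i = 0; i < DPB_SLOTS; i++) {
        d->dpb[i].pu1_buf1 = NULL;
        d->dpb[i].long_term_frm_idx = MAX_REF_BUFS + 1;
    }
}

/* Number of slots that still carry a pointer; right after a free this equals
 * the number of dangling pointers a later decode step could dereference. */
static int live_slots(const struct decoder *d) {
    int n = 0;
    for (int i = 0; i < DPB_SLOTS; i++)
        if (d->dpb[i].pu1_buf1 != NULL) n++;
    return n;
}

/* Run allocate -> free -> (reset?) and report how many slots are stale. */
int stale_slots_after_free(int with_reset) {
    struct decoder d;
    memset(&d, 0, sizeof d);
    attach_dynamic_bufs(&d, 64);
    free_dynamic_bufs(&d);
    if (with_reset) reset_dpb(&d);
    return live_slots(&d);
}

/* A consumer that refuses a slot whose pointer is NULL or whose long-term
 * index is the "none" sentinel, instead of reading through it. Returns the
 * first byte of the frame, or -1 when the slot is not usable. */
int read_slot_checked(const struct decoder *d, int idx) {
    if (idx < 0 || idx >= DPB_SLOTS) return -1;
    if (d->dpb[idx].pu1_buf1 == NULL) return -1;
    if (d->dpb[idx].long_term_frm_idx > MAX_REF_BUFS) return -1;
    return d->dpb[idx].pu1_buf1[0];
}

/* Before the free, slot 0 reads fine (calloc gives 0); after free + reset the
 * same slot is rejected rather than dereferenced. */
int read_slot_lifecycle(int after_reset) {
    struct decoder d;
    int r;
    memset(&d, 0, sizeof d);
    attach_dynamic_bufs(&d, 64);
    if (after_reset) {
        free_dynamic_bufs(&d);
        reset_dpb(&d);
        r = read_slot_checked(&d, 0);
    } else {
        r = read_slot_checked(&d, 0);
        free_dynamic_bufs(&d);
    }
    return r;
}

int main(void) {
    printf("stale slots without reset: %d\n", stale_slots_after_free(0));
    printf("stale slots with reset:    %d\n", stale_slots_after_free(1));
    return 0;
}
```

The point of the checked reader is the defensive half of the fix: resetting the table to NULL and the sentinel index only helps if every consumer treats those values as "not a reference" rather than dereferencing blindly, which is why the patch pairs the NULL with the out-of-range u1_long_term_frm_idx.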
Privilege escalation vulnerabilities
CVE-2020-0001
A process function in ActivityManagerService.java is not properly implemented, making an escape from the sandboxed environment possible.
CVE-2020-0003
In Android's InstallStart.java it is possible to bypass a package validation check.
Link to diff
Denial of service CVE-2020-0004
Improper validation of the image texture size in WallpaperManagerService can cause a denial of service if the file is too big.
Information disclosure vulnerabilities
CVE-2020-0006
A vulnerability was found in the Near Field Communication (NFC) part of the Android system, allowing a leak of memory contents due to uninitialized data; it is exploitable by an unprivileged third party.
CVE-2020-0007
A leak of memory contents is possible due to uninitialized data in the Sensor.cpp part of Android. Link to patch: git commit 6c524a53c85bd0ee05d2714bc5606d62975e5819
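The bug class behind CVE-2020-0006 and CVE-2020-0007, as an added example that is not Android code and does not reproduce either fix: a fixed-layout reply is built by writing only its named fields, then copied out byte for byte, so the reserved bytes carry whatever the memory held before. The struct layout, the field names, the poison value and the receiver-side check are all constructed for this illustration; the page says only that uninitialized data leaks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Android code. A fixed-layout reply whose reserved
 * bytes are part of the wire format; the bug is that a producer fills only
 * the named fields and the whole object is then copied to the caller. */
struct sensor_reply {
    uint8_t  type;
    uint8_t  reserved[3];   /* never meaningful, but still copied out */
    uint32_t value;
};

#define POISON 0xAA         /* stands in for whatever was left in memory */

/* Producer without hardening: only the named fields are written. */
static void fill_fields_only(struct sensor_reply *r, uint8_t t, uint32_t v) {
    r->type = t;
    r->value = v;
}

/* Hardened producer: the whole object is zeroed before the fields are set. */
static void fill_zeroed(struct sensor_reply *r, uint8_t t, uint32_t v) {
    memset(r, 0, sizeof *r);
    r->type = t;
    r->value = v;
}

/* Build a reply in storage that previously held other data and serialize it
 * as a raw copy into wire[], exactly as a careless IPC reply path would. */
static void build_wire(int hardened, uint8_t *wire) {
    uint8_t storage[sizeof(struct sensor_reply)];
    struct sensor_reply r;

    memset(storage, POISON, sizeof storage);   /* "stale" memory contents */
    memcpy(&r, storage, sizeof r);             /* reply object reuses it */

    if (hardened) fill_zeroed(&r, 1, 0x11223344u);
    else          fill_fields_only(&r, 1, 0x11223344u);

    memcpy(wire, &r, sizeof r);                /* raw copy to the caller */
}

/* Count reserved bytes on the wire that still hold the old contents.
 * Returns the number of leaked bytes (0 means nothing uninitialised escaped). */
int leaked_reserved_bytes(int hardened) {
    uint8_t wire[sizeof(struct sensor_reply)];
    int leaked = 0;
    build_wire(hardened, wire);
    for (size_t i = 0; i < 3; i++)
        if (wire[offsetof(struct sensor_reply, reserved) + i] == POISON) leaked++;
    return leaked;
}

/* Receiver-side check: a conforming reply has all reserved bytes zero. Cheap
 * to run in tests as a detector for producers that skip the zeroing step. */
int serialized_reply_is_clean(int hardened) {
    uint8_t wire[sizeof(struct sensor_reply)];
    build_wire(hardened, wire);
    for (size_t i = 0; i < 3; i++)
        if (wire[offsetof(struct sensor_reply, reserved) + i] != 0) return 0;
    return 1;
}
```

Zeroing the whole object before filling it is the usual fix for this class; in C++ code the same effect comes from value-initialising the reply (`T r{};`) rather than leaving it default-initialised, and a unit test that asserts reserved bytes are zero catches regressions without needing a memory-sanitiser run.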
CVE-2020-0008
A flaw in the Bluetooth part of Android has been found, caused by a race condition which, if exploited, would lead to an information disclosure.
The Mississippi State Government has published an announcement about these security threats, advising users to update their Android devices as soon as possible.
Link here: its.ms.gov
External links:
CVE-2020-0001
Android Security Bulletin January 2020
Use after free vulnerability
If you are using an RSS reader you can subscribe to the blog here:
https://blog.firosolutions.com/exploits/index.xml
https://blog.firosolutions.com/posts/index.xml