Android gets the first 8 CVE’s for 2020

Android gets the first 8 CVE’s for 2020

Firo Solutions android 2020 CVE

Is a CVE that is affecting:
* Android 8.0
* Android 8.1
* Android 9
* Android 10
Google has published a security bulletin for Android
covering the first CVE of the year together with 8 of
the following CVE’s:
* CVE-2020–0002
* CVE-2020–0003
* CVE-2020–0004
* CVE-2020–0005
* CVE-2020–0006
* CVE-2020–0007
* CVE-2020–0008

Remote code execution CVE-2020–0002

A use after free vulnerability can be triggered
in the init_decoder function in the file “decoder/ih264d_api.c”.
Code was committed as a patch to prevent the program from possibly
using memory in a way it was not suppose to do:

@@ -963,6 +963,30 @@ 
     /* Free any dynamic buffers that are allocated */
     ih264d_free_dynamic_bufs(ps_dec);
 
+    {
+        UWORD8 i;
+        struct pic_buffer_t *ps_init_dpb;
+        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
+        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+        {
+            ps_init_dpb->pu1_buf1 = NULL;
+            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+            ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
+            ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
+            ps_init_dpb++;
+        }
+
+        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
+        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+        {
+            ps_init_dpb->pu1_buf1 = NULL;
+            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+            ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
+            ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
+            ps_init_dpb++;
+        }
+    }
+
     ps_cur_slice = ps_dec->ps_cur_slice;
     ps_dec->init_done = 0;
 
@@ -1439,29 +1463,6 @@
     ps_dec->ps_col_mv_base = pv_buf;
     memset(ps_dec->ps_col_mv_base, 0, size);
 
-    {
-        UWORD8 i;
-        struct pic_buffer_t *ps_init_dpb;
-        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
-        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
-        {
-            ps_init_dpb->pu1_buf1 = NULL;
-            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
-            ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
-            ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
-            ps_init_dpb++;
-        }
-
-        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
-        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
-        {
-            ps_init_dpb->pu1_buf1 = NULL;
-            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
-            ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
-            ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
-            ps_init_dpb++;
-        }
-    }
     ih264d_init_decoder(ps_dec);
 
     return IV_SUCCESS;

Link to git commit:
https://android.googlesource.com/platform/external/libavc/+/c4b0440fb7a36cd8692126404f86f1bd7a19701e

Privilege escalation vulnerabilities

CVE-2020–0001

A process function in ActivityManagerService.java is not
properly implemented making a escape of the sand boxed
environment available.

CVE-2020–0003

In Androids Install Start.java function it is possible to
a package validating check.
Link to diff
Denial of service CVE-2020–0004
A in-proper validation of the image texture size in
the function WallpaperManagerService can cause a denial of service if the file is to big. Information disclosure vulnerabilities

CVE-2020–0006

A vulnerability was found in the Near Field Communication part of the Android system. Allowing leakage of memory due to uninitialized data that is exploitable by a unprivileged third party.

CVE-2020–0007

A possible leakage of memory is possible due to uninitialized data in the Sensor.cpp part of Android. Link to patch: git commit 6c524a53c85bd0ee05d2714bc5606d62975e5819

CVE-2020–0008

A flaw in the Bluetooth part of android has been
found due to a invalid race condition which
if exploited would lead to a information disclosure.
The Mississippi State Government has gone out with a
announcement noticing these security threats
and advising to update your android device as soon
as possible.
Link here its.ms.gov

CVE-2020–0001
Android Security Bulletin January 2020
Use after free vulnerability

If you are using an rss reader you can subscribe to the blog here:
https://blog.firosolutions.com/exploits/index.xml
https://blog.firosolutions.com/posts/index.xml