¡¾Ô­´´Â©¶´¡¿AOSP¿çÓû§×ÊÔ´·ÃÎÊ©¶´

·¢²¼Ê±¼ä 2025-05-09
Ò»¡¢Ñо¿±³¾°


AndroidµÄ¶àÓû§»úÖÆÊÇָϵͳ֧³ÖÔÚͬһ̨É豸ÉÏ´´½¨¶à¸öÓû§ÕË»§£¬Ã¿¸öÕË»§ÓµÓжÀÁ¢µÄÓ¦Óû·¾³¡¢Êý¾ÝºÍÉèÖã¬Ö÷ÒªÓÃÓÚÆ½°åÉ豸¡¢¹²ÏíÉ豸¡¢ÆóÒµ¹ÜÀíÉ豸µÈ³¡¾°¡£mansion88Ã÷ÉýADLabͨ¹ý¶Ô¶àÓû§Ä£Ê½Ï¸ôÀë»úÖÆ¿ªÕ¹°²È«Ñо¿£¬¾Û½¹ÏµÍ³¿çÓû§×ÊÔ´·ÃÎʵÄÊäÈë·¾¶ÎÛȾÎÊÌ⣬ÍÚ¾òÁ˶à¸öAOSP¸ßΣ©¶´¡£´ËÍ⣬»¹·¢ÏÖ¹úÄÚÍâÖ÷Á÷³§ÉÌÖÐÒ²´æÔÚͬÀàÐ͸ßΣ©¶´CVE-2024-34674¡¢CVE-2024-34672¡¢CVE-2025-20883¡¢CVE-2024-49402µÈ¡£


¶þ¡¢AOSP¶àÓû§ÏµÍ³»úÖÆ


2.1 »ù±¾ÀàÐÍ


Androidϵͳ¶¨ÒåÁ˶àÖÖÓû§ÀàÐÍ£º


? Primary User£¨Ö÷Óû§£©£ºÉ豸³õʼ»¯Ê±´´½¨µÄµÚÒ»¸öÓû§£¬ÓµÓÐËùÓÐϵͳȨÏÞ£¬Î¨Ò»¿ÉÒÔ½ÓÊÕOTA¡£

Secondary User£¨´ÎÓû§£©£ºÀàËÆ¶ÀÁ¢Õ˺Å£¬ÎÞ·¨½ÓÊÕOTA£¬²»¾ß±¸É豸¹ÜÀíȨÏÞ¡£

Guest User£¨·Ã¿ÍÓû§£©£ºÁÙʱÓû§£¬Í˳öºó»áɾ³ýËùÓÐÊý¾Ý¡£

Profile£¨ÅäÖÃÎļþ£©£ºWork Profile¹¤×÷ÅäÖÃÎļþÓÃÓÚBYODÆóÒµ³¡¾°£¬ÓëÖ÷Óû§¸ôÀ뵫¹²Ïí²¿·Ö×ÊÔ´£»Restricted ProfileÏÞÖÆÅäÖÃÎļþÓÃÓÚÆ½°å¶àÓû§Ä£Ê½£¬ÏÞÖÆÈ¨Ï޺ͷÃÎÊÄÚÈÝ¡£

¶ÔӦȨÏÞ¸ôÀ밲ȫ»úÖÆ£º

¸÷Óû§È¨ÏÞ¶ÀÁ¢ÊÚÓè¡£

Ò»¸öÓû§ÊÚÓèȨÏÞ²»»áÓ°ÏìÆäËûÓû§¡£

¿çÓû§Í¨ÐÅÐèҪϵͳȨÏÞ£¬È磺INTERACT_ACROSS_USERS»òINTERACT_ACROSS_USERS_FULL¡£

ÆÕͨÈý·½Ó¦ÓÃÎÞ·¨Í¨¹ýIntent¡¢ContentProvider µÈԽȨ·ÃÎÊÆäËûÓû§µÄÊý¾Ý»ò·þÎñ¡£


2.2 ±£»¤»úÖÆ


AndroidϵͳʵʩÁ˶àÖÖ±£»¤»úÖÆÒÔ·ÀÖ¹¿çÓû§µÄ·Ç·¨×ÊÔ´·ÃÎÊ¡£ÔÚAndroidÖУ¬URIµÄ·ÃÎÊȨÏÞÊÇÓÉContentProviderͳһ¹ÜÀíºÍ¿ØÖƵÄ¡£µ±Óû§AµÄÓ¦ÓÃЯ´øÌض¨URI·¢Æðij¸ö¶¯×÷ÇëÇóʱ£¬ÏµÍ³×é¼þ»áͨ¹ýµ÷ÓÃÁ´½øÈëqueryContentProviders·½·¨À´ÑéÖ¤¸ÃURIµÄ·ÃÎÊȨÏÞ¡£


¾ßÌå´úÂëʵÏÖÈçÏ£º


ͼƬ1.png


Õâ¸öº¯ÊýÊ×Ïȼì²éÓ¦ÓÃÊÇ·ñЯ´øÁË"@userid!=currentuserid"µÄ±ê¼Ç£¬ÒÔ´ËÅжÏÊÇ·ñ´æÔÚ¿çÓû§URI·ÃÎʵÄÇé¿ö¡£Èç¹ûÈ·ÊµÉæ¼°¿çÓû§·ÃÎÊ£¬Ôòµ÷ÓÃcheckCrossUserPermissionÀ´¼ìÑéÊÇ·ñÓпçÓû§·ÃÎʵÄȨÏÞ£¬²¢Í¬Ê±È·ÈÏ·ÃÎÊÊÇ·ñÀ´Ô´ÓÚsystem/rootÓû§ID¡£Èç¹û²»ÊÇsystem/rootÓû§£¬º¯Êý½«¼ÌÐø¼ì²é¸ÃÓ¦ÓÃÊÇ·ñÓµÓÐINTERACT_ACROSS_USERS_FULL»òINTERACT_ACROSS_USERSϵͳȨÏÞ¡£ÈôÉÏÊöÌõ¼þ¾ùδÂú×㣬Ôò²»ÔÊÐí½øÐпçÓû§URI×ÊÔ´µÄ·ÃÎÊ¡£


ͼƬ2.png


Èç¹ûͬʱÂú×ãÒÔÏÂÈý¸öÌõ¼þ£¬ÏµÍ³¿ÉÄÜ´æÔÚ¿çÓû§µÄ×ÊÔ´·ÃÎÊ©¶´£º


ϵͳӦÓÃÖдæÔÚÉèÖÃΪexported=trueµÄ×é¼þ£»

¸Ã×é¼þ¿ÉÒÔ½ÓÊÕÈý·½Ó¦Óô«ÈëµÄURI²ÎÊý£¬²¢ÇÒδ¶ÔuseridÓ뵱ǰcurrentUserId½øÐа²È«Ð£Ñ飻

ϵͳӦÓõÄAndroidManifest.xmlÖÐÉùÃ÷ÁËINTERACT_ACROSS_USERS»òINTERACT_ACROSS_USERS_FULLȨÏÞ¡£


Èý¡¢Â©¶´Ô­Àí·ÖÎö£¨Android-337184703£©


©¶´´æÔÚÓÚdeskclock apkÄ£¿éÖУ¬´ËÄ£¿éΪAOSPͨÓÃÁåÉùϵͳӦÓ㬹©Ó¦ÓýøÐÐÍØÕ¹ÁåÉù×Ô¶¨ÒåÉèÖá£

ͼƬ.png

deskclockÄ£¿é¾ß±¸INTERACT_ACROSS_USERS*ȨÏÞ¡£ÔÚHandleSetAlarmApiCallsµÄµ÷ÓÃÁ´ÖУ¬ÏµÍ³½«µ¼³ö×é¼þ¿ª·Å¸øÈý·½Ó¦Ó㬴æÔÚ°²È«Òþ»¼¡£¾ßÌåµ÷ÓÃÁ÷³ÌÈçÏ£º


HandleSetAlarmApiCalls/HandleSetAlarm.onCreate

©¸©¤©¤> handleSetAlarm(intent)

 ©¸©¤©¤> updateAlarmFromIntent(intent, alarm)

  ©¸©¤©¤>alarm.alert=getAlertFromIntent(intent, alarm.alert)


ÓÉÓÚgetAlertFromIntentδ¶Ô´«ÈëµÄURI²ÎÊý½øÐÐÈκÎУÑ飬±ãÖ±½ÓÉèÖÃalarm.alert£¬¿ÉÄܵ¼ÖÂÈý·½Ó¦Óô«Èë¶ñÒâURI£¬´Ó¶øÒý·¢È¨ÏÞÈÆ¹ý»òÐÅϢй¶µÈ·çÏÕ¡£


ͼƬ3.png


¹¥»÷Õß¿ÉÒÔ¹¹Ôì¶ñÒâµ÷ÓÃÁ´£¬Í¨¹ý´«ÈëÌØ¶¨µÄURI²ÎÊý²¢Ö¸¶¨Ä¿±êÓû§µÄuserId£¬½ø¶ø´¥·¢ÏµÍ³×é¼þµÄ´¦ÀíÂß¼­¡£ÔÚδ½øÐÐÓû§Éí·ÝУÑéµÄÇé¿öÏ£¬ÏµÍ³»áÖ±½ÓʹÓøÃURIÉèÖÃalarm.alert×ֶΡ£ÓÉÓÚ¸ÃURI¿ÉÖ¸ÏòÆäËûÓû§¿Õ¼äϵÄ×ÊÔ´£¬¹¥»÷Õ߿ɽøÒ»²½Í¨¹ý±éÀú_id×ֶΣ¬´ïµ½ÈÎÒâ¶ÁÈ¡²¢ÇÔÈ¡ÆäËûÓû§ÒôƵÎļþµÄÄ¿µÄ¡£


ËÄ¡¢Â©¶´´¦ÖÃ


Google Android°²È«ÍŶӶÔmansion88Ã÷ÉýADLabÌá½»µÄ©¶´±¨¸æ½øÐÐÁËÆÀ¹À£¬È·¶¨¸Ã©¶´Îª¸ßΣ¼¶±ð¡£¼øÓÚÐÞ¸´´æÔÚµÄÀ§ÄÑ£¬ÔÚ×îз¢²¼µÄ°æ±¾ÖУ¬ÒÑÆúÓÃÁË´æÔÚ©¶´µÄ×é¼þ£¬²¢ÔÚа汾ÖвÉÓÃÆäËû×é¼þ½øÐÐÌæ´ú¡£


ͼƬ4.png


ͼƬ5.png


Î塢С ½á


ΪÁ˱ÜÃâ´ËÀàÎÊÌ⣬½¨ÒéÉèÖÃȨÏÞ×îС»¯£¬½÷É÷ʹÓÃINTERACT_ACROSS_USERS*ÕâÀàȨÏÞ£¬´ËÍ⣬¶Ô¿ª·Å×é¼þ½øÐÐuseridÊÇ·ñΪcurrentuseridµÄ°²È«Ð£Ñé¡£


Áù¡¢Â©¶´Åû¶ʱ¼äÏß


? 2024Äê4ÔÂ26ÈÕ ADLabÏòGoolgeÌá½»Androidϵͳ°²È«±¨¸æ¡£

2024Äê4ÔÂ30ÈÕ ADLab²¹³äϸ½Ú¡£

2024Äê5ÔÂ8ÈÕ  GoolgeÈ·ÈÏ©¶´ÆÀ¼¶ÒÔ¼°¸ßΣ½±Àø¡£

2024Äê12ÔÂ11ÈÕ Ë«·½¹µÍ¨ÐÞ¸´·½°¸¡£

2024Äê12ÔÂ24ÈÕ Google×îÖÕÍ£Ö¹¸Ã¹¦ÄÜ¿ª·¢£¬Ê¹ÓÃÆäËû×é¼þÌæ´ú¸Ã¹¦ÄÜ¡£



mansion88Ã÷Éý»ý¼«·ÀÓùʵÑéÊÒ£¨ADLab£©


ADLab³ÉÁ¢ÓÚ1999Ä꣬ÊÇÖйú°²È«ÐÐÒµ×îÔç³ÉÁ¢µÄ¹¥·À¼¼ÊõÑо¿ÊµÑéÊÒÖ®Ò»£¬Î¢ÈíMAPP¼Æ»®ºËÐijÉÔ±£¬¡°ºÚȸ¹¥»÷¡±¸ÅÄîÊ×ÍÆÕß¡£½ØÖÁĿǰ£¬ADLabÒÑͨ¹ý CNVD/CNNVD/NVDB/CVEÀۼƷ¢²¼°²È«Â©¶´6500Óà¸ö£¬³ÖÐø±£³Ö¹ú¼ÊÍøÂ簲ȫÁìÓòÒ»Á÷Ë®×¼¡£ÊµÑéÊÒÑо¿·½Ïòº­¸Ç»ù´¡°²È«Ñо¿¡¢Êý¾Ý°²È«Ñо¿¡¢5G°²È«Ñо¿¡¢AI+°²È«Ñо¿¡¢ÎÀÐǰ²È«Ñо¿¡¢ÔËÓªÉÌ»ù´¡ÉèÊ©°²È«Ñо¿¡¢Òƶ¯°²È«Ñо¿¡¢ÎïÁªÍø°²È«Ñо¿¡¢³µÁªÍø°²È«Ñо¿¡¢¹¤¿Ø°²È«Ñо¿¡¢ÐÅ´´°²È«Ñо¿¡¢Ôư²È«Ñо¿¡¢ÎÞÏß°²È«Ñо¿¡¢¸ß¼¶ÍþвÑо¿¡¢¹¥·À¶Ô¿¹¼¼ÊõÑо¿¡£Ñо¿³É¹ûÓ¦ÓÃÓÚ²úÆ·ºËÐļ¼ÊõÑо¿¡¢¹ú¼ÒÖØµã¿Æ¼¼ÏîÄ¿¹¥¹Ø¡¢×¨Òµ°²È«·þÎñµÈ¡£


adlab.jpg