In mmcblkread_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 978.0, "function_hash": "290459416158443490269445564131014734238" }, "id": "ASB-A-216481035-0d8a59c6", "source": "https://android.googlesource.com/kernel/common/+/8f66dc1a78a743ea3c3f039500d2aa0cddd776d5", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/mmc/core/block.c", "truncated_path_level": 1.0, "function": "mmc_blk_read_single" }, "signature_type": "Function" }, { "digest": { "length": 978.0, "function_hash": "290459416158443490269445564131014734238" }, "id": "ASB-A-216481035-3203c8b1", "source": "https://android.googlesource.com/kernel/common/+/8a3679a75730c1babde6bf63e35d227f3305bd90", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/mmc/core/block.c", "truncated_path_level": 1.0, "function": "mmc_blk_read_single" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "2907444189528137582598791217727045976", "80646727252109438267268950575052761574", "214455761909637698135983059591719148404", "314224666913841343005414661948040423198", "301079217581052051189090274480861617100", "333000515435920061536231456913963985304", "130151144031969264003597906697477326274", "248909641728583318544137915805454314577", "41714600779776968329513128334675758975", "145170706701966385612643393627647051505", "269644774211126604351262929141648861431", "200409849303713783695564726255665398656", "254740679565737498548231481744941635265", "95260411534038648523560557426888444784", "149451371566647158598358333914912173079", "246028754277326850540093589276958046608", "123655838134129163841804075222723179401", "336965310461298005801655302288838830825", "91701752304520966890165163965022529758", "184328425099164550879843336430941754535", "14189298840319197261086693072886128807" ] }, "id": "ASB-A-216481035-8719bca4", "source": "https://android.googlesource.com/kernel/common/+/8f66dc1a78a743ea3c3f039500d2aa0cddd776d5", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/mmc/core/block.c", "truncated_path_level": 1.0 }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "2907444189528137582598791217727045976", "80646727252109438267268950575052761574", "214455761909637698135983059591719148404", "314224666913841343005414661948040423198", "301079217581052051189090274480861617100", "333000515435920061536231456913963985304", "130151144031969264003597906697477326274", "248909641728583318544137915805454314577", "41714600779776968329513128334675758975", "145170706701966385612643393627647051505", "82779074392281770542715410463218417675", "321248953353821862450469011039827550385", "324843245304616300959363174425865350731", "151898391135442215427971803908467078645", "149451371566647158598358333914912173079", "246028754277326850540093589276958046608", "123655838134129163841804075222723179401", "336965310461298005801655302288838830825", "91701752304520966890165163965022529758", "184328425099164550879843336430941754535", "14189298840319197261086693072886128807" ] }, "id": "ASB-A-216481035-91b2ef5b", "source": "https://android.googlesource.com/kernel/common/+/8a3679a75730c1babde6bf63e35d227f3305bd90", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/mmc/core/block.c", "truncated_path_level": 1.0 }, "signature_type": "Line" }, { "digest": { "length": 978.0, "function_hash": "290459416158443490269445564131014734238" }, "id": "ASB-A-216481035-d11d0f38", "source": "https://android.googlesource.com/kernel/common/+/2aea7dc18f4249dc53e53598db50b59c26a60aeb", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/mmc/core/block.c", "truncated_path_level": 1.0, "function": "mmc_blk_read_single" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "2907444189528137582598791217727045976", "80646727252109438267268950575052761574", "214455761909637698135983059591719148404", "314224666913841343005414661948040423198", "301079217581052051189090274480861617100", "333000515435920061536231456913963985304", "130151144031969264003597906697477326274", "248909641728583318544137915805454314577", "41714600779776968329513128334675758975", "145170706701966385612643393627647051505", "82779074392281770542715410463218417675", "321248953353821862450469011039827550385", "324843245304616300959363174425865350731", "151898391135442215427971803908467078645", "149451371566647158598358333914912173079", "246028754277326850540093589276958046608", "123655838134129163841804075222723179401", "336965310461298005801655302288838830825", "91701752304520966890165163965022529758", "184328425099164550879843336430941754535", "14189298840319197261086693072886128807" ] }, "id": "ASB-A-216481035-ee7289ad", "source": "https://android.googlesource.com/kernel/common/+/2aea7dc18f4249dc53e53598db50b59c26a60aeb", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/mmc/core/block.c", "truncated_path_level": 1.0 }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/2aea7dc18f4249dc53e53598db50b59c26a60aeb", "https://android.googlesource.com/kernel/common/+/8a3679a75730c1babde6bf63e35d227f3305bd90", "https://android.googlesource.com/kernel/common/+/8f66dc1a78a743ea3c3f039500d2aa0cddd776d5" ], "spl": "2022-05-05", "severity": "High", "types": [ "ID" ] }