diff options
author | Hao Ke <haok@google.com> | 2022-10-05 21:45:52 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-10-05 21:45:52 +0000 |
commit | 6edc8b7cdaecb616d4805efe3fdd36221660147f (patch) | |
tree | 0d560639a26010f197579acb4eb2403a33b1a623 | |
parent | adfa1235d2e3653d940ffb3d161322f9e47c04b1 (diff) | |
parent | 926e1629cb73bf4992af1bb3035ac73fe7a4d6a5 (diff) | |
download | base-6edc8b7cdaecb616d4805efe3fdd36221660147f.tar.gz |
Merge "Add safety checks on KEY_INTENT mismatch." into qt-dev am: 459808b2c0 am: 64e4cbc1d8 am: ac02d51ea3 am: c3cde6206d am: 926e1629cb
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/20105519
Change-Id: I5888374d641da4539d7f1d233d2c5f02dfda6f84
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | services/core/java/com/android/server/accounts/AccountManagerService.java | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java index ae2f93449c86..a8672ff38e9d 100644 --- a/services/core/java/com/android/server/accounts/AccountManagerService.java +++ b/services/core/java/com/android/server/accounts/AccountManagerService.java @@ -88,6 +88,7 @@ import android.os.UserHandle; import android.os.UserManager; import android.stats.devicepolicy.DevicePolicyEnums; import android.text.TextUtils; +import android.util.EventLog; import android.util.Log; import android.util.Pair; import android.util.Slog; @@ -3097,7 +3098,7 @@ public class AccountManagerService */ if (!checkKeyIntent( Binder.getCallingUid(), - intent)) { + result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; @@ -3516,7 +3517,7 @@ public class AccountManagerService && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { if (!checkKeyIntent( Binder.getCallingUid(), - intent)) { + result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; @@ -4867,7 +4868,13 @@ public class AccountManagerService * into launching arbitrary intents on the device via by tricking to click authenticator * supplied entries in the system Settings app. */ - protected boolean checkKeyIntent(int authUid, Intent intent) { + protected boolean checkKeyIntent(int authUid, Bundle bundle) { + if (!checkKeyIntentParceledCorrectly(bundle)) { + EventLog.writeEvent(0x534e4554, "250588548", authUid, ""); + return false; + } + + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); // Explicitly set an empty ClipData to ensure that we don't offer to // promote any Uris contained inside for granting purposes if (intent.getClipData() == null) { @@ -4904,6 +4911,25 @@ public class AccountManagerService } } + /** + * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't + * violate our security policy. + * + * In particular we want to make sure the Authenticator doesn't trick users + * into launching arbitrary intents on the device via exploiting any other Parcel read/write + * mismatch problems. + */ + private boolean checkKeyIntentParceledCorrectly(Bundle bundle) { + Parcel p = Parcel.obtain(); + p.writeBundle(bundle); + p.setDataPosition(0); + Bundle simulateBundle = p.readBundle(); + p.recycle(); + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); + Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); + return (intent.filterEquals(simulateIntent)); + } + private boolean isExportedSystemActivity(ActivityInfo activityInfo) { String className = activityInfo.name; return "android".equals(activityInfo.packageName) && @@ -5050,7 +5076,7 @@ public class AccountManagerService && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { if (!checkKeyIntent( Binder.getCallingUid(), - intent)) { + result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; |