authorHao Ke <haok@google.com>2022-10-05 21:45:52 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-10-05 21:45:52 +0000
commit6edc8b7cdaecb616d4805efe3fdd36221660147f (patch)
tree0d560639a26010f197579acb4eb2403a33b1a623
parentadfa1235d2e3653d940ffb3d161322f9e47c04b1 (diff)
parent926e1629cb73bf4992af1bb3035ac73fe7a4d6a5 (diff)
downloadbase-6edc8b7cdaecb616d4805efe3fdd36221660147f.tar.gz
Merge "Add safety checks on KEY_INTENT mismatch." into qt-dev am: 459808b2c0 am: 64e4cbc1d8 am: ac02d51ea3 am: c3cde6206d am: 926e1629cb
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/20105519 Change-Id: I5888374d641da4539d7f1d233d2c5f02dfda6f84 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--services/core/java/com/android/server/accounts/AccountManagerService.java34
1 files changed, 30 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index ae2f93449c86..a8672ff38e9d 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -88,6 +88,7 @@ import android.os.UserHandle;
import android.os.UserManager;
import android.stats.devicepolicy.DevicePolicyEnums;
import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import android.util.Pair;
import android.util.Slog;
@@ -3097,7 +3098,7 @@ public class AccountManagerService
*/
if (!checkKeyIntent(
Binder.getCallingUid(),
- intent)) {
+ result)) {
onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
"invalid intent in bundle returned");
return;
@@ -3516,7 +3517,7 @@ public class AccountManagerService
&& (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
if (!checkKeyIntent(
Binder.getCallingUid(),
- intent)) {
+ result)) {
onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
"invalid intent in bundle returned");
return;
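Review bot: The caller at `L39` reads `result.getParcelable(AccountManager.KEY_INTENT)` before `checkKeyIntent(..., result)` is invoked, and the same ordering appears in the hunks at -3097 and -5050; on this platform version that first `getParcelable` appears to unparcel the whole Bundle, so the write/read round-trip inside `checkKeyIntentParceledCorrectly` would presumably re-serialize the already-deserialized Intent rather than the bytes the authenticator supplied. That still exercises the Intent's own writeToParcel/readFromParcel symmetry, which may be exactly what the check targets, but it is worth confirming against the intended threat and, if raw-bytes coverage is wanted, running the check before the Bundle is touched. A one-line comment at the call site recording which of the two is intended would keep the next reader from "optimizing" the order, e.g. `// checkKeyIntent re-reads KEY_INTENT itself; the Bundle is already unparceled here`. The enclosing method begins and ends outside this hunk.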
@@ -4867,7 +4868,13 @@ public class AccountManagerService
* into launching arbitrary intents on the device via by tricking to click authenticator
* supplied entries in the system Settings app.
*/
- protected boolean checkKeyIntent(int authUid, Intent intent) {
+ protected boolean checkKeyIntent(int authUid, Bundle bundle) {
+ if (!checkKeyIntentParceledCorrectly(bundle)) {
+ EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
+ return false;
+ }
+
+ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
// Explicitly set an empty ClipData to ensure that we don't offer to
// promote any Uris contained inside for granting purposes
if (intent.getClipData() == null) {
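Review bot: `Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);` at the new line is dereferenced on the next line without a null check; before this change the callers guaranteed a non-null Intent, but the method is `protected` and now accepts any Bundle, so a Bundle without `KEY_INTENT` (or with a non-Intent value, which `getParcelable` would surface as a ClassCastException) throws instead of being rejected. Add `if (intent == null) { return false; }` directly after the lookup, and since the Javadoc ending at `L50` still describes an Intent parameter, update it to say the argument is the authenticator's result Bundle and that a missing or mis-parceled `KEY_INTENT` yields false. The method body continues past the end of this hunk.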
@@ -4904,6 +4911,25 @@ public class AccountManagerService
}
}
+ /**
+ * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't
+ * violate our security policy.
+ *
+ * In particular we want to make sure the Authenticator doesn't trick users
+ * into launching arbitrary intents on the device via exploiting any other Parcel read/write
+ * mismatch problems.
+ */
+ private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
+ Parcel p = Parcel.obtain();
+ p.writeBundle(bundle);
+ p.setDataPosition(0);
+ Bundle simulateBundle = p.readBundle();
+ p.recycle();
+ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+ Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
+ return (intent.filterEquals(simulateIntent));
+ }
+
private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
String className = activityInfo.name;
return "android".equals(activityInfo.packageName) &&
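Review bot: In `checkKeyIntentParceledCorrectly`, `p.recycle()` is skipped if `p.readBundle()` or either `getParcelable` throws (a malformed Bundle from the authenticator is precisely the input this method exists to inspect), so the Parcel leaks and the exception propagates out of the callback instead of being reported as a mismatch; `intent.filterEquals(simulateIntent)` also throws NPE when the Bundle lacks `KEY_INTENT`. Move the recycle into a `finally`, guard the null cases, and treat a failed round-trip as a mismatch so the caller's existing error path and EventLog entry apply; if propagating is preferred, keep only the `finally`. `isExportedSystemActivity` at the bottom of the hunk continues outside it.
```java
private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
    Parcel p = Parcel.obtain();
    try {
        p.writeBundle(bundle);
        p.setDataPosition(0);
        Bundle simulateBundle = p.readBundle();
        Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
        Intent simulateIntent = simulateBundle == null
                ? null : simulateBundle.getParcelable(AccountManager.KEY_INTENT);
        // filterEquals(null) is false, so a missing Intent on either side is a mismatch.
        return intent != null && intent.filterEquals(simulateIntent);
    } catch (RuntimeException e) {
        // A Bundle that cannot be round-tripped is treated as a mismatch rather than
        // letting a BadParcelableException escape the callback.
        return false;
    } finally {
        p.recycle();
    }
}
```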
@@ -5050,7 +5076,7 @@ public class AccountManagerService
&& (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
if (!checkKeyIntent(
Binder.getCallingUid(),
- intent)) {
+ result)) {
onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
"invalid intent in bundle returned");
return;