diff options
author | Ayush Sharma <ayushsha@google.com> | 2022-03-16 10:32:23 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-07-07 01:46:34 +0000 |
commit | d15f00a09260dee8274a426ae0424a0bc9c05068 (patch) | |
tree | 8e4c24d3fec209fb3d3dac29e05ef26ed2df3b11 | |
parent | 26c1e64343596759677a12a65fce84792165d87f (diff) | |
download | base-d15f00a09260dee8274a426ae0424a0bc9c05068.tar.gz |
Fix security hole in GateKeeperResponse
GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.
We fixed related issues previously for GateKeeperResponse class, but
one of the case was remaining when payload is byte array of size 0,
Fixing this case now.
Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586
(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)
Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
(cherry picked from commit 5d2176df6923a8984e2b81d8eb4b728f01f1c760)
Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958
-rw-r--r-- | core/java/android/service/gatekeeper/GateKeeperResponse.java | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java index 7ed733cb4f4c..9d648a6995fb 100644 --- a/core/java/android/service/gatekeeper/GateKeeperResponse.java +++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java @@ -105,7 +105,7 @@ public final class GateKeeperResponse implements Parcelable { dest.writeInt(mTimeout); } else if (mResponseCode == RESPONSE_OK) { dest.writeInt(mShouldReEnroll ? 1 : 0); - if (mPayload != null) { + if (mPayload != null && mPayload.length > 0) { dest.writeInt(mPayload.length); dest.writeByteArray(mPayload); } else { |