diff options
author | William Leshner <wleshner@google.com> | 2023-11-01 18:03:35 +0000 |
---|---|---|
committer | William Leshner <wleshner@google.com> | 2023-11-01 18:03:40 +0000 |
commit | bf8ff047eb25960720a688cb16aa44b3775799da (patch) | |
tree | be8b9b3e4af90ade7e969e64780952ee6d65185b | |
parent | 5e5e9db28b88f9adeb0f06473aeca7a50e65b0a8 (diff) | |
download | base-bf8ff047eb25960720a688cb16aa44b3775799da.tar.gz |
Fix vulnerability that allowed attackers to start arbitary activities
Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
Change-Id: I146415ad400827d0a798e27f34f098feb5e96422
Merged-In: I6e90e3a0d513dceb7d7f5c59d6807ebe164c5716
-rw-r--r-- | core/java/android/service/dreams/DreamService.java | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/core/java/android/service/dreams/DreamService.java b/core/java/android/service/dreams/DreamService.java index 2d461c6cf92e..d380522de643 100644 --- a/core/java/android/service/dreams/DreamService.java +++ b/core/java/android/service/dreams/DreamService.java @@ -1192,8 +1192,17 @@ public class DreamService extends Service implements Window.Callback { if (!flattenedString.contains("/")) { return new ComponentName(serviceInfo.packageName, flattenedString); } - - return ComponentName.unflattenFromString(flattenedString); + // Ensure that the component is from the same package as the dream service. If not, + // treat the component as invalid and return null instead. + final ComponentName cn = ComponentName.unflattenFromString(flattenedString); + if (cn == null) return null; + if (!cn.getPackageName().equals(serviceInfo.packageName)) { + Log.w(TAG, + "Inconsistent package name in component: " + cn.getPackageName() + + ", should be: " + serviceInfo.packageName); + return null; + } + return cn; } /** |