Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344

am: d28eef0cc2 Change-Id: If937d91cee2bb06406cf3cd1ae6ac3402a51e88d (cherry picked from commit 1f458fdc66c27977a2f93ba473d120aad190282a)
author: Tom O'Neill <tomo@google.com> 2016-12-22 17:23:39 +0000
committer: The Android Automerger <android-build@android.com> 2017-01-27 13:47:52 -0800
commit: 5549a1f8372a46176486039e0f135f78b42cc0e3 (patch)
tree: 5567eb5c500265ec29da591f217efed8b3d08358
parent: 8c1294a930ff2ced62b4021527083b89c6feede6 (diff)
download: base-5549a1f8372a46176486039e0f135f78b42cc0e3.tar.gz
1 files changed, 16 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/LocationManagerService.java b/services/core/java/com/android/server/LocationManagerService.java
index 468ead0e9c92..66d40deb503d 100644
--- a/services/core/java/com/android/server/LocationManagerService.java
+++ b/services/core/java/com/android/server/LocationManagerService.java
@@ -87,6 +87,8 @@ import android.os.UserHandle;
 import android.os.UserManager;
 import android.os.WorkSource;
 import android.provider.Settings;
+import android.text.TextUtils;
+import android.util.EventLog;
 import android.util.Log;
 import android.util.Slog;
 
@@ -2505,9 +2507,22 @@ public class LocationManagerService extends ILocationManager.Stub {
             if (mockProvider == null) {
                 throw new IllegalArgumentException("Provider \"" + provider + "\" unknown");
             }
+
+            // Ensure that the location is marked as being mock. There's some logic to do this in
+            // handleLocationChanged(), but it fails if loc has the wrong provider (bug 33091107).
+            Location mock = new Location(loc);
+            mock.setIsFromMockProvider(true);
+
+            if (!TextUtils.isEmpty(loc.getProvider()) && !provider.equals(loc.getProvider())) {
+                // The location has an explicit provider that is different from the mock provider
+                // name. The caller may be trying to fool us via bug 33091107.
+                EventLog.writeEvent(0x534e4554, "33091107", Binder.getCallingUid(),
+                        provider + "!=" + loc.getProvider());
+            }
+
             // clear calling identity so INSTALL_LOCATION_PROVIDER permission is not required
             long identity = Binder.clearCallingIdentity();
-            mockProvider.setLocation(loc);
+            mockProvider.setLocation(mock);
             Binder.restoreCallingIdentity(identity);
         }
     }
author	Tom O'Neill <tomo@google.com>	2016-12-22 17:23:39 +0000
committer	The Android Automerger <android-build@android.com>	2017-01-27 13:47:52 -0800
commit	5549a1f8372a46176486039e0f135f78b42cc0e3 (patch)
tree	5567eb5c500265ec29da591f217efed8b3d08358
parent	8c1294a930ff2ced62b4021527083b89c6feede6 (diff)
download	base-5549a1f8372a46176486039e0f135f78b42cc0e3.tar.gz