authorCharles He <qiurui@google.com>2017-07-14 14:41:06 +0100
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-09-13 22:26:46 +0000
commit5979a0b84a8623b04a013eaa1bdc008a9ea9e44d (patch)
treeb3e29a530d2ad7d93784b2a035d6634d86a5a953
parent43d61dcef058f5edd57734f9d189d3f5dd290d64 (diff)
downloadbase-5979a0b84a8623b04a013eaa1bdc008a9ea9e44d.tar.gz
Fix security hole in GateKeeperResponse.
GateKeeperResponse has inconsistent writeToParcel() and createFromParcel() methods, making it possible for a malicious app to create a Bundle that changes contents after reserialization. Such Bundles can be used to execute Intents with system privileges. This CL changes writeToParcel() to make serialization and deserialization consistent, thus fixing the issue. Bug: 62998805 Test: use the debug app (see bug) Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09 (cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)
-rw-r--r--core/java/android/service/gatekeeper/GateKeeperResponse.java2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index a512957d6040..6ca6d8ac7100 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -85,6 +85,8 @@ public final class GateKeeperResponse implements Parcelable {
if (mPayload != null) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
+ } else {
+ dest.writeInt(0);
}
}
}
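Review bot: The non-null branch still writes an explicit length followed by `dest.writeByteArray(mPayload)`, and `writeByteArray` emits its own length prefix, so a non-null but zero-length `mPayload` puts two ints in the parcel where the new `else` branch puts one. `createFromParcel()` is outside this hunk, but if it skips the array read whenever the size it reads is 0, which the added `dest.writeInt(0)` suggests, that empty-payload case remains a write/read mismatch of the kind this commit is closing. Consider tightening the guard to `if (mPayload != null && mPayload.length > 0) {` so that both "no payload" shapes serialize identically. A round-trip unit test (write, read, write again, compare parcel sizes) for null, empty and non-empty payloads would pin the invariant. The enclosing `writeToParcel()` body starts above the hunk, so the other response-code branches were not reviewed here.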