authorCharles He <qiurui@google.com>2017-07-14 14:41:06 +0100
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-09-13 20:31:26 +0000
commitcf628c4cda2c3b34407e63844e59ae6def03fa09 (patch)
treeb3e29a530d2ad7d93784b2a035d6634d86a5a953
parente65f667f4421377fb842312c67f1f686caf8590e (diff)
downloadbase-cf628c4cda2c3b34407e63844e59ae6def03fa09.tar.gz
Fix security hole in GateKeeperResponse.
GateKeeperResponse has inconsistent writeToParcel() and createFromParcel() methods, making it possible for a malicious app to create a Bundle that changes contents after reserialization. Such Bundles can be used to execute Intents with system privileges. This CL changes writeToParcel() to make serialization and deserialization consistent, thus fixing the issue. Bug: 62998805 Test: use the debug app (see bug) Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09 (cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)
-rw-r--r--core/java/android/service/gatekeeper/GateKeeperResponse.java2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index a512957d6040..6ca6d8ac7100 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -85,6 +85,8 @@ public final class GateKeeperResponse implements Parcelable {
if (mPayload != null) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
+ } else {
+ dest.writeInt(0);
}
}
}
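Review bot: A non-null but zero-length `mPayload` still takes the first branch, which writes a length of 0 and then the `writeByteArray` data, whereas the new `else` writes only the 0. The two cases now share the same leading length but differ in what follows. The reader is outside this hunk, so this is inferred: if `createFromParcel()` skips the array read when the length is 0, the empty-array case leaves unread data in the Parcel, which is the same write/read mismatch this change closes for null. Changing the guard to `if (mPayload != null && mPayload.length > 0) {` would send every empty payload through the `writeInt(0)` path. A short comment such as `// Must mirror createFromParcel(): always write the length, and the array only when length > 0` would record the invariant. The enclosing `writeToParcel()` body starts above the hunk, so the other fields were not reviewed.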