author: Charles He <qiurui@google.com>, 2017-07-14 14:41:06 +0100
committer: android-build-team Robot <android-build-team-robot@google.com>, 2017-08-23 19:07:08 +0000
commit: 5d094db79e896108214a3d8d84a4a1b636beed48
tree: 91c8408e6002f1d337124c38211fac78fb017263
parent: 7b50517352d75b0c09365c161460348dc86edf78

Fix security hole in GateKeeperResponse.

GateKeeperResponse has inconsistent writeToParcel() and createFromParcel() methods, making it possible for a malicious app to create a Bundle that changes contents after reserialization. Such Bundles can be used to execute Intents with system privileges.

This CL changes writeToParcel() to make serialization and deserialization consistent, thus fixing the issue.

Bug: 62998805
Test: use the debug app (see bug)
Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09
(cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)

-rw-r--r-- core/java/android/service/gatekeeper/GateKeeperResponse.java | 2
1 files changed, 2 insertions, 0 deletions

diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index a512957d6040..6ca6d8ac7100 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -85,6 +85,8 @@ public final class GateKeeperResponse implements Parcelable {
if (mPayload != null) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
+ } else {
+ dest.writeInt(0);
}
}
}
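
Review bot: In the `mPayload != null` branch, a non-null but zero-length `mPayload` still writes `dest.writeInt(0)` followed by `dest.writeByteArray(mPayload)`, while the new `else` branch writes only `dest.writeInt(0)`, so two states that both announce length 0 put different amounts of data in the Parcel and the reader cannot be consistent with both. Consider changing the condition to `mPayload != null && mPayload.length > 0` so every length-0 case takes the `else` path, or confirm that an empty payload can never be constructed. The reading side is not part of this diff, so it would also help to add a unit test that writes a response with null, empty and non-empty payloads, reads it back, and asserts that the read position ends exactly where the written data ends; the `Test:` line only points at a manual debug app.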