authorCharles He <qiurui@google.com>2017-07-14 14:41:06 +0100
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-09-28 17:12:05 +0000
commitc505f55d9243b1a961813685d6f02f5af2029b71 (patch)
treed386c534268be0fdea53e72fb3a87e5c2926b343
parentc2176389a68fdd48fd41d0e3ca7efef2c9fcf557 (diff)
Fix security hole in GateKeeperResponse.
GateKeeperResponse has inconsistent writeToParcel() and createFromParcel() methods, making it possible for a malicious app to create a Bundle that changes contents after reserialization. Such Bundles can be used to execute Intents with system privileges. This CL changes writeToParcel() to make serialization and deserialization consistent, thus fixing the issue. Bug: 62998805 Test: use the debug app (see bug) Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09 (cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)
-rw-r--r--core/java/android/service/gatekeeper/GateKeeperResponse.java2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index a512957d6040..6ca6d8ac7100 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -85,6 +85,8 @@ public final class GateKeeperResponse implements Parcelable {
if (mPayload != null) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
+ } else {
+ dest.writeInt(0);
}
}
}
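Review bot: The non-null branch still writes a length of 0 followed by `dest.writeByteArray(mPayload)` when `mPayload` is an empty array, so if createFromParcel() (not visible in this hunk) skips the array read for a zero size, writer and reader would still disagree for that input. Consider tightening the condition to `if (mPayload != null && mPayload.length > 0) {` so that every no-payload case emits exactly one `dest.writeInt(0)`. A comment such as `// Must mirror createFromParcel(): size, then bytes only when size > 0` would keep the invariant visible, and a parcel round-trip test over null, empty and non-empty payloads, asserting the parcel is fully consumed after the read, would confirm it. writeToParcel() begins above the hunk, so its other branches should be checked against the reader in the same way.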