author Charles He <qiurui@google.com> 2017-07-14 14:41:06 +0100
committer android-build-team Robot <android-build-team-robot@google.com> 2017-08-22 23:20:12 +0000
commit b87c968e5a41a1a09166199bf54eee12608f3900
tree 58065d5f3847794bc69adf5c0e329d4a2a7e21be
parent c574568aaede7f652432deb7707f20ae54bbdf9a
Fix security hole in GateKeeperResponse.

GateKeeperResponse has inconsistent writeToParcel() and createFromParcel() methods, making it possible for a malicious app to create a Bundle that changes contents after reserialization. Such Bundles can be used to execute Intents with system privileges.

This CL changes writeToParcel() to make serialization and deserialization consistent, thus fixing the issue.

Bug: 62998805
Test: use the debug app (see bug)
Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09
(cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)

-rw-r--r-- core/java/android/service/gatekeeper/GateKeeperResponse.java 2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index 287dc76a9b01..9b529345851b 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -106,6 +106,8 @@ public final class GateKeeperResponse implements Parcelable {
if (mPayload != null) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
+ } else {
+ dest.writeInt(0);
}
}
}
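
Review bot: the `if (mPayload != null)` branch kept as context here still treats an empty, non-null payload differently from the new `else` branch: it writes a length of 0 and then calls `dest.writeByteArray(mPayload)`, while the `else` writes only the 0. The reader sees the same length int in both cases, so unless createFromParcel() (not shown in this hunk) reads the array even when the length is 0, one of the two cases still leaves the parcel at a different position than the writer produced. Consider guarding the first branch with `mPayload != null && mPayload.length > 0` so that null and empty payloads serialize identically. Also, "Test: use the debug app" leaves nothing in the tree to catch a regression; a unit test that round-trips responses with a null, an empty and a non-empty payload through a Parcel and checks that the number of bytes read equals the number written would cover this class of mismatch.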