From 0fac9e3e2e2a9b1d03763821a40217a0034b86e2 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Wed, 20 Sep 2017 16:09:16 -0600
Subject: Only construct real Throwable objects.

Without this test, someone could trick us into constructing other
shady classes.

Test: builds, boots
Bug: 65281159
Change-Id: If678d0681708d1b0dcf056aa1133830ad3dbce31
(cherry picked from commit 8e151bf8999345399208d54663f103921ae5e1c6)
---
 core/java/android/os/ParcelableException.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/core/java/android/os/ParcelableException.java b/core/java/android/os/ParcelableException.java
index d84d62997d93..7f71905d7f28 100644
--- a/core/java/android/os/ParcelableException.java
+++ b/core/java/android/os/ParcelableException.java
@@ -52,10 +52,12 @@ public final class ParcelableException extends RuntimeException implements Parce
         final String msg = in.readString();
         try {
             final Class<?> clazz = Class.forName(name, true, Parcelable.class.getClassLoader());
-            return (Throwable) clazz.getConstructor(String.class).newInstance(msg);
+            if (Throwable.class.isAssignableFrom(clazz)) {
+                return (Throwable) clazz.getConstructor(String.class).newInstance(msg);
+            }
         } catch (ReflectiveOperationException e) {
-            throw new RuntimeException(name + ": " + msg);
         }
+        return new RuntimeException(name + ": " + msg);
     }
 
     /** {@hide} */
-- 
cgit v1.2.3


From 73f9e2006cbddac88f1693092998c934c9f62d4c Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Mon, 12 Jun 2017 17:33:07 -0600
Subject: DO NOT MERGE. KEY_INTENT shouldn't grant permissions.

KEY_INTENT has no business granting any Uri permissions, so remove
any grant flags that malicious apps may have tried sneaking in.

Also fix ordering bug in general-purpose security check that was
allowing FLAG_GRANT_PERSISTABLE to bypass it.

Test: builds, boots
Bug: 32990341, 32879915
Change-Id: I657455a770c81f045ccce6abbd2291407a1cfb42
(cherry picked from commit d722e780bac7685e8a012b5f479eba8c348c3c53)
(cherry picked from commit dba1bb07e04b51b1bd0a1251711781e731ce9524)
---
 .../server/accounts/AccountManagerService.java     |  4 ++++
 .../android/server/am/ActivityManagerService.java  | 23 ++++++++++++----------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index f0b1b3baee17..ef8a5758e873 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -4703,6 +4703,10 @@ public class AccountManagerService
         protected void checkKeyIntent(
                 int authUid,
                 Intent intent) throws SecurityException {
+            intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
+                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
             long bid = Binder.clearCallingIdentity();
             try {
                 PackageManager pm = mContext.getPackageManager();
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 186d0f40f43a..64eb97070d61 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -8629,6 +8629,19 @@ public class ActivityManagerService extends IActivityManager.Stub
             return -1;
         }
 
+        // Bail early if system is trying to hand out permissions directly; it
+        // must always grant permissions on behalf of someone explicit.
+        final int callingAppId = UserHandle.getAppId(callingUid);
+        if ((callingAppId == SYSTEM_UID) || (callingAppId == ROOT_UID)) {
+            if ("com.android.settings.files".equals(grantUri.uri.getAuthority())) {
+                // Exempted authority for cropping user photos in Settings app
+            } else {
+                Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission"
+                        + " grant to " + grantUri + "; use startActivityAsCaller() instead");
+                return -1;
+            }
+        }
+
         final String authority = grantUri.uri.getAuthority();
         final ProviderInfo pi = getProviderInfoLocked(authority, grantUri.sourceUserId,
                 MATCH_DEBUG_TRIAGED_MISSING);
@@ -8724,16 +8737,6 @@ public class ActivityManagerService extends IActivityManager.Stub
 
         // Third...  does the caller itself have permission to access
         // this uri?
-        final int callingAppId = UserHandle.getAppId(callingUid);
-        if ((callingAppId == SYSTEM_UID) || (callingAppId == ROOT_UID)) {
-            if ("com.android.settings.files".equals(grantUri.uri.getAuthority())) {
-                // Exempted authority for cropping user photos in Settings app
-            } else {
-                Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission"
-                        + " grant to " + grantUri + "; use startActivityAsCaller() instead");
-                return -1;
-            }
-        }
         if (!checkHoldingPermissionsLocked(pm, pi, grantUri, callingUid, modeFlags)) {
             // Require they hold a strong enough Uri permission
             if (!checkUriPermissionLocked(grantUri, callingUid, modeFlags)) {
-- 
cgit v1.2.3