DivestOS/Patches/LineageOS-16.0/android_frameworks_base/379794.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Will Leshner <wleshner@google.com>
Date: Tue, 31 Oct 2023 13:23:08 -0700
Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
 activities

Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
---
 .../com/android/settingslib/dream/DreamBackend.java  | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
index 3c0f6fe8ccbb..0b771580fff4 100644
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
@@ -332,7 +332,17 @@ public class DreamBackend {
         if (cn != null && cn.indexOf('/') < 0) {
             cn = resolveInfo.serviceInfo.packageName + "/" + cn;
         }
-        return cn == null ? null : ComponentName.unflattenFromString(cn);
+        // Ensure that the component is from the same package as the dream service. If not,
+        // treat the component as invalid and return null instead.
+        final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
+        if (result != null
+                && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
+            Log.w(TAG,
+                    "Inconsistent package name in component: " + result.getPackageName()
+                            + ", should be: " + resolveInfo.serviceInfo.packageName);
+            return null;
+        }
+        return result;
     }
 
     private static void logd(String msg, Object... args) {
16.0: Import and verify picks https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev> 2024-05-07 23:13:31 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Will Leshner <wleshner@google.com>`
			`Date: Tue, 31 Oct 2023 13:23:08 -0700`
			`Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary`
			`activities`

			`Test: Flashed device and verified dream settings works as expected`
			`Test: Installed APK from bug and verified the dream didn't allow`
			`launching the inappropriate settings activity.`
			`Fixes: 300090204`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)`
			`Merged-In: I573040df84bf98a493b39f96c8581e4303206bac`
			`Change-Id: I573040df84bf98a493b39f96c8581e4303206bac`
			`---`
			`.../com/android/settingslib/dream/DreamBackend.java \| 12 +++++++++++-`
			`1 file changed, 11 insertions(+), 1 deletion(-)`

			`diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java`
			`index 3c0f6fe8ccbb..0b771580fff4 100644`
			`--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java`
			`+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java`
			`@@ -332,7 +332,17 @@ public class DreamBackend {`
			`if (cn != null && cn.indexOf('/') < 0) {`
			`cn = resolveInfo.serviceInfo.packageName + "/" + cn;`
			`}`
			`- return cn == null ? null : ComponentName.unflattenFromString(cn);`
			`+ // Ensure that the component is from the same package as the dream service. If not,`
			`+ // treat the component as invalid and return null instead.`
			`+ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;`
			`+ if (result != null`
			`+ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {`
			`+ Log.w(TAG,`
			`+ "Inconsistent package name in component: " + result.getPackageName()`
			`+ + ", should be: " + resolveInfo.serviceInfo.packageName);`
			`+ return null;`
			`+ }`
			`+ return result;`
			`}`

			`private static void logd(String msg, Object... args) {`