DivestOS/Patches/LineageOS-20.0/ASB2023-09/telephony-01.patch

From b96ee4a2d1ec8c552af40820077fe85f9b2fa01f Mon Sep 17 00:00:00 2001
From: Ashish Kumar <akgaurav@google.com>
Date: Fri, 26 May 2023 14:18:46 +0000
Subject: [PATCH] Fixed leak of cross user data in multiple settings.

  - Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user.
  - Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user.

Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not.

Bug: b/256591023 , b/256819787

Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data.
Test2: Able to import contact from the primary user or uri with no user id
(These settings are not available for secondary users)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab593467e900d4a6d25a34024a06195ae863f6dc)
Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
---
 src/com/android/phone/CdmaCallForwardOptions.java  | 12 ++++++++++++
 .../android/phone/GsmUmtsCallForwardOptions.java   | 12 ++++++++++++
 .../phone/settings/VoicemailSettingsActivity.java  | 14 ++++++++++++++
 .../phone/settings/fdn/EditFdnContactScreen.java   | 11 +++++++++++
 4 files changed, 49 insertions(+)

diff --git a/src/com/android/phone/CdmaCallForwardOptions.java b/src/com/android/phone/CdmaCallForwardOptions.java
index a8d2e93d69..d70e7099b4 100644
--- a/src/com/android/phone/CdmaCallForwardOptions.java
+++ b/src/com/android/phone/CdmaCallForwardOptions.java
@@ -17,10 +17,13 @@
 package com.android.phone;
 
 import android.app.ActionBar;
+import android.content.ContentProvider;
 import android.content.Intent;
 import android.database.Cursor;
 import android.os.Bundle;
 import android.os.PersistableBundle;
+import android.os.Process;
+import android.os.UserHandle;
 import android.preference.Preference;
 import android.preference.PreferenceScreen;
 import android.telephony.CarrierConfigManager;
@@ -212,6 +215,15 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) {
         }
         Cursor cursor = null;
         try {
+            // check if the URI returned by the user belongs to the user
+            final int currentUser = UserHandle.getUserId(Process.myUid());
+            if (currentUser
+                    != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
+
+                Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
+                        + "cannot access");
+                return;
+            }
             cursor = getContentResolver().query(data.getData(),
                 NUM_PROJECTION, null, null, null);
             if ((cursor == null) || (!cursor.moveToFirst())) {
diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java
index fda0ea5265..db830deb66 100644
--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java
+++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java
@@ -1,10 +1,13 @@
 package com.android.phone;
 
 import android.app.ActionBar;
+import android.content.ContentProvider;
 import android.content.Intent;
 import android.database.Cursor;
 import android.os.Bundle;
 import android.os.PersistableBundle;
+import android.os.Process;
+import android.os.UserHandle;
 import android.preference.Preference;
 import android.preference.PreferenceScreen;
 import android.telephony.CarrierConfigManager;
@@ -203,6 +206,15 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) {
         }
         Cursor cursor = null;
         try {
+            // check if the URI returned by the user belongs to the user
+            final int currentUser = UserHandle.getUserId(Process.myUid());
+            if (currentUser
+                    != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
+
+                Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
+                        + "cannot access");
+                return;
+            }
             cursor = getContentResolver().query(data.getData(),
                 NUM_PROJECTION, null, null, null);
             if ((cursor == null) || (!cursor.moveToFirst())) {
diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
index 02bf4b25d8..c940748a35 100644
--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
@@ -17,6 +17,7 @@
 package com.android.phone.settings;
 
 import android.app.Dialog;
+import android.content.ContentProvider;
 import android.content.DialogInterface;
 import android.content.Intent;
 import android.database.Cursor;
@@ -25,6 +26,8 @@
 import android.os.Handler;
 import android.os.Message;
 import android.os.PersistableBundle;
+import android.os.Process;
+import android.os.UserHandle;
 import android.os.UserManager;
 import android.preference.Preference;
 import android.preference.PreferenceActivity;
@@ -520,6 +523,17 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) {
 
             Cursor cursor = null;
             try {
+                // check if the URI returned by the user belongs to the user
+                final int currentUser = UserHandle.getUserId(Process.myUid());
+                if (currentUser
+                        != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
+
+                    if (DBG) {
+                        log("onActivityResult: Contact data of different user, "
+                                + "cannot access");
+                    }
+                    return;
+                }
                 cursor = getContentResolver().query(data.getData(),
                     new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null);
                 if ((cursor == null) || (!cursor.moveToFirst())) {
diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
index 468d38f65d..0884e1262d 100644
--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
+++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
@@ -19,6 +19,7 @@
 
 import static android.app.Activity.RESULT_OK;
 
+import android.content.ContentProvider;
 import android.content.ContentValues;
 import android.content.Intent;
 import android.content.res.Resources;
@@ -26,6 +27,8 @@
 import android.net.Uri;
 import android.os.Bundle;
 import android.os.PersistableBundle;
+import android.os.Process;
+import android.os.UserHandle;
 import android.provider.ContactsContract.CommonDataKinds;
 import android.telephony.CarrierConfigManager;
 import android.telephony.PhoneNumberUtils;
@@ -137,6 +140,14 @@ protected void onActivityResult(int requestCode, int resultCode, Intent intent)
                 }
                 Cursor cursor = null;
                 try {
+                    // check if the URI returned by the user belongs to the user
+                    final int currentUser = UserHandle.getUserId(Process.myUid());
+                    if (currentUser
+                            != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) {
+                        Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
+                                + "cannot access");
+                        return;
+                    }
                     cursor = getContentResolver().query(intent.getData(),
                         NUM_PROJECTION, null, null, null);
                     if ((cursor == null) || (!cursor.moveToFirst())) {
20.0: September ASB picks wget https://github.com/GrapheneOS/platform_packages_services_Telephony/commit/b96ee4a2d1ec8c552af40820077fe85f9b2fa01f.patch -O telephony-01.patch wget https://github.com/GrapheneOS/platform_packages_providers_MediaProvider/commit/c16e6e78c1c8ba40f8c2ff6a4d87afe44590eb7f.patch -O media-01.patch wget https://github.com/GrapheneOS/platform_packages_providers_MediaProvider/commit/d5771450d7b2acde9fa051dedbb6c115b001d48b.patch -O media-02.patch wget https://github.com/GrapheneOS/platform_packages_modules_NeuralNetworks/commit/a1370bd00c106e4d172dc68638778fa111f6ecbe.patch -O nn-01.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/ce2776f4ca4fba080bd64bffa2c8fa2d0188bd45.patch -O bt-01.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/585f583ef5e6c2446df7700d8959774771d2a9d8.patch -O bt-02.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/c9905e7968f603014d8ebd631393f9ba1ffd98c9.patch -O bt-03.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/c93ec045f59462f2fb64242da1a119a7b49c3d50.patch -O bt-04.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/89fb17d17249382f8bd5c4c9b0912447ea7ff676.patch -O bt-05.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/14aed2455e4e800e4bde6175ad3c4910ffcf7b0e.patch -O bt-06.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/cd438ebc524bc27b6200c70ccb6ed9f8d0271a10.patch -O bt-07.patch wget https://github.com/GrapheneOS/platform_packages_apps_Nfc/commit/27e7cdc4e5748e2ad85552433cf9c120fd7a936b.patch -O nfc-01.patch wget https://github.com/GrapheneOS/platform_packages_apps_Launcher3/commit/dfeb4270b8ecad08bc5361f122af9453881a5987.patch -O launcher-01.patch wget https://github.com/GrapheneOS/platform_frameworks_native/commit/b1993f6cec45bc638ea1d2875c91d069e89ca57e.patch -O native-01.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/df4a9362cd39867ca7deee537934649bd6a2589f.patch -O fwb-01.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/b55563bb9d534210c3f4c5e21ba07a63360c2094.patch -O fwb-02.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/a80971a28168f2667a2821d008964ba001cad059.patch -O fwb-03.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/7e173b43837c419a7cb77f5758191a557fdc76fa.patch -O fwb-04.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/44191b1c6b55d9e09d8b5fca96176035abc18c31.patch -O fwb-05.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/8dc8dfe572ce5e4bcb64418275b6d8c4e05284ac.patch -O fwb-06.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/00a42241007a2c2a03b97656c958236091553b80.patch -O av-01.patch wget https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/21623d1f437beb59ceee1fc88cd07d48e3f6a13e.patch -O settings-01.patch wget https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/fa5ec443d94922424112fe8a7c7f9d3b36dca67d.patch -O settings-02.patch wget https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/ba4da9c7b3a711a5e1c73dcf361b0c14fe02ebf4.patch -O settings-03.patch Signed-off-by: Tad <tad@spotco.us> 2023-09-06 19:26:45 +00:00			`From b96ee4a2d1ec8c552af40820077fe85f9b2fa01f Mon Sep 17 00:00:00 2001`
			`From: Ashish Kumar <akgaurav@google.com>`
			`Date: Fri, 26 May 2023 14:18:46 +0000`
			`Subject: [PATCH] Fixed leak of cross user data in multiple settings.`

			`- Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user.`
			`- Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user.`

			`Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not.`

			`Bug: b/256591023 , b/256819787`

			`Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data.`
			`Test2: Able to import contact from the primary user or uri with no user id`
			`(These settings are not available for secondary users)`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab593467e900d4a6d25a34024a06195ae863f6dc)`
			`Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1`
			`Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1`
			`---`
			`src/com/android/phone/CdmaCallForwardOptions.java \| 12 ++++++++++++`
			`.../android/phone/GsmUmtsCallForwardOptions.java \| 12 ++++++++++++`
			`.../phone/settings/VoicemailSettingsActivity.java \| 14 ++++++++++++++`
			`.../phone/settings/fdn/EditFdnContactScreen.java \| 11 +++++++++++`
			`4 files changed, 49 insertions(+)`

			`diff --git a/src/com/android/phone/CdmaCallForwardOptions.java b/src/com/android/phone/CdmaCallForwardOptions.java`
			`index a8d2e93d69..d70e7099b4 100644`
			`--- a/src/com/android/phone/CdmaCallForwardOptions.java`
			`+++ b/src/com/android/phone/CdmaCallForwardOptions.java`
			`@@ -17,10 +17,13 @@`
			`package com.android.phone;`

			`import android.app.ActionBar;`
			`+import android.content.ContentProvider;`
			`import android.content.Intent;`
			`import android.database.Cursor;`
			`import android.os.Bundle;`
			`import android.os.PersistableBundle;`
			`+import android.os.Process;`
			`+import android.os.UserHandle;`
			`import android.preference.Preference;`
			`import android.preference.PreferenceScreen;`
			`import android.telephony.CarrierConfigManager;`
			`@@ -212,6 +215,15 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) {`
			`}`
			`Cursor cursor = null;`
			`try {`
			`+ // check if the URI returned by the user belongs to the user`
			`+ final int currentUser = UserHandle.getUserId(Process.myUid());`
			`+ if (currentUser`
			`+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {`
			`+`
			`+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "`
			`+ + "cannot access");`
			`+ return;`
			`+ }`
			`cursor = getContentResolver().query(data.getData(),`
			`NUM_PROJECTION, null, null, null);`
			`if ((cursor == null) \|\| (!cursor.moveToFirst())) {`
			`diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java`
			`index fda0ea5265..db830deb66 100644`
			`--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java`
			`+++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java`
			`@@ -1,10 +1,13 @@`
			`package com.android.phone;`

			`import android.app.ActionBar;`
			`+import android.content.ContentProvider;`
			`import android.content.Intent;`
			`import android.database.Cursor;`
			`import android.os.Bundle;`
			`import android.os.PersistableBundle;`
			`+import android.os.Process;`
			`+import android.os.UserHandle;`
			`import android.preference.Preference;`
			`import android.preference.PreferenceScreen;`
			`import android.telephony.CarrierConfigManager;`
			`@@ -203,6 +206,15 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) {`
			`}`
			`Cursor cursor = null;`
			`try {`
			`+ // check if the URI returned by the user belongs to the user`
			`+ final int currentUser = UserHandle.getUserId(Process.myUid());`
			`+ if (currentUser`
			`+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {`
			`+`
			`+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "`
			`+ + "cannot access");`
			`+ return;`
			`+ }`
			`cursor = getContentResolver().query(data.getData(),`
			`NUM_PROJECTION, null, null, null);`
			`if ((cursor == null) \|\| (!cursor.moveToFirst())) {`
			`diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java`
			`index 02bf4b25d8..c940748a35 100644`
			`--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java`
			`+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java`
			`@@ -17,6 +17,7 @@`
			`package com.android.phone.settings;`

			`import android.app.Dialog;`
			`+import android.content.ContentProvider;`
			`import android.content.DialogInterface;`
			`import android.content.Intent;`
			`import android.database.Cursor;`
			`@@ -25,6 +26,8 @@`
			`import android.os.Handler;`
			`import android.os.Message;`
			`import android.os.PersistableBundle;`
			`+import android.os.Process;`
			`+import android.os.UserHandle;`
			`import android.os.UserManager;`
			`import android.preference.Preference;`
			`import android.preference.PreferenceActivity;`
			`@@ -520,6 +523,17 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) {`

			`Cursor cursor = null;`
			`try {`
			`+ // check if the URI returned by the user belongs to the user`
			`+ final int currentUser = UserHandle.getUserId(Process.myUid());`
			`+ if (currentUser`
			`+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {`
			`+`
			`+ if (DBG) {`
			`+ log("onActivityResult: Contact data of different user, "`
			`+ + "cannot access");`
			`+ }`
			`+ return;`
			`+ }`
			`cursor = getContentResolver().query(data.getData(),`
			`new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null);`
			`if ((cursor == null) \|\| (!cursor.moveToFirst())) {`
			`diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java`
			`index 468d38f65d..0884e1262d 100644`
			`--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java`
			`+++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java`
			`@@ -19,6 +19,7 @@`

			`import static android.app.Activity.RESULT_OK;`

			`+import android.content.ContentProvider;`
			`import android.content.ContentValues;`
			`import android.content.Intent;`
			`import android.content.res.Resources;`
			`@@ -26,6 +27,8 @@`
			`import android.net.Uri;`
			`import android.os.Bundle;`
			`import android.os.PersistableBundle;`
			`+import android.os.Process;`
			`+import android.os.UserHandle;`
			`import android.provider.ContactsContract.CommonDataKinds;`
			`import android.telephony.CarrierConfigManager;`
			`import android.telephony.PhoneNumberUtils;`
			`@@ -137,6 +140,14 @@ protected void onActivityResult(int requestCode, int resultCode, Intent intent)`
			`}`
			`Cursor cursor = null;`
			`try {`
			`+ // check if the URI returned by the user belongs to the user`
			`+ final int currentUser = UserHandle.getUserId(Process.myUid());`
			`+ if (currentUser`
			`+ != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) {`
			`+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "`
			`+ + "cannot access");`
			`+ return;`
			`+ }`
			`cursor = getContentResolver().query(intent.getData(),`
			`NUM_PROJECTION, null, null, null);`
			`if ((cursor == null) \|\| (!cursor.moveToFirst())) {`