DivestOS/Patches/LineageOS-18.1/android_frameworks_base/399076.patch

54 lines
2.2 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Tue, 20 Jul 2021 00:01:29 +0000
Subject: [PATCH] Prevend user spoofing in isRequestPinItemSupported
This CL ensure the caller process is from the same user when calling
ShortcutService#isRequestPinItemSupported.
Bug: 191772737
Test: atest ShortcutManagerTest1 ShortcutManagerTest2
ShortcutManagerTest3 ShortcutManagerTest4 ShortcutManagerTest5
ShortcutManagerTest6 ShortcutManagerTest7 ShortcutManagerTest8
ShortcutManagerTest9 ShortcutManagerTest10 ShortcutManagerTest11
ShortcutManagerTest12
Test: atest CtsShortcutManagerTestCases
Change-Id: Icab7cdf25b870b88ecfde9b99e107bbeda0eb485
---
.../com/android/server/pm/ShortcutService.java | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
index 3d1fce98307d..001268066701 100644
--- a/services/core/java/com/android/server/pm/ShortcutService.java
+++ b/services/core/java/com/android/server/pm/ShortcutService.java
@@ -1614,6 +1614,19 @@ public class ShortcutService extends IShortcutService.Stub {
mContext.enforceCallingPermission(permission, message);
}
+ private void verifyCallerUserId(@UserIdInt int userId) {
+ if (isCallerSystem()) {
+ return; // no check
+ }
+
+ final int callingUid = injectBinderCallingUid();
+
+ // Otherwise, make sure the arguments are valid.
+ if (UserHandle.getUserId(callingUid) != userId) {
+ throw new SecurityException("Invalid user-ID");
+ }
+ }
+
private void verifyCaller(@NonNull String packageName, @UserIdInt int userId) {
Preconditions.checkStringNotEmpty(packageName, "packageName");
@@ -2609,6 +2622,8 @@ public class ShortcutService extends IShortcutService.Stub {
@Override
public boolean isRequestPinItemSupported(int callingUserId, int requestType) {
+ verifyCallerUserId(callingUserId);
+
final long token = injectClearCallingIdentity();
try {
return mShortcutRequestPinProcessor