mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-15 02:44:23 -05:00
41 lines
2.1 KiB
Diff
41 lines
2.1 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Will Leshner <wleshner@google.com>
|
||
|
Date: Tue, 31 Oct 2023 13:23:08 -0700
|
||
|
Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
|
||
|
activities
|
||
|
|
||
|
Test: Flashed device and verified dream settings works as expected
|
||
|
Test: Installed APK from bug and verified the dream didn't allow
|
||
|
launching the inappropriate settings activity.
|
||
|
Fixes: 300090204
|
||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
|
||
|
Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
|
||
|
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
|
||
|
---
|
||
|
.../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
|
||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
|
||
|
index 3c0f6fe8ccbb..0b771580fff4 100644
|
||
|
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
|
||
|
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
|
||
|
@@ -332,7 +332,17 @@ public class DreamBackend {
|
||
|
if (cn != null && cn.indexOf('/') < 0) {
|
||
|
cn = resolveInfo.serviceInfo.packageName + "/" + cn;
|
||
|
}
|
||
|
- return cn == null ? null : ComponentName.unflattenFromString(cn);
|
||
|
+ // Ensure that the component is from the same package as the dream service. If not,
|
||
|
+ // treat the component as invalid and return null instead.
|
||
|
+ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
|
||
|
+ if (result != null
|
||
|
+ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
|
||
|
+ Log.w(TAG,
|
||
|
+ "Inconsistent package name in component: " + result.getPackageName()
|
||
|
+ + ", should be: " + resolveInfo.serviceInfo.packageName);
|
||
|
+ return null;
|
||
|
+ }
|
||
|
+ return result;
|
||
|
}
|
||
|
|
||
|
private static void logd(String msg, Object... args) {
|