DivestOS/Patches/LineageOS-20.0/ASB-2023-10/telecomm-01.patch

From c873988898e1b520e0e4cfda77e26ec4377a4ce9 Mon Sep 17 00:00:00 2001
From: Grace Jia <xiaotonj@google.com>
Date: Thu, 20 Jul 2023 13:42:50 -0700
Subject: [PATCH] Fix vulnerability in CallRedirectionService.

Currently when the CallRedirectionService binding died, we didn't do
anything, which cause malicious app start activities even not run in the
background by implementing a CallRedirectionService and overriding the
onPlaceCall method to schedule a activity start job in an independent
process and then kill itself. In that way, the activity can still
start after the CallRedirectionService died. Fix this by unbinding the
service when the binding died.

Bug: b/289809991
Test: Using testapp provided in bug to make sure the test activity can't
be started
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)
Merged-In: I065d361b83700474a1efab2a75928427ee0a14ba
Change-Id: I065d361b83700474a1efab2a75928427ee0a14ba
---
 .../callredirection/CallRedirectionProcessor.java  | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
index 226382bde..02debcd6c 100644
--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
@@ -175,6 +175,20 @@ public void onNullBinding(ComponentName componentName) {
                     Log.endSession();
                 }
             }
+
+            @Override
+            public void onBindingDied(ComponentName componentName) {
+                // Make sure we unbind the service if binding died to avoid background stating
+                // activity leaks
+                Log.startSession("CRSC.oBD");
+                try {
+                    synchronized (mTelecomLock) {
+                        finishCallRedirection();
+                    }
+                } finally {
+                    Log.endSession();
+                }
+            }
         }
 
         private class CallRedirectionAdapter extends ICallRedirectionAdapter.Stub {
20.0: October ASB picks wget https://github.com/GrapheneOS/platform_packages_services_Telecomm/commit/c873988898e1b520e0e4cfda77e26ec4377a4ce9.patch -O telecomm-01.patch wget https://github.com/GrapheneOS/platform_packages_providers_MediaProvider/commit/0fb5786dbf8b462eb106df912a7f65ab240f0d6a.patch -O mediaprovider-01.patch wget https://github.com/GrapheneOS/platform_packages_modules_Wifi/commit/1a4b9ef510410a8d8c90e80352357f08c49f10c5.patch -O wifi-01.patch wget https://github.com/GrapheneOS/platform_packages_modules_Bluetooth/commit/364a1d99624e8dca6501d98166efbb8061362970.patch -O bluetooth-01.patch wget https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/87a06448b96e1ccd2403ae5c90b15efdd8585444.patch -O settings-01.patch wget https://github.com/GrapheneOS/platform_packages_apps_Settings/commit/aaba724a6858fba3754c11bfafd92b22f090c570.patch -O settings-02.patch wget https://github.com/GrapheneOS/platform_frameworks_native/commit/507304e1f59236675bfd820290b329f5f7334ec0.patch -O native-01.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/89489ff5dd9b7717f0421ca4e90bc060af1ba8b7.patch -O base-01.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/d1765c47157a99ecdc44537b5cadbb9726892967.patch -O base-02.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/cbb1a0ecd6b67735bdb735d76606bc03f6b955bf.patch -O base-03.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/4725772c0b3f0db2940e70851e145ec4ec71768b.patch -O base-04.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/19747f69235d208e3d61099c76fa47aa792fe3a7.patch -O base-05.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/e7a1aa9ed0bc69853bc83d098e15b8fa3b1881b4.patch -O base-06.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/922a7860b1baf29ff5cb53a31d01c341cd2b9ecb.patch -O base-07.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/ed183ed9122416026ed27d4877f96a545fe42316.patch -O base-08.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/c6fbe1330a77c479ea3e29b54523682d0f248420.patch -O base-09.patch wget https://github.com/GrapheneOS/platform_frameworks_base/commit/9141cac175caaf176377d088e334d0991482fd6a.patch -O base-10.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/41235bcc67a2122bc1d6a4d19e8356b3d1ada91e.patch -O av-01.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/a89f704701e6af4a4809f4bb4911af88a023226f.patch -O av-02.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/6d7cd80d77ed35efbe168f627dda021a5d8dd766.patch -O av-03.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/75fc175a08c1a8e86d4649c19fd3136121518b96.patch -O av-04.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/b023ec300f437494d6d6b23b03607e308dae43d2.patch -O av-05.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/c8117d1539078bb3339b5d5fffe063a9135c2c21.patch -O av-06.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/f06d23d824f60e98299d03f21c0715477666936d.patch -O av-07.patch wget https://github.com/GrapheneOS/platform_frameworks_av/commit/9c7408ab0710a9e36fd2a258098afde863cb6544.patch -O av-08.patch wget https://github.com/GrapheneOS/platform_packages_apps_Launcher3/commit/cfbfcefb3ce6bcd4d099cba4f45a8c6a0c02e6e6.patch -O launcher-01.patch wget https://github.com/GrapheneOS/platform_external_libxml2/commit/4a27a7f162907facfbeddf2d4ae4c6ab7c6eb15a.patch -O libxml-01.patch Signed-off-by: Tad <tad@spotco.us> 2023-10-03 18:30:46 +00:00			`From c873988898e1b520e0e4cfda77e26ec4377a4ce9 Mon Sep 17 00:00:00 2001`
			`From: Grace Jia <xiaotonj@google.com>`
			`Date: Thu, 20 Jul 2023 13:42:50 -0700`
			`Subject: [PATCH] Fix vulnerability in CallRedirectionService.`

			`Currently when the CallRedirectionService binding died, we didn't do`
			`anything, which cause malicious app start activities even not run in the`
			`background by implementing a CallRedirectionService and overriding the`
			`onPlaceCall method to schedule a activity start job in an independent`
			`process and then kill itself. In that way, the activity can still`
			`start after the CallRedirectionService died. Fix this by unbinding the`
			`service when the binding died.`

			`Bug: b/289809991`
			`Test: Using testapp provided in bug to make sure the test activity can't`
			`be started`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)`
			`Merged-In: I065d361b83700474a1efab2a75928427ee0a14ba`
			`Change-Id: I065d361b83700474a1efab2a75928427ee0a14ba`
			`---`
			`.../callredirection/CallRedirectionProcessor.java \| 14 ++++++++++++++`
			`1 file changed, 14 insertions(+)`

			`diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java`
			`index 226382bde..02debcd6c 100644`
			`--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java`
			`+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java`
			`@@ -175,6 +175,20 @@ public void onNullBinding(ComponentName componentName) {`
			`Log.endSession();`
			`}`
			`}`
			`+`
			`+ @Override`
			`+ public void onBindingDied(ComponentName componentName) {`
			`+ // Make sure we unbind the service if binding died to avoid background stating`
			`+ // activity leaks`
			`+ Log.startSession("CRSC.oBD");`
			`+ try {`
			`+ synchronized (mTelecomLock) {`
			`+ finishCallRedirection();`
			`+ }`
			`+ } finally {`
			`+ Log.endSession();`
			`+ }`
			`+ }`
			`}`

			`private class CallRedirectionAdapter extends ICallRedirectionAdapter.Stub {`