mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-09-30 05:05:47 +00:00
49 lines
2.2 KiB
Diff
49 lines
2.2 KiB
Diff
|
From c873988898e1b520e0e4cfda77e26ec4377a4ce9 Mon Sep 17 00:00:00 2001
|
||
|
From: Grace Jia <xiaotonj@google.com>
|
||
|
Date: Thu, 20 Jul 2023 13:42:50 -0700
|
||
|
Subject: [PATCH] Fix vulnerability in CallRedirectionService.
|
||
|
|
||
|
Currently when the CallRedirectionService binding died, we didn't do
|
||
|
anything, which cause malicious app start activities even not run in the
|
||
|
background by implementing a CallRedirectionService and overriding the
|
||
|
onPlaceCall method to schedule a activity start job in an independent
|
||
|
process and then kill itself. In that way, the activity can still
|
||
|
start after the CallRedirectionService died. Fix this by unbinding the
|
||
|
service when the binding died.
|
||
|
|
||
|
Bug: b/289809991
|
||
|
Test: Using testapp provided in bug to make sure the test activity can't
|
||
|
be started
|
||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)
|
||
|
Merged-In: I065d361b83700474a1efab2a75928427ee0a14ba
|
||
|
Change-Id: I065d361b83700474a1efab2a75928427ee0a14ba
|
||
|
---
|
||
|
.../callredirection/CallRedirectionProcessor.java | 14 ++++++++++++++
|
||
|
1 file changed, 14 insertions(+)
|
||
|
|
||
|
diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
|
||
|
index 226382bde..02debcd6c 100644
|
||
|
--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
|
||
|
+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
|
||
|
@@ -175,6 +175,20 @@ public void onNullBinding(ComponentName componentName) {
|
||
|
Log.endSession();
|
||
|
}
|
||
|
}
|
||
|
+
|
||
|
+ @Override
|
||
|
+ public void onBindingDied(ComponentName componentName) {
|
||
|
+ // Make sure we unbind the service if binding died to avoid background stating
|
||
|
+ // activity leaks
|
||
|
+ Log.startSession("CRSC.oBD");
|
||
|
+ try {
|
||
|
+ synchronized (mTelecomLock) {
|
||
|
+ finishCallRedirection();
|
||
|
+ }
|
||
|
+ } finally {
|
||
|
+ Log.endSession();
|
||
|
+ }
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
private class CallRedirectionAdapter extends ICallRedirectionAdapter.Stub {
|