From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Will Leshner Date: Tue, 31 Oct 2023 13:23:08 -0700 Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary activities Test: Flashed device and verified dream settings works as expected Test: Installed APK from bug and verified the dream didn't allow launching the inappropriate settings activity. Fixes: 300090204 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14) Merged-In: I573040df84bf98a493b39f96c8581e4303206bac Change-Id: I573040df84bf98a493b39f96c8581e4303206bac --- .../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java index 3c0f6fe8ccbb..0b771580fff4 100644 --- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java +++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java @@ -332,7 +332,17 @@ public class DreamBackend { if (cn != null && cn.indexOf('/') < 0) { cn = resolveInfo.serviceInfo.packageName + "/" + cn; } - return cn == null ? null : ComponentName.unflattenFromString(cn); + // Ensure that the component is from the same package as the dream service. If not, + // treat the component as invalid and return null instead. + final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null; + if (result != null + && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) { + Log.w(TAG, + "Inconsistent package name in component: " + result.getPackageName() + + ", should be: " + resolveInfo.serviceInfo.packageName); + return null; + } + return result; } private static void logd(String msg, Object... args) {
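Review bot: The comment added above `final ComponentName result` says what is checked but not why, and for a security boundary the reason should be recorded at the check, e.g. `// A dream may only name a settings activity inside its own package; otherwise the settings UI could be made to launch an arbitrary activity.` The guard compares package names only, so it does not confirm that the class resolves to an activity in that package. Whether the launch site copes with an unresolvable component is not visible in this hunk and is worth confirming. The commit lists manual testing only, so a unit test that supplies a component from a different package and expects `null` would keep the fix from regressing. The enclosing method begins outside the hunk, so its Javadoc (if any) should also mention the new `null` return for a cross-package component.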