From 4ee14083484520e5b8e38573e1da50e2b496167a Mon Sep 17 00:00:00 2001 From: Ashish Kumar Date: Fri, 26 May 2023 14:18:46 +0000 Subject: [PATCH] Fixed leak of cross user data in multiple settings. - Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user. - Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user. Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not. Bug: b/256591023 , b/256819787 Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data. Test2: Able to import contact from the primary user or uri with no user id (These settings are not available for secondary users) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab593467e900d4a6d25a34024a06195ae863f6dc) Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 Change-Id: I01cf83cc40bbf13497bc6c90f949f5bb62a833d7 --- .../android/phone/GsmUmtsCallForwardOptions.java | 12 ++++++++++++ .../phone/settings/VoicemailSettingsActivity.java | 13 +++++++++++++ .../phone/settings/fdn/EditFdnContactScreen.java | 11 +++++++++++ 3 files changed, 36 insertions(+) diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java index 99f3599742..f5e7ad295e 100644 --- a/src/com/android/phone/GsmUmtsCallForwardOptions.java +++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java @@ -8,6 +8,7 @@ import android.app.AlertDialog; import android.app.Dialog; import android.content.Context; +import android.content.ContentProvider; import android.content.DialogInterface; import android.content.Intent; import android.database.Cursor; @@ -15,6 +16,8 @@ import android.net.NetworkInfo; import android.os.Bundle; import android.os.PersistableBundle; +import android.os.Process; +import android.os.UserHandle; import android.preference.Preference; import android.preference.PreferenceScreen; import android.telephony.ServiceState; @@ -229,6 +232,15 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) { } Cursor cursor = null; try { + // check if the URI returned by the user belongs to the user + final int currentUser = UserHandle.getUserId(Process.myUid()); + if (currentUser + != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { + + Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " + + "cannot access"); + return; + } cursor = getContentResolver().query(data.getData(), NUM_PROJECTION, null, null, null); if ((cursor == null) || (!cursor.moveToFirst())) { diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java index fea702bf53..1a4b1eea45 100644 --- a/src/com/android/phone/settings/VoicemailSettingsActivity.java +++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java @@ -17,6 +17,7 @@ package com.android.phone.settings; import android.app.Dialog; +import android.content.ContentProvider; import android.content.DialogInterface; import android.content.Intent; import android.database.Cursor; @@ -24,6 +25,7 @@ import android.os.Bundle; import android.os.Handler; import android.os.Message; +import android.os.Process; import android.os.UserHandle; import android.preference.CheckBoxPreference; import android.preference.Preference; @@ -544,6 +546,17 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) { Cursor cursor = null; try { + // check if the URI returned by the user belongs to the user + final int currentUser = UserHandle.getUserId(Process.myUid()); + if (currentUser + != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { + + if (DBG) { + log("onActivityResult: Contact data of different user, " + + "cannot access"); + } + return; + } cursor = getContentResolver().query(data.getData(), new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null); if ((cursor == null) || (!cursor.moveToFirst())) { diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java index 23ef0bb075..98dbd9480c 100644 --- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java @@ -21,6 +21,7 @@ import android.app.Activity; import android.content.AsyncQueryHandler; +import android.content.ContentProvider; import android.content.ContentResolver; import android.content.ContentValues; import android.content.Intent; @@ -29,6 +30,8 @@ import android.net.Uri; import android.os.Bundle; import android.os.Handler; +import android.os.Process; +import android.os.UserHandle; import android.provider.Contacts.PeopleColumns; import android.provider.Contacts.PhonesColumns; import android.provider.ContactsContract.CommonDataKinds; @@ -152,6 +155,14 @@ protected void onActivityResult(int requestCode, int resultCode, Intent intent) } Cursor cursor = null; try { + // check if the URI returned by the user belongs to the user + final int currentUser = UserHandle.getUserId(Process.myUid()); + if (currentUser + != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) { + Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " + + "cannot access"); + return; + } cursor = getContentResolver().query(intent.getData(), NUM_PROJECTION, null, null, null); if ((cursor == null) || (!cursor.moveToFirst())) {