From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Pinyao Ting Date: Tue, 20 Jul 2021 00:01:29 +0000 Subject: [PATCH] Prevend user spoofing in isRequestPinItemSupported This CL ensure the caller process is from the same user when calling ShortcutService#isRequestPinItemSupported. Bug: 191772737 Test: atest ShortcutManagerTest1 ShortcutManagerTest2 ShortcutManagerTest3 ShortcutManagerTest4 ShortcutManagerTest5 ShortcutManagerTest6 ShortcutManagerTest7 ShortcutManagerTest8 ShortcutManagerTest9 ShortcutManagerTest10 ShortcutManagerTest11 ShortcutManagerTest12 Test: atest CtsShortcutManagerTestCases Change-Id: Icab7cdf25b870b88ecfde9b99e107bbeda0eb485 --- .../com/android/server/pm/ShortcutService.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java index 83dc8e99423d..56edf675cc67 100644 --- a/services/core/java/com/android/server/pm/ShortcutService.java +++ b/services/core/java/com/android/server/pm/ShortcutService.java @@ -1554,6 +1554,19 @@ public class ShortcutService extends IShortcutService.Stub { mContext.enforceCallingPermission(permission, message); } + private void verifyCallerUserId(@UserIdInt int userId) { + if (isCallerSystem()) { + return; // no check + } + + final int callingUid = injectBinderCallingUid(); + + // Otherwise, make sure the arguments are valid. + if (UserHandle.getUserId(callingUid) != userId) { + throw new SecurityException("Invalid user-ID"); + } + } + private void verifyCaller(@NonNull String packageName, @UserIdInt int userId) { Preconditions.checkStringNotEmpty(packageName, "packageName"); @@ -2237,6 +2250,8 @@ public class ShortcutService extends IShortcutService.Stub { @Override public boolean isRequestPinItemSupported(int callingUserId, int requestType) { + verifyCallerUserId(callingUserId); + final long token = injectClearCallingIdentity(); try { return mShortcutRequestPinProcessor