From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Ashish Kumar Date: Fri, 26 May 2023 14:18:46 +0000 Subject: [PATCH] RESTRICT AUTOMERGE Fixed leak of cross user data in multiple settings. - Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user. - Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user. Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not. Bug: b/256591023 , b/256819787 Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data. Test2: Able to import contact from the primary user or uri with no user id (These settings are not available for secondary users) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36e10a6d0d7b9efc543f8004729fa85751f4f70d) Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 --- .../android/phone/GsmUmtsCallForwardOptions.java | 12 ++++++++++++ .../phone/settings/VoicemailSettingsActivity.java | 14 ++++++++++++++ .../phone/settings/fdn/EditFdnContactScreen.java | 13 +++++++++++++ 3 files changed, 39 insertions(+) diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java index 77cc6cca6..aa1c797d4 100644 --- a/src/com/android/phone/GsmUmtsCallForwardOptions.java +++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java @@ -5,9 +5,12 @@ import com.android.internal.telephony.CommandsInterface; import com.android.internal.telephony.Phone; import android.app.ActionBar; +import android.content.ContentProvider; import android.content.Intent; import android.database.Cursor; import android.os.Bundle; +import android.os.Process; +import android.os.UserHandle; import android.preference.Preference; import android.preference.PreferenceScreen; import android.telephony.CarrierConfigManager; @@ -156,6 +159,15 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity { } Cursor cursor = null; try { + // check if the URI returned by the user belongs to the user + final int currentUser = UserHandle.getUserId(Process.myUid()); + if (currentUser + != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { + + Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " + + "cannot access"); + return; + } cursor = getContentResolver().query(data.getData(), NUM_PROJECTION, null, null, null); if ((cursor == null) || (!cursor.moveToFirst())) { diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java index 7c5dbf20c..ef8d9e535 100644 --- a/src/com/android/phone/settings/VoicemailSettingsActivity.java +++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java @@ -17,6 +17,7 @@ package com.android.phone.settings; import android.app.Dialog; +import android.content.ContentProvider; import android.content.DialogInterface; import android.content.Intent; import android.database.Cursor; @@ -24,6 +25,8 @@ import android.os.AsyncResult; import android.os.Bundle; import android.os.Handler; import android.os.Message; +import android.os.Process; +import android.os.UserHandle; import android.os.UserManager; import android.preference.Preference; import android.preference.PreferenceActivity; @@ -508,6 +511,17 @@ public class VoicemailSettingsActivity extends PreferenceActivity Cursor cursor = null; try { + // check if the URI returned by the user belongs to the user + final int currentUser = UserHandle.getUserId(Process.myUid()); + if (currentUser + != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { + + if (DBG) { + log("onActivityResult: Contact data of different user, " + + "cannot access"); + } + return; + } cursor = getContentResolver().query(data.getData(), new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null); if ((cursor == null) || (!cursor.moveToFirst())) { diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java index b8a761c47..d20b381cc 100644 --- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java @@ -18,9 +18,12 @@ package com.android.phone.settings.fdn; import static android.view.Window.PROGRESS_VISIBILITY_OFF; import static android.view.Window.PROGRESS_VISIBILITY_ON; +import static android.app.Activity.RESULT_OK; + import android.app.Activity; import android.content.AsyncQueryHandler; +import android.content.ContentProvider; import android.content.ContentResolver; import android.content.ContentValues; import android.content.Intent; @@ -29,6 +32,8 @@ import android.database.Cursor; import android.net.Uri; import android.os.Bundle; import android.os.Handler; +import android.os.Process; +import android.os.UserHandle; import android.provider.Contacts.PeopleColumns; import android.provider.Contacts.PhonesColumns; import android.provider.ContactsContract.CommonDataKinds; @@ -152,6 +157,14 @@ public class EditFdnContactScreen extends Activity { } Cursor cursor = null; try { + // check if the URI returned by the user belongs to the user + final int currentUser = UserHandle.getUserId(Process.myUid()); + if (currentUser + != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) { + Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " + + "cannot access"); + return; + } cursor = getContentResolver().query(intent.getData(), NUM_PROJECTION, null, null, null); if ((cursor == null) || (!cursor.moveToFirst())) {