mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-07 05:37:56 -05:00
59bf3b75c7
https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev>
80 lines
3.8 KiB
Diff
80 lines
3.8 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Pranav Madapurmath <pmadapurmath@google.com>
|
|
Date: Tue, 21 Mar 2023 23:28:56 +0000
|
|
Subject: [PATCH] Call Redirection: unbind service when onBind returns null
|
|
|
|
The call redirection service does not handle the corner case of
|
|
onNullBinding (occurs when onBind returns null). This vulnerability
|
|
would give the app that has the call redirection role unintentional
|
|
access to launch background activities outside the scope of a call
|
|
lifecycle.
|
|
|
|
Fixes: 273260090
|
|
Test: Unit test to ensure we unbind the service on null onBind
|
|
Test: CTS for similar assertion
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c3580d96071a7232ce11ad83848d6394b93121d8)
|
|
Merged-In: Ib9d44d239833131eb055e83801cb635e8efe0b81
|
|
Change-Id: Ib9d44d239833131eb055e83801cb635e8efe0b81
|
|
---
|
|
.../CallRedirectionProcessor.java | 13 ++++++++++
|
|
.../tests/CallRedirectionProcessorTest.java | 24 +++++++++++++++++++
|
|
2 files changed, 37 insertions(+)
|
|
|
|
diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
|
|
index 7a54118f8..5de576ccb 100644
|
|
--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
|
|
+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
|
|
@@ -140,6 +140,19 @@ public class CallRedirectionProcessor implements CallRedirectionCallback {
|
|
}
|
|
}
|
|
|
|
+ @Override
|
|
+ public void onNullBinding(ComponentName componentName) {
|
|
+ // Make sure we unbind the service if onBind returns null
|
|
+ Log.startSession("CRSC.oNB");
|
|
+ try {
|
|
+ synchronized (mTelecomLock) {
|
|
+ finishCallRedirection();
|
|
+ }
|
|
+ } finally {
|
|
+ Log.endSession();
|
|
+ }
|
|
+ }
|
|
+
|
|
@Override
|
|
public void onServiceDisconnected(ComponentName componentName) {
|
|
Log.startSession("CRSC.oSD");
|
|
diff --git a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
|
|
index 169c56acf..82e32b24b 100644
|
|
--- a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
|
|
+++ b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
|
|
@@ -280,4 +280,28 @@ public class CallRedirectionProcessorTest extends TelecomTestCase {
|
|
eq(mPhoneAccountHandle), eq(mGatewayInfo), eq(SPEAKER_PHONE_ON), eq(VIDEO_STATE),
|
|
eq(false), eq(CallRedirectionProcessor.UI_TYPE_NO_ACTION));
|
|
}
|
|
+
|
|
+ @Test
|
|
+ public void testUnbindOnNullBind() throws Exception {
|
|
+ startProcessWithNoGateWayInfo();
|
|
+ // To make sure tests are not flaky, clean all the previous handler messages
|
|
+ waitForHandlerAction(mProcessor.getHandler(), HANDLER_TIMEOUT_DELAY);
|
|
+ enableUserDefinedCallRedirectionService();
|
|
+ disableCarrierCallRedirectionService();
|
|
+
|
|
+ mProcessor.performCallRedirection();
|
|
+
|
|
+ // Capture the binder
|
|
+ ArgumentCaptor<ServiceConnection> serviceConnectionCaptor = ArgumentCaptor.forClass(
|
|
+ ServiceConnection.class);
|
|
+ // Verify binding occurred
|
|
+ verify(mContext, times(1)).bindServiceAsUser(any(Intent.class),
|
|
+ serviceConnectionCaptor.capture(), anyInt(), eq(UserHandle.CURRENT));
|
|
+ // Simulate null return from onBind
|
|
+ serviceConnectionCaptor.getValue().onNullBinding(USER_DEFINED_SERVICE_TEST_COMPONENT_NAME);
|
|
+
|
|
+ // Verify service was unbound
|
|
+ verify(mContext, times(1)).
|
|
+ unbindService(any(ServiceConnection.class));
|
|
+ }
|
|
}
|