mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-27 07:37:11 -05:00
59bf3b75c7
https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev>
108 lines
5.0 KiB
Diff
108 lines
5.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Pranav Madapurmath <pmadapurmath@google.com>
|
|
Date: Wed, 5 Apr 2023 21:36:12 +0000
|
|
Subject: [PATCH] Resolve account image icon profile boundary exploit.
|
|
|
|
Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit
|
|
is possible where the user can upload an image icon (belonging to
|
|
another user) via registering a phone account. This CL provides a
|
|
lightweight solution for parsing the image URI to detect profile
|
|
exploitation.
|
|
|
|
Fixes: 273502295
|
|
Fixes: 296915211
|
|
Test: Unit test to enforce successful/failure path
|
|
(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7)
|
|
(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48)
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42)
|
|
Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
|
|
Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
|
|
---
|
|
.../server/telecom/TelecomServiceImpl.java | 21 +++++++++++++++++++
|
|
.../telecom/tests/TelecomServiceImplTest.java | 21 +++++++++++++++++++
|
|
2 files changed, 42 insertions(+)
|
|
|
|
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
|
|
index f784fa59c..f76c0f994 100644
|
|
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
|
|
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
|
|
@@ -37,6 +37,7 @@ import android.content.pm.PackageManager;
|
|
import android.content.res.Resources;
|
|
import android.content.pm.ParceledListSlice;
|
|
import android.content.pm.ResolveInfo;
|
|
+import android.graphics.drawable.Icon;
|
|
import android.net.Uri;
|
|
import android.os.Binder;
|
|
import android.os.Build;
|
|
@@ -525,6 +526,9 @@ public class TelecomServiceImpl {
|
|
.build();
|
|
}
|
|
|
|
+ // Validate the profile boundary of the given image URI.
|
|
+ validateAccountIconUserBoundary(account.getIcon());
|
|
+
|
|
final long token = Binder.clearCallingIdentity();
|
|
try {
|
|
mPhoneAccountRegistrar.registerPhoneAccount(account);
|
|
@@ -2112,4 +2116,21 @@ public class TelecomServiceImpl {
|
|
mContext.sendBroadcast(intent);
|
|
}
|
|
}
|
|
+
|
|
+ private void validateAccountIconUserBoundary(Icon icon) {
|
|
+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
|
|
+ // incompatible types.
|
|
+ if (icon != null && (icon.getType() == Icon.TYPE_URI)) {
|
|
+ String encodedUser = icon.getUri().getEncodedUserInfo();
|
|
+ // If there is no encoded user, the URI is calling into the calling user space
|
|
+ if (encodedUser != null) {
|
|
+ int userId = Integer.parseInt(encodedUser);
|
|
+ if (userId != UserHandle.getUserId(Binder.getCallingUid())) {
|
|
+ // If we are transcending the profile boundary, throw an error.
|
|
+ throw new IllegalArgumentException("Attempting to register a phone account with"
|
|
+ + " an image icon belonging to another user.");
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
}
|
|
diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
|
|
index 00d8000e4..6daf516d1 100644
|
|
--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
|
|
+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
|
|
@@ -30,6 +30,7 @@ import android.content.Context;
|
|
import android.content.Intent;
|
|
import android.content.pm.ApplicationInfo;
|
|
import android.content.pm.PackageManager;
|
|
+import android.graphics.drawable.Icon;
|
|
import android.net.Uri;
|
|
import android.os.Binder;
|
|
import android.os.Bundle;
|
|
@@ -531,6 +532,26 @@ public class TelecomServiceImplTest extends TelecomTestCase {
|
|
}
|
|
}
|
|
|
|
+ @SmallTest
|
|
+ @Test
|
|
+ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException {
|
|
+ String packageNameToUse = "com.android.officialpackage";
|
|
+ PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName(
|
|
+ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle());
|
|
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
|
|
+ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
|
|
+ doReturn(PackageManager.PERMISSION_GRANTED)
|
|
+ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE);
|
|
+
|
|
+ // This should fail; security exception will be thrown.
|
|
+ registerPhoneAccountTestHelper(phoneAccount, false);
|
|
+
|
|
+ icon = Icon.createWithContentUri("content://0@media/external/images/media/");
|
|
+ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
|
|
+ // This should succeed.
|
|
+ registerPhoneAccountTestHelper(phoneAccount, true);
|
|
+ }
|
|
+
|
|
@SmallTest
|
|
@Test
|
|
public void testUnregisterPhoneAccount() throws RemoteException {
|