Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
7a42c9eb17
DivestOS/Patches/LineageOS-15.1/android_frameworks_base/379150.patch
Tavi 4fae529ddc
15.1: January ASB work 
+ a bonus patch for 16.0 and 17.1 as pointed out by @syphyr

Signed-off-by: Tavi <tavi@divested.dev>
2024-01-09 15:03:36 -05:00

41 lines
2.1 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Will Leshner <wleshner@google.com>
Date: Tue, 31 Oct 2023 13:23:08 -0700
Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
activities
Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
---
.../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
index 988060eac64d..a208d2f9284f 100644
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
@@ -331,7 +331,17 @@ public class DreamBackend {
if (cn != null && cn.indexOf('/') < 0) {
cn = resolveInfo.serviceInfo.packageName + "/" + cn;
}
- return cn == null ? null : ComponentName.unflattenFromString(cn);
+ // Ensure that the component is from the same package as the dream service. If not,
+ // treat the component as invalid and return null instead.
+ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
+ if (result != null
+ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
+ Log.w(TAG,
+ "Inconsistent package name in component: " + result.getPackageName()
+ + ", should be: " + resolveInfo.serviceInfo.packageName);
+ return null;
+ }
+ return result;
}
private static void logd(String msg, Object... args) {
Reference in New Issue View Git Blame Copy Permalink