DivestOS/Patches/LineageOS-18.1/android_packages_services_Telecomm/403225.patch

From cd4c2994e16a9a5c911292a6d05ed66f41efd53a Mon Sep 17 00:00:00 2001
From: Pranav Madapurmath <pmadapurmath@google.com>
Date: Tue, 11 Jun 2024 22:50:08 -0700
Subject: [PATCH] Resolve cross-user image exploit for conference status hints

Ensure that status hint image icon is validated for cross-user exploits.
Currently, there is no check for this so a conference call can display
an image from another user, exposing a vulnerability.

Bug: 329058967
Test: Manual with POC
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a8e2bf9c77cd94f683979c849015b78ef0537802)
Merged-In: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
Change-Id: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
---
 .../android/server/telecom/ConnectionServiceWrapper.java   | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java
index 6ca74fba3..e944209a4 100644
--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java
+++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java
@@ -133,10 +133,17 @@ public void handleCreateConferenceComplete(String callId, ConnectionRequest requ
                 ParcelableConference conference, Session.Info sessionInfo) {
             Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE,
                     mPackageAbbreviation);
+            UserHandle callingUserHandle = Binder.getCallingUserHandle();
             long token = Binder.clearCallingIdentity();
             try {
                 synchronized (mLock) {
                     logIncoming("handleCreateConferenceComplete %s", callId);
+                    // Check status hints image for cross user access
+                    if (conference.getStatusHints() != null) {
+                        Icon icon = conference.getStatusHints().getIcon();
+                        conference.getStatusHints().setIcon(StatusHints.
+                                validateAccountIconUserBoundary(icon, callingUserHandle));
+                    }
                     Call call = mCallIdMapper.getCall(callId);
                     if (mScheduledFutureMap.containsKey(call)) {
                         ScheduledFuture<?> existingTimeout = mScheduledFutureMap.get(call);