diff options
| author | 2023-03-06 22:19:44 +0000 | |
|---|---|---|
| committer | 2023-03-06 22:19:44 +0000 | |
| commit | 1e6fb470160396e6fce7b5de7d68a075d954cbae (patch) | |
| tree | b5f3ef5e9b5525c84ff6292cfd0bca57739dc32c | |
| parent | a8ce54ee339f1517f290c0f11242bb5f4e9d4ba9 (diff) | |
| parent | 7cb165f1c02e8c5a3093bb331e084b0fa6a32e90 (diff) | |
Merge "Fix vulnerability in AttributionSource due to incorrect Binder call" into tm-dev
| -rw-r--r-- | core/java/android/content/AttributionSource.java | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java index 3f2fa2188d24..16b18c85e790 100644 --- a/core/java/android/content/AttributionSource.java +++ b/core/java/android/content/AttributionSource.java @@ -31,6 +31,7 @@ import android.os.Parcelable; import android.os.Process; import android.permission.PermissionManager; import android.util.ArraySet; +import android.util.Log; import com.android.internal.annotations.Immutable; @@ -87,6 +88,8 @@ import java.util.Set; */ @Immutable public final class AttributionSource implements Parcelable { + private static final String TAG = "AttributionSource"; + private static final String DESCRIPTOR = "android.content.AttributionSource"; private static final Binder sDefaultToken = new Binder(DESCRIPTOR); @@ -154,9 +157,20 @@ public final class AttributionSource implements Parcelable { AttributionSource(@NonNull Parcel in) { this(AttributionSourceState.CREATOR.createFromParcel(in)); - // Since we just unpacked this object as part of it transiting a Binder - // call, this is the perfect time to enforce that its UID and PID can be trusted - enforceCallingUidAndPid(); + if (!Binder.isDirectlyHandlingTransaction()) { + Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #" + + mAttributionSourceState.pid + " when not handling Binder transaction; " + + "clearing."); + mAttributionSourceState.pid = -1; + mAttributionSourceState.uid = -1; + mAttributionSourceState.packageName = null; + mAttributionSourceState.attributionTag = null; + mAttributionSourceState.next = null; + } else { + // Since we just unpacked this object as part of it transiting a Binder + // call, this is the perfect time to enforce that its UID and PID can be trusted + enforceCallingUidAndPid(); + } } /** @hide */ |