summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
author Bishoy Gendy <bishoygendy@google.com> 2024-04-11 16:37:10 +0000
committer Cherrypicker Worker <android-build-cherrypicker-worker@google.com> 2024-05-29 11:26:40 +0000
commit4cb24d0d7a28a77894ad7a1fcedb04bd58a986fc (patch)
tree083cf73fcaf6616f812bbf38b5544db88bfb738d
parentb0d976b8d74592e82e22043a7f28abc9af74dd93 (diff)
Fix security vulnerability allowing apps to start from background
Bug: 317048338 Test: Using the steps in b/317048338#comment12 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64) Merged-In: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759 Change-Id: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
Diffstat
-rw-r--r--media/java/android/media/session/ParcelableListBinder.java13
-rw-r--r--services/core/java/com/android/server/media/MediaSessionRecord.java14
2 files changed, 19 insertions, 8 deletions
diff --git a/media/java/android/media/session/ParcelableListBinder.java b/media/java/android/media/session/ParcelableListBinder.java
index bbf1e0889b68..d78828462b1e 100644
--- a/media/java/android/media/session/ParcelableListBinder.java
+++ b/media/java/android/media/session/ParcelableListBinder.java
@@ -45,6 +45,7 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
private static final int END_OF_PARCEL = 0;
private static final int ITEM_CONTINUED = 1;
+ private final Class<T> mListElementsClass;
private final Consumer<List<T>> mConsumer;
private final Object mLock = new Object();
@@ -61,9 +62,11 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
/**
* Creates an instance.
*
+ * @param listElementsClass the class of the list elements.
* @param consumer a consumer that consumes the list received
*/
- public ParcelableListBinder(@NonNull Consumer<List<T>> consumer) {
+ public ParcelableListBinder(Class<T> listElementsClass, @NonNull Consumer<List<T>> consumer) {
+ mListElementsClass = listElementsClass;
mConsumer = consumer;
}
@@ -83,7 +86,13 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
mCount = data.readInt();
}
while (i < mCount && data.readInt() != END_OF_PARCEL) {
- mList.add(data.readParcelable(null));
+ Object object = data.readParcelable(null);
+ if (mListElementsClass.isAssignableFrom(object.getClass())) {
+ // Checking list items are of compaitible types to validate against malicious
+ // apps calling it directly via reflection with non compilable items.
+ // See b/317048338 for more details
+ mList.add((T) object);
+ }
i++;
}
if (i >= mCount) {
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index a9a82725223d..e2e0d834d6d1 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
@@ -1329,12 +1329,14 @@ public class MediaSessionRecord extends MediaSessionRecordImpl implements IBinde
@Override
public IBinder getBinderForSetQueue() throws RemoteException {
- return new ParcelableListBinder<QueueItem>((list) -> {
- synchronized (mLock) {
- mQueue = list;
- }
- mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
- });
+ return new ParcelableListBinder<QueueItem>(
+ QueueItem.class,
+ (list) -> {
+ synchronized (mLock) {
+ mQueue = list;
+ }
+ mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
+ });
}
@Override
generated by cgit v1.2.3-59-g8ed1b (git 2.39.0) at 2025-12-07 02:01:31 +0000