diff options
| author | 2023-03-08 03:01:36 +0000 | |
|---|---|---|
| committer | 2023-06-06 20:06:54 +0000 | |
| commit | 53657da852a5c2f6f50ad5a54c2d927bf12d9c24 (patch) | |
| tree | fe670cd93c88556ef1adade6f57daf3eccb0ed20 | |
| parent | a4ce59634ccb13720a94385505b03a1931e9a27d (diff) | |
DO NOT MERGE Revert "Revert "Fix vulnerability in AttributionSource due to in..."
Revert submission 21893028-revert-21778925-tm-dev-2-attribution-source-GNWUUYEQSX
Reason for revert: Re-submitting after test devices have been updated with the new Wifi mainline module.
Reverted changes: /q/submissionid:21893028-revert-21778925-tm-dev-2-attribution-source-GNWUUYEQSX
Change-Id: Ie108fa208af1c2e35d2c0137e45fa146e260c93d
Merged-In: Ic301a8518b8e57e1c9a2c9f2f845e51dca145257
Bug: 267231571
| -rw-r--r-- | core/java/android/content/AttributionSource.java | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java index 3f2fa2188d24..16b18c85e790 100644 --- a/core/java/android/content/AttributionSource.java +++ b/core/java/android/content/AttributionSource.java @@ -31,6 +31,7 @@ import android.os.Parcelable; import android.os.Process; import android.permission.PermissionManager; import android.util.ArraySet; +import android.util.Log; import com.android.internal.annotations.Immutable; @@ -87,6 +88,8 @@ import java.util.Set; */ @Immutable public final class AttributionSource implements Parcelable { + private static final String TAG = "AttributionSource"; + private static final String DESCRIPTOR = "android.content.AttributionSource"; private static final Binder sDefaultToken = new Binder(DESCRIPTOR); @@ -154,9 +157,20 @@ public final class AttributionSource implements Parcelable { AttributionSource(@NonNull Parcel in) { this(AttributionSourceState.CREATOR.createFromParcel(in)); - // Since we just unpacked this object as part of it transiting a Binder - // call, this is the perfect time to enforce that its UID and PID can be trusted - enforceCallingUidAndPid(); + if (!Binder.isDirectlyHandlingTransaction()) { + Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #" + + mAttributionSourceState.pid + " when not handling Binder transaction; " + + "clearing."); + mAttributionSourceState.pid = -1; + mAttributionSourceState.uid = -1; + mAttributionSourceState.packageName = null; + mAttributionSourceState.attributionTag = null; + mAttributionSourceState.next = null; + } else { + // Since we just unpacked this object as part of it transiting a Binder + // call, this is the perfect time to enforce that its UID and PID can be trusted + enforceCallingUidAndPid(); + } } /** @hide */ |