author Lokesh Kumar Goel <lokeshgoel@google.com> 2024-02-27 23:05:05 +0000
committer Austin Borger <borgera@google.com> 2024-03-15 17:36:52 +0000
commit5d79e535b9a802680062545e15fc1faaf779c0bf (patch)
treea9e3772d0cacecbd78a0b9a3c2820772760bd987
parent8ab8c7517905915808491506f634b808618fb706 (diff)
Fix vulnerability in AttributionSource due to incorrect Binder call
AttributionSource uses Binder.getCallingUid to verify the UID of the caller from another process. However, getCallingUid does not always behave as expected. If the AttributionSource is unparceled outside a transaction thread, which is quite possible, getCallingUid will return the UID of the current process instead. If this is a system process, the UID check gets bypassed entirely, meaning any uid can be provided. This patch fixes the vulnerability by emptying out the state of the AttributionSource, so that the service checking its credentials will fail to give permission to the app. Bug: 267231571 Test: v2/android-virtual-infra/test_mapping/presubmit-avd Merged-In: Ic301a8518b8e57e1c9a2c9f2f845e51dca145257 Change-Id: I3f228064fbd62e1c907f1ebe870cb61102f788f0
-rw-r--r--core/java/android/content/AttributionSource.java20
1 files changed, 17 insertions, 3 deletions
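diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java
index 3f2fa2188d24..16b18c85e790 100644
--- a/core/java/android/content/AttributionSource.java
+++ b/core/java/android/content/AttributionSource.java
@@ -31,6 +31,7 @@ import android.os.Parcelable;
 import android.os.Process;
 import android.permission.PermissionManager;
 import android.util.ArraySet;
+import android.util.Log;
 import com.android.internal.annotations.Immutable;
@@ -87,6 +88,8 @@ import java.util.Set;
 */
 @Immutable
 public final class AttributionSource implements Parcelable {
+ private static final String TAG = "AttributionSource";
+
 private static final String DESCRIPTOR = "android.content.AttributionSource";
 private static final Binder sDefaultToken = new Binder(DESCRIPTOR);
@@ -154,9 +157,20 @@ public final class AttributionSource implements Parcelable {
 AttributionSource(@NonNull Parcel in) {
 this(AttributionSourceState.CREATOR.createFromParcel(in));
- // Since we just unpacked this object as part of it transiting a Binder
- // call, this is the perfect time to enforce that its UID and PID can be trusted
- enforceCallingUidAndPid();
+ if (!Binder.isDirectlyHandlingTransaction()) {
+ Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #"
+ + mAttributionSourceState.pid + " when not handling Binder transaction; "
+ + "clearing.");
+ mAttributionSourceState.pid = -1;
+ mAttributionSourceState.uid = -1;
+ mAttributionSourceState.packageName = null;
+ mAttributionSourceState.attributionTag = null;
+ mAttributionSourceState.next = null;
+ } else {
+ // Since we just unpacked this object as part of it transiting a Binder
+ // call, this is the perfect time to enforce that its UID and PID can be trusted
+ enforceCallingUidAndPid();
+ }
 }
 /** @hide */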
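Review bot: The clearing branch in the Parcel constructor resets five fields of `mAttributionSourceState` one at a time, so any field of AttributionSourceState that is not in that list (the state type is not visible in this hunk; if it also carries a Binder token or a renounced-permission set, those keep whatever the untrusted parcel supplied) survives the reset, and a field added to the state later would silently survive as well. Moving the reset into one helper kept next to the state's field list, or building the cleared state through the type's own default construction before delegating to `this(...)`, would make "everything is blanked" hold by construction instead of by enumeration. The branch would also benefit from a comment stating the design choice that the title only implies, e.g. `// uid/pid cannot be verified outside a Binder transaction: blank the state so the receiving service's permission check fails closed instead of throwing here.` The `else` branch's retained comment is accurate only for the transaction case, so the new comment should sit on the `if` side.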