diff options
| author | 2023-03-06 23:36:01 +0000 | |
|---|---|---|
| committer | 2023-03-06 23:36:01 +0000 | |
| commit | accb88c894757231667cdb652fefba27c813828e (patch) | |
| tree | 3afdfa6369c3fea49263076262787f0cbbde90fc | |
| parent | 5e82ca7952f4949e7ead3897feccdc328e331af5 (diff) | |
| parent | 2fc07deafd257dcc934bb802887ef4297f49548f (diff) | |
Merge "Fix vulnerability in AttributionSource due to incorrect Binder call" into sc-dev
| -rw-r--r-- | core/java/android/content/AttributionSource.java | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java index 2f61fee88e9f..ec56f9a7cf0c 100644 --- a/core/java/android/content/AttributionSource.java +++ b/core/java/android/content/AttributionSource.java @@ -30,6 +30,7 @@ import android.os.Parcelable; import android.os.Process; import android.permission.PermissionManager; import android.util.ArraySet; +import android.util.Log; import com.android.internal.annotations.Immutable; @@ -86,6 +87,8 @@ import java.util.Set; */ @Immutable public final class AttributionSource implements Parcelable { + private static final String TAG = "AttributionSource"; + private static final String DESCRIPTOR = "android.content.AttributionSource"; private static final Binder sDefaultToken = new Binder(DESCRIPTOR); @@ -153,9 +156,20 @@ public final class AttributionSource implements Parcelable { AttributionSource(@NonNull Parcel in) { this(AttributionSourceState.CREATOR.createFromParcel(in)); - // Since we just unpacked this object as part of it transiting a Binder - // call, this is the perfect time to enforce that its UID and PID can be trusted - enforceCallingUidAndPid(); + if (!Binder.isHandlingTransaction()) { + Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #" + + mAttributionSourceState.pid + " when not handling Binder transaction; " + + "clearing."); + mAttributionSourceState.pid = -1; + mAttributionSourceState.uid = -1; + mAttributionSourceState.packageName = null; + mAttributionSourceState.attributionTag = null; + mAttributionSourceState.next = null; + } else { + // Since we just unpacked this object as part of it transiting a Binder + // call, this is the perfect time to enforce that its UID and PID can be trusted + enforceCallingUidAndPid(); + } } /** @hide */ |