author Jeff Chang <chengjeff@google.com> 2022-05-10 16:28:36 +0800
committer Jeff Chang <chengjeff@google.com> 2022-05-11 14:54:26 +0800
commit ae81043a322d4e99ecaa4cd38ae54d05ec42302a (patch)
tree 1ce466a7e5600f3b98f1e039e42ef1c6670e329c
parent b8b3d5e1efe041a9e27126ded0e73b35b7779c40 (diff)
Fix security bug for startActivityInTaskFragment
A malicious application uses startActivityInTaskFragment to launch an activity from the background while the Settings application is in the foreground. The system allows the activity to start if the realCallingUid has a visible window, per ActivityStarter#shouldAbortBackgroundActivityStart. In this case, resolving the caller's realCallingUid with Binder.getCallingUid() after clearCallingIdentity() yields the system uid. If the Settings app is in the foreground, that makes the system believe there is a visible window now and allows the background activity to start.

This CL passes in the caller's realCallingUid/Pid to the activity starter instead of using Binder.getCallingUid() after clearCallingIdentity() to fix this.

Bug: 230493191
Test: atest WmTests:TaskFragmentOrganizerControllerTest
1. Install the PoC APP and open it.
2. Open the Settings APP and then check if the activity has started.

Change-Id: I8b427de13eac760924bf5a2e7975a60b202a559c
-rw-r--r-- services/core/java/com/android/server/wm/ActivityStartController.java 2
1 files changed, 2 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/wm/ActivityStartController.java b/services/core/java/com/android/server/wm/ActivityStartController.java
index 72408b67de41..d60981fcf504 100644
--- a/services/core/java/com/android/server/wm/ActivityStartController.java
+++ b/services/core/java/com/android/server/wm/ActivityStartController.java
@@ -518,6 +518,8 @@ public class ActivityStartController {
.setRequestCode(-1)
.setCallingUid(callingUid)
.setCallingPid(callingPid)
+ .setRealCallingUid(callingUid)
+ .setRealCallingPid(callingPid)
.setUserId(caller != null ? caller.mUserId : mService.getCurrentUserId())
.execute();
}
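Review bot: the two added setters, .setRealCallingUid(callingUid) and .setRealCallingPid(callingPid), only close the hole if callingUid/callingPid in this method hold the original Binder identity captured before clearCallingIdentity(); the hunk does not show where those values come from, so a short comment above the setters stating that they are the pre-clearCallingIdentity() caller, and that the default of resolving realCallingUid via Binder.getCallingUid() must not be relied on here, would keep a future refactor from reintroducing the bug. It is also worth confirming that WmTests:TaskFragmentOrganizerControllerTest, named in the commit message, asserts on the abort path of shouldAbortBackgroundActivityStart for a caller without a visible window, so the regression is covered rather than only the allowed case.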