Enforce ComponentName belongs to caller app

Add checks that enforce ComponentName's package belongs to calling app in MediaButtonReceiverHolder and MediaSessionRecord. This avoids privileged execution of arbitrary code. Bug: 238177121 Test: atest CtsMediaBetterTogetherTestCases Change-Id: Iac143d8bbc9422f3ca3f42f8c0154b9906ecd897 Merged-In: Iac143d8bbc9422f3ca3f42f8c0154b9906ecd897
author: Iván Budnik <ivanbuper@google.com> 2022-07-19 13:22:09 +0000
committer: Iván Budnik <ivanbuper@google.com> 2022-08-09 16:39:43 +0000
commit: b479180b73c07082394b96ec0f17d6fcdb67950a (patch)
tree: e29e05f6032edc3e36837451af8e9966011a44d0
parent: 7c5b922af83e73dde27741dd472ca6e195e01a46 (diff)
2 files changed, 25 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java b/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
index 9a190316f4eb..6759d79eedca 100644
--- a/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
+++ b/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
@@ -32,6 +32,7 @@ import android.os.Handler;
 import android.os.PowerWhitelistManager;
 import android.os.UserHandle;
 import android.text.TextUtils;
+import android.util.EventLog;
 import android.util.Log;
 import android.view.KeyEvent;
 
@@ -117,6 +118,12 @@ final class MediaButtonReceiverHolder {
         int componentType = getComponentType(pendingIntent);
         ComponentName componentName = getComponentName(pendingIntent, componentType);
         if (componentName != null) {
+            if (!TextUtils.equals(componentName.getPackageName(), sessionPackageName)) {
+                EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+                throw new IllegalArgumentException("ComponentName does not belong to "
+                        + "sessionPackageName. sessionPackageName = " + sessionPackageName
+                        + ", ComponentName pkg = " + componentName.getPackageName());
+            }
             return new MediaButtonReceiverHolder(userId, pendingIntent, componentName,
                     componentType);
         }
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index 4822d6a62ac7..ca5e97c8aabe 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
@@ -53,6 +53,7 @@ import android.os.RemoteException;
 import android.os.ResultReceiver;
 import android.os.SystemClock;
 import android.text.TextUtils;
+import android.util.EventLog;
 import android.util.Log;
 import android.view.KeyEvent;
 
@@ -934,6 +935,14 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
         @Override
         public void setMediaButtonReceiver(PendingIntent pi, String sessionPackageName)
                 throws RemoteException {
+            //mPackageName has been verified in MediaSessionService.enforcePackageName().
+            if (!TextUtils.equals(sessionPackageName, mPackageName)) {
+                EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+                throw new IllegalArgumentException("sessionPackageName name does not match "
+                        + "package name provided to MediaSessionRecord. sessionPackageName = "
+                        + sessionPackageName + ", pkg = "
+                        + mPackageName);
+            }
             final long token = Binder.clearCallingIdentity();
             try {
                 if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
@@ -952,6 +961,15 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
         public void setMediaButtonBroadcastReceiver(ComponentName receiver) throws RemoteException {
             final long token = Binder.clearCallingIdentity();
             try {
+                //mPackageName has been verified in MediaSessionService.enforcePackageName().
+                if (receiver != null && !TextUtils.equals(
+                        mPackageName, receiver.getPackageName())) {
+                    EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+                    throw new IllegalArgumentException("receiver does not belong to "
+                            + "package name provided to MediaSessionRecord. Pkg = " + mPackageName
+                            + ", Receiver Pkg = " + receiver.getPackageName());
+                }
+
                 if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
                         != 0) {
                     return;
author	Iván Budnik <ivanbuper@google.com>	2022-07-19 13:22:09 +0000
committer	Iván Budnik <ivanbuper@google.com>	2022-08-09 16:39:43 +0000
commit	b479180b73c07082394b96ec0f17d6fcdb67950a (patch)
tree	e29e05f6032edc3e36837451af8e9966011a44d0
parent	7c5b922af83e73dde27741dd472ca6e195e01a46 (diff)