Resolve StatusHints image exploit across user. - platform/frameworks/base

diff options

author	Pranav Madapurmath <pmadapurmath@google.com>	2023-05-25 21:58:19 +0000
committer	Pranav Madapurmath <pmadapurmath@google.com>	2023-05-28 17:43:56 +0000
commit	c51386a033634a64b6d2d5823880b32a86da9e7e (patch)
tree	2e4149251c31e40da98953f4570b41cc17b298b3 /libs/androidfw/FileStream.cpp
parent	5dee137deb73163c658ae752119b8a4269727669 (diff)

Resolve StatusHints image exploit across user.

Because of the INTERACT_ACROSS_USERS permission, an app that implements a ConnectionService can upload an image icon belonging to another user by setting it in the StatusHints. Validating the construction of the StatusHints on the calling user would prevent a malicious app from registering a connection service with the embedded image icon from a different user. From additional feedback, this CL also addresses potential vulnerabilities in an app being able to directly invoke the binder for a means to manipulate the contents of the bundle that are passed with it. The targeted points of entry are in ConnectionServiceWrapper for the following APIs: handleCreateConnectionComplete, setStatusHints, addConferenceCall, and addExistingConnection. Fixes: 280797684 Test: Manual (verified that original exploit is no longer an issue). Test: Unit test for validating image in StatusHints constructor. Test: Unit tests to address vulnerabilities via the binder. Change-Id: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2 Merged-In: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2

Diffstat (limited to 'libs/androidfw/FileStream.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: