| author | 2022-05-10 16:28:36 +0800 | |
|---|---|---|
| committer | 2022-05-11 14:54:26 +0800 | |
| commit | ae81043a322d4e99ecaa4cd38ae54d05ec42302a (patch) | |
| tree | 1ce466a7e5600f3b98f1e039e42ef1c6670e329c /libs/androidfw/StringPool.cpp | |
| parent | b8b3d5e1efe041a9e27126ded0e73b35b7779c40 (diff) | |
Fix security bug for startActivityInTaskFragment

A malicious application uses startActivityInTaskFragment to launch an
activity from the background in case the setting application is in
the foreground. The system allows an activity to start if the realCallingUid
has a visible window from
ActivityStarter#shouldAbortBackgroundActivityStart. For this case,
resolving the caller’s realCallingUid is a system uid while using
Binder.getCallingUid() after clearCallingIdentity(). If the setting
app is in the foreground, that makes the system believe there is a visible
window now and allows the background activity to start.

This CL passes in the caller realCallingUid/Pid for activity starter
instead of using Binder.getCallingUid() after clearCallingIdentity()
to fix.

Bug: 230493191
Test: atest WmTests:TaskFragmentOrganizerControllerTest
1. Install the PoC app and open it.
2. Open the Settings app and then check if the activity has
started.
Change-Id: I8b427de13eac760924bf5a2e7975a60b202a559c
Diffstat (limited to 'libs/androidfw/StringPool.cpp')
0 files changed, 0 insertions, 0 deletions
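
The ordering problem the commit message describes, as an added stand-alone model (not the AOSP change and not code from this commit). `FakeBinder`, `shouldAbortBackgroundStart`, `startVulnerable`, `startFixed` and the uid `10123` are hypothetical names and values; the model assumes the Settings app runs under the system uid (1000), which is what makes the visible-window check pass in the scenario above.

```java
import java.util.Set;

public class CallingIdentityDemo {
    static final int SYSTEM_UID = 1000; // uid of the system process
    static final int APP_UID = 10123;   // constructed uid of the background caller

    /** Hypothetical stand-in for the per-thread calling identity kept by android.os.Binder. */
    static final class FakeBinder {
        private static final ThreadLocal<Integer> CALLER = ThreadLocal.withInitial(() -> SYSTEM_UID);
        static void incomingCall(int uid) { CALLER.set(uid); }  // simulates an incoming transaction
        static int getCallingUid() { return CALLER.get(); }
        static long clearCallingIdentity() {                    // identity becomes the local process
            long token = CALLER.get();
            CALLER.set(SYSTEM_UID);
            return token;
        }
        static void restoreCallingIdentity(long token) { CALLER.set((int) token); }
    }

    /** Simplified visible-window rule: abort unless realCallingUid owns a visible window. */
    static boolean shouldAbortBackgroundStart(int realCallingUid, Set<Integer> uidsWithVisibleWindow) {
        return !uidsWithVisibleWindow.contains(realCallingUid);
    }

    /** Before the fix: the uid is read after the identity was cleared, so it is SYSTEM_UID. */
    static boolean startVulnerable(Set<Integer> visible) {
        long token = FakeBinder.clearCallingIdentity();
        try {
            int realCallingUid = FakeBinder.getCallingUid();
            return !shouldAbortBackgroundStart(realCallingUid, visible);
        } finally {
            FakeBinder.restoreCallingIdentity(token);
        }
    }

    /** After the fix: the caller's uid is captured first and passed to the check. */
    static boolean startFixed(Set<Integer> visible) {
        int realCallingUid = FakeBinder.getCallingUid();
        long token = FakeBinder.clearCallingIdentity();
        try {
            return !shouldAbortBackgroundStart(realCallingUid, visible);
        } finally {
            FakeBinder.restoreCallingIdentity(token);
        }
    }

    public static void main(String[] args) {
        Set<Integer> visible = Set.of(SYSTEM_UID); // Settings in the foreground (assumed system uid)
        FakeBinder.incomingCall(APP_UID);
        System.out.println("vulnerable path allows start: " + startVulnerable(visible));
        System.out.println("fixed path allows start:      " + startFixed(visible));
    }
}
```

When reviewing similar code, any caller-identity lookup that sits between a clear and its matching restore is worth flagging, since the value it returns no longer describes the remote caller.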