From ff7be9912fae5a04c2703a113160782dad9509a8 Mon Sep 17 00:00:00 2001
From: Iván Budnik
Date: Tue, 19 Jul 2022 13:22:09 +0000
Subject: Enforce ComponentName belongs to caller app

Add checks that enforce ComponentName's package belongs to calling app in MediaButtonReceiverHolder and MediaSessionRecord. This avoids privileged execution of arbitrary code.

Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: Iac143d8bbc9422f3ca3f42f8c0154b9906ecd897
Merged-In: Iac143d8bbc9422f3ca3f42f8c0154b9906ecd897
---
 .../android/server/media/MediaSessionRecord.java | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index 02b7582a8637..d03cf0648083 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
@@ -18,6 +18,7 @@ package com.android.server.media;
 import android.annotation.Nullable;
 import android.app.PendingIntent;
+import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.ParceledListSlice;
@@ -49,6 +50,8 @@ import android.os.Process;
 import android.os.RemoteException;
 import android.os.ResultReceiver;
 import android.os.SystemClock;
+import android.text.TextUtils;
+import android.util.EventLog;
 import android.util.Log;
 import android.util.Slog;
 import android.view.KeyEvent;
@@ -834,10 +837,30 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
 mHandler.post(MessageHandler.MSG_UPDATE_SESSION_STATE);
 }
+ private boolean checkComponentNamePackage(PendingIntent pi, String packageName) {
+ ComponentName componentName = null;
+ if (pi != null && pi.getIntent() != null) {
+ componentName = pi.getIntent().getComponent();
+ }
+
+ if(componentName != null
+ && !TextUtils.equals(packageName, componentName.getPackageName())) {
+ return false;
+ }
+
+ return true;
+ }
+
 @Override
 public void setMediaButtonReceiver(PendingIntent pi) throws RemoteException {
 final long token = Binder.clearCallingIdentity();
 try {
+ if (!checkComponentNamePackage(pi, mPackageName)) {
+ EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+ throw new IllegalArgumentException("Component Name package does not match "
+ + "package name provided to MediaSessionRecord.");
+ }
+
 if ((mPolicies & SessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER) != 0) {
 return;
-- cgit v1.2.3-59-g8ed1b
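Review bot: `checkComponentNamePackage` fails open: it returns true whenever `pi` is null, `pi.getIntent()` is null, or the intent names no explicit component, so only PendingIntents that carry a component are held to `mPackageName`. If implicit media-button intents are meant to stay allowed, the helper should say so in a comment such as `// Intents without an explicit component are not checked here; confirm they are constrained where the receiver is resolved`; if they are not, those cases need their own rejection (for example comparing `pi.getCreatorPackage()` with `mPackageName`), which this hunk does not show. The SafetyNet event is also written with uid `-1`, which leaves nothing to attribute a rejected call to; capturing `final int uid = Binder.getCallingUid();` before `Binder.clearCallingIdentity()` and logging `EventLog.writeEvent(0x534e4554, "238177121", uid, "")` would make the log usable for triage. The description mentions MediaButtonReceiverHolder, but the diffstat lists only MediaSessionRecord.java, so that path is presumably covered by a separate change. The body of `setMediaButtonReceiver` continues past the end of the hunk.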