From 6926fd15fb16c51468dde270bd61ee68772b8c14 Mon Sep 17 00:00:00 2001
From: Will Leshner
Date: Tue, 31 Oct 2023 13:23:08 -0700
Subject: Fix vulnerability that allowed attackers to start arbitary activities

Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow launching the inappropriate settings activity.
Fixes: 300090204
Merged-In: I6e90e3a0d513dceb7d7f5c59d6807ebe164c5716
Merged-In: I146415ad400827d0a798e27f34f098feb5e96422
Merged-In: I7f2351fc7d9a82778ce21f67018a45ac67c9aaf8
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
---
 .../src/com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
index ab7b54d98285..beadd821957b 100644
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
@@ -351,7 +351,17 @@ public class DreamBackend {
 if (cn != null && cn.indexOf('/') < 0) {
 cn = resolveInfo.serviceInfo.packageName + "/" + cn;
 }
- return cn == null ? null : ComponentName.unflattenFromString(cn);
+ // Ensure that the component is from the same package as the dream service. If not,
+ // treat the component as invalid and return null instead.
+ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
+ if (result != null
+ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
+ Log.w(TAG,
+ "Inconsistent package name in component: " + result.getPackageName()
+ + ", should be: " + resolveInfo.serviceInfo.packageName);
+ return null;
+ }
+ return result;
 }
 
 private static void logd(String msg, Object... args) {
-- 
cgit v1.2.3-59-g8ed1b
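Review bot: The new rejection branch (`return null` when `result.getPackageName()` differs from `resolveInfo.serviceInfo.packageName`) is backed only by the manual checks listed in the commit message. The diffstat shows a single changed file and no test, so a later refactor of this parsing could drop the guard unnoticed. A unit test for DreamBackend would pin the fix: feed it a settings component naming a different package and assert a null result, and add a case showing that the short form without `/` still resolves. The enclosing method starts outside the hunk, so its documentation is not visible here; if it has a Javadoc, it should state the new contract, for example `@return the settings component, or null if it is absent or not in the dream service's own package`. The `Log.w` line also writes the rejected package string, which presumably comes from the dream's own declared metadata, into the log unmodified, so tooling that parses this log should treat that field as untrusted.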