From a206a0f17eeac58d00800db5841a08ac32ad26d1 Mon Sep 17 00:00:00 2001
From: Tom O'Neill
Date: Thu, 15 Dec 2016 10:26:28 -0800
Subject: Fix exploit where can hide the fact that a location was mocked - Even if call setTestProviderLocation() with inconsistent providers, should still end up with a location that is flagged as mocked - Bug: 33091107 Change-Id: I39e038f25b975989c2e8651bfd9ec9e74073e6cd
---
 .../java/com/android/server/LocationManagerService.java | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/services/java/com/android/server/LocationManagerService.java b/services/java/com/android/server/LocationManagerService.java
index eebd1c5e9642..5a8be7b2b60b 100644
--- a/services/java/com/android/server/LocationManagerService.java
+++ b/services/java/com/android/server/LocationManagerService.java
@@ -57,6 +57,8 @@ import android.os.SystemClock;
 import android.os.UserHandle;
 import android.os.WorkSource;
 import android.provider.Settings;
+import android.text.TextUtils;
+import android.util.EventLog;
 import android.util.Log;
 import android.util.Slog;
 import com.android.internal.content.PackageMonitor;
@@ -2247,9 +2249,22 @@ public class LocationManagerService extends ILocationManager.Stub {
 if (mockProvider == null) {
 throw new IllegalArgumentException("Provider \"" + provider + "\" unknown");
 }
+
+ // Ensure that the location is marked as being mock. There's some logic to do this in
+ // handleLocationChanged(), but it fails if loc has the wrong provider (bug 33091107).
+ Location mock = new Location(loc);
+ mock.setIsFromMockProvider(true);
+
+ if (!TextUtils.isEmpty(loc.getProvider()) && !provider.equals(loc.getProvider())) {
+ // The location has an explicit provider that is different from the mock provider
+ // name. The caller may be trying to fool us via bug 33091107.
+ EventLog.writeEvent(0x534e4554, "33091107", Binder.getCallingUid(),
+ provider + "!=" + loc.getProvider());
+ }
+
 // clear calling identity so INSTALL_LOCATION_PROVIDER permission is not required
 long identity = Binder.clearCallingIdentity();
- mockProvider.setLocation(loc);
+ mockProvider.setLocation(mock);
 Binder.restoreCallingIdentity(identity);
 }
 }
-- 
cgit v1.2.3-59-g8ed1b
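Review bot: The window between `Binder.clearCallingIdentity()` and `Binder.restoreCallingIdentity(identity)` at the end of the hunk is still unguarded, so an exception thrown by `mockProvider.setLocation(mock)` would skip the restore and leave the thread running with the cleared identity while it unwinds. Scoping it as `try { mockProvider.setLocation(mock); } finally { Binder.restoreCallingIdentity(identity); }` keeps the privilege change confined to that one statement. Separately, the mismatch branch only writes the EventLog entry, and the copy `mock` still carries the caller-supplied provider name rather than `provider`. Whether later code keys on that name cannot be seen from this hunk, so a one-line comment such as `// mismatch is logged but tolerated; mock flag is what downstream must trust` would record the intent. The enclosing method starts outside the hunk.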