From 945f31cc121426a2f00204a3edf6723413257dd5 Mon Sep 17 00:00:00 2001
From: Feng Cao
Date: Wed, 10 Jun 2020 19:57:12 -0700
Subject: Fix content capture session id collision bug
* The content capture session id should be globally unique
* Before this change, the id is genrated from a static random number generator created with new Random(). It appears that it all has the same seed value, so the sequence it generates is identical across processes
* Ideally the session id should be generated from a center place to ensure uniqueness (e.g. system server), or be a UUID which is more unlikely to conflict. We will explore that as a longer term solution in S
* For now the less invasive solution is to use SecureRandom, which produces non-deterministic output
* Other approaches tried: 1) new Random(android.os.Process.myPid()). This doesn't work as the pid value is all the same at static loading time 2) offset the generated number by pid. This will work but the ids are not so random 3) make Random a non-static variable. This will work but it creates a new object for every class
Test: manual
Bug: 158714891
Change-Id: I158f45680a961b32f3b01dc4eabb45e7215cdeec
---
 core/java/android/view/contentcapture/ContentCaptureSession.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/core/java/android/view/contentcapture/ContentCaptureSession.java b/core/java/android/view/contentcapture/ContentCaptureSession.java
index 301ce9f013e4..3f5ef5a2651d 100644
--- a/core/java/android/view/contentcapture/ContentCaptureSession.java
+++ b/core/java/android/view/contentcapture/ContentCaptureSession.java
@@ -39,8 +39,8 @@ import com.android.internal.util.Preconditions;
 import java.io.PrintWriter;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
+import java.security.SecureRandom;
 import java.util.ArrayList;
-import java.util.Random;
 /**
 * Session used when the Android a system-provided content capture service
@@ -50,7 +50,9 @@ public abstract class ContentCaptureSession implements AutoCloseable {
 private static final String TAG = ContentCaptureSession.class.getSimpleName();
- private static final Random sIdGenerator = new Random();
+ // TODO(b/158778794): to make the session ids truly globally unique across
+ // processes, we may need to explore other options.
+ private static final SecureRandom ID_GENERATOR = new SecureRandom();
 /**
 * Initial state, when there is no session.
@@ -622,7 +624,7 @@ public abstract class ContentCaptureSession implements AutoCloseable {
 private static int getRandomSessionId() {
 int id;
 do {
- id = sIdGenerator.nextInt();
+ id = ID_GENERATOR.nextInt();
 } while (id == NO_SESSION_ID);
 return id;
 }
--
cgit v1.2.3-59-g8ed1b
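Review bot: The comment added above `ID_GENERATOR` records the open uniqueness question but not why the field is a `SecureRandom`, so a later cleanup could swap it back to `java.util.Random` as the cheaper generator and bring back the cross-process collisions described in the commit message. I would add a line such as `// Must stay SecureRandom: a static java.util.Random yielded the same id sequence in every process (b/158714891).` The field is still a static that is initialised once per class load, so the fix presumably relies on the platform `SecureRandom` drawing fresh entropy on each call rather than from state captured at initialisation. That assumption is worth stating next to the field as well.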
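Review bot: `getRandomSessionId()` still rejects only `NO_SESSION_ID`, so after this change the ids are non-deterministic but not unique. With a 32-bit space, the chance that two live sessions share an id reaches about 1% at roughly 9,000 ids. The method has no Javadoc saying so; something like `/** Returns a random id other than NO_SESSION_ID; uniqueness is probabilistic, so the receiver must handle a duplicate. */` would keep callers from treating the value as a guaranteed key. Whether the receiving service detects a duplicate id is not visible in this diff and should be confirmed.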