Fix vulnerability in AttributionSource due to incorrect Binder call
AttributionSource uses Binder.getCallingUid to verify the UID of the caller from another process. However, getCallingUid does not always behave as expected. If the AttributionSource is unparceled outside a transaction thread, which is quite possible, getCallingUid will return the UID of the current process instead. If this is a system process, the UID check gets bypassed entirely, meaning any uid can be provided.

This patch fixes the vulnerability by emptying out the state of the AttributionSource, so that the service checking its credentials will fail to give permission to the app.

Bug: 267231571
Test: v2/android-virtual-infra/test_mapping/presubmit-avd
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d79e535b9a802680062545e15fc1faaf779c0bf)
Merged-In: I3f228064fbd62e1c907f1ebe870cb61102f788f0
Change-Id: I3f228064fbd62e1c907f1ebe870cb61102f788f0
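
The failure mode described in the commit message, as an added stand-alone Java model that is not the AOSP patch or Android framework code. `FakeBinder`, `Source`, `serviceGrants` and the UID values are hypothetical, and the hardened branch only mirrors the commit's description of emptying the state when no transaction is being handled.

```java
// Stand-alone model of the calling-identity pitfall; runs on a plain JVM.
// FakeBinder, Source and all UID values are hypothetical, not framework code.
import java.util.function.Supplier;

public class CallingUidModel {
    static final int SYSTEM_UID = 1000;   // UID of the process hosting the service
    static final int APP_UID = 10123;     // constructed UID of the untrusted caller

    /** Models Binder's per-thread calling identity. */
    static final class FakeBinder {
        private static final ThreadLocal<Integer> caller = new ThreadLocal<>();
        static boolean inTransaction() { return caller.get() != null; }
        // Outside a transaction this falls back to the current process's own UID.
        static int getCallingUid() { return inTransaction() ? caller.get() : SYSTEM_UID; }
        static <T> T transact(int uid, Supplier<T> body) {
            caller.set(uid);
            try { return body.get(); } finally { caller.remove(); }
        }
    }

    /** Models an attribution record whose uid field is claimed by the sender. */
    static final class Source {
        int uid;
        Source(int claimedUid, boolean hardened) {
            uid = claimedUid;
            if (hardened && !FakeBinder.inTransaction()) {
                uid = -1; // no real caller to compare against: empty the state
                return;
            }
            int callingUid = FakeBinder.getCallingUid();
            // A system-UID caller may attribute to any UID; others only to themselves.
            if (callingUid != SYSTEM_UID && callingUid != claimedUid) {
                throw new SecurityException("uid " + callingUid + " claimed " + claimedUid);
            }
        }
    }

    static boolean serviceGrants(Source s, int expectedUid) { return s.uid == expectedUid; }

    public static void main(String[] args) {
        int forged = 10999; // constructed UID the caller does not own
        // On the transaction thread the mismatch is caught.
        try { FakeBinder.transact(APP_UID, () -> new Source(forged, false)); }
        catch (SecurityException e) { System.out.println("in transaction: rejected"); }
        // Unparceled later, off the transaction thread: the check sees SYSTEM_UID.
        System.out.println("deferred, unpatched grants: " + serviceGrants(new Source(forged, false), forged));
        System.out.println("deferred, hardened grants:  " + serviceGrants(new Source(forged, true), forged));
    }
}
```

In the model the unpatched deferred path grants and the hardened one does not, because the emptied record no longer matches any UID the service would accept.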