Fix vulnerability in AttributionSource due to incorrect Binder call (2fc07dea) · Commits · e / os / android_frameworks_base

core/java/android/content/AttributionSource.java

+17 −3

Original line number	Diff line number	Diff line
		@@ -30,6 +30,7 @@ import android.os.Parcelable;
		import android.os.Process;
		import android.permission.PermissionManager;
		import android.util.ArraySet;
		import android.util.Log;

		import com.android.internal.annotations.Immutable;

		@@ -86,6 +87,8 @@ import java.util.Set;
		*/
		@Immutable
		public final class AttributionSource implements Parcelable {
		private static final String TAG = "AttributionSource";

		private static final String DESCRIPTOR = "android.content.AttributionSource";

		private static final Binder sDefaultToken = new Binder(DESCRIPTOR);
		@@ -153,10 +156,21 @@ public final class AttributionSource implements Parcelable {
		AttributionSource(@NonNull Parcel in) {
		this(AttributionSourceState.CREATOR.createFromParcel(in));

		if (!Binder.isHandlingTransaction()) {
		Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #"
		+ mAttributionSourceState.pid + " when not handling Binder transaction; "
		+ "clearing.");
		mAttributionSourceState.pid = -1;
		mAttributionSourceState.uid = -1;
		mAttributionSourceState.packageName = null;
		mAttributionSourceState.attributionTag = null;
		mAttributionSourceState.next = null;
		} else {
		// Since we just unpacked this object as part of it transiting a Binder
		// call, this is the perfect time to enforce that its UID and PID can be trusted
		enforceCallingUidAndPid();
		}
		}

		/** @hide */
		public AttributionSource(@NonNull AttributionSourceState attributionSourceState) {