services/core/java/com/android/server/accounts/AccountManagerService.java +30 −4 @@ -89,6 +89,7 @@ import android.os.UserHandle; import android.os.UserManager; import android.stats.devicepolicy.DevicePolicyEnums; import android.text.TextUtils; import android.util.EventLog; import android.util.Log; import android.util.Pair; import android.util.Slog; @@ -3100,7 +3101,7 @@ public class AccountManagerService */ if (!checkKeyIntent( Binder.getCallingUid(), intent)) { result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; @@ -3519,7 +3520,7 @@ public class AccountManagerService && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { if (!checkKeyIntent( Binder.getCallingUid(), intent)) { result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; @@ -4870,7 +4871,13 @@ public class AccountManagerService * into launching arbitrary intents on the device via by tricking to click authenticator * supplied entries in the system Settings app. */ protected boolean checkKeyIntent(int authUid, Intent intent) { protected boolean checkKeyIntent(int authUid, Bundle bundle) { if (!checkKeyIntentParceledCorrectly(bundle)) { EventLog.writeEvent(0x534e4554, "250588548", authUid, ""); return false; } Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT, Intent.class); // Explicitly set an empty ClipData to ensure that we don't offer to // promote any Uris contained inside for granting purposes if (intent.getClipData() == null) {
@@ -4905,6 +4912,25 @@ public class AccountManagerService } } /** * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't * violate our security policy. * * In particular we want to make sure the Authenticator doesn't trick users * into launching arbitrary intents on the device via exploiting any other Parcel read/write * mismatch problems. */ private boolean checkKeyIntentParceledCorrectly(Bundle bundle) { Parcel p = Parcel.obtain(); p.writeBundle(bundle); p.setDataPosition(0); Bundle simulateBundle = p.readBundle(); p.recycle(); Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT, Intent.class); return (intent.filterEquals(simulateBundle.getParcelable(AccountManager.KEY_INTENT, Intent.class))); } private boolean isExportedSystemActivity(ActivityInfo activityInfo) { String className = activityInfo.name; return "android".equals(activityInfo.packageName) && @@ -5051,7 +5077,7 @@ public class AccountManagerService && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { if (!checkKeyIntent( Binder.getCallingUid(), intent)) { result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return;
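Review bot: `checkKeyIntentParceledCorrectly` calls `intent.filterEquals(...)` on the value read from the bundle without a null check, and `p.recycle()` is skipped if `writeBundle` or `readBundle` throws, so a bundle with no usable KEY_INTENT, or one that fails to unparcel, surfaces as an exception instead of a failed check. Two of the three call sites shown test `intent != null` first, but the guard for the call near new line 3101 is outside the hunk, so the helper should not depend on it. `Intent.filterEquals` also ignores extras and, as far as I can tell, the selector, so the round-trip comparison covers less than what the client would act on; comparing the selector too is worth considering. The `EventLog.writeEvent` call passes an empty detail string, and a short reason there would help triage. A null guard and try/finally for the helper are sketched below.

```java
private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
    Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT, Intent.class);
    if (intent == null) {
        // Nothing to validate; fail closed so checkKeyIntent never dereferences null.
        return false;
    }
    Parcel p = Parcel.obtain();
    try {
        p.writeBundle(bundle);
        p.setDataPosition(0);
        Bundle simulateBundle = p.readBundle();
        return intent.filterEquals(
                simulateBundle.getParcelable(AccountManager.KEY_INTENT, Intent.class));
    } finally {
        // Return the Parcel to the pool even when the simulated read throws.
        p.recycle();
    }
}
```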
services/core/java/com/android/server/accounts/AccountManagerService.java +30 −4 @@ -89,6 +89,7 @@ import android.os.UserHandle; import android.os.UserManager; import android.stats.devicepolicy.DevicePolicyEnums; import android.text.TextUtils; import android.util.EventLog; import android.util.Log; import android.util.Pair; import android.util.Slog; @@ -3100,7 +3101,7 @@ public class AccountManagerService */ if (!checkKeyIntent( Binder.getCallingUid(), intent)) { result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; @@ -3519,7 +3520,7 @@ public class AccountManagerService && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { if (!checkKeyIntent( Binder.getCallingUid(), intent)) { result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; @@ -4870,7 +4871,13 @@ public class AccountManagerService * into launching arbitrary intents on the device via by tricking to click authenticator * supplied entries in the system Settings app. */ protected boolean checkKeyIntent(int authUid, Intent intent) { protected boolean checkKeyIntent(int authUid, Bundle bundle) { if (!checkKeyIntentParceledCorrectly(bundle)) { EventLog.writeEvent(0x534e4554, "250588548", authUid, ""); return false; } Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT, Intent.class); // Explicitly set an empty ClipData to ensure that we don't offer to // promote any Uris contained inside for granting purposes if (intent.getClipData() == null) {
@@ -4905,6 +4912,25 @@ public class AccountManagerService } } /** * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't * violate our security policy. * * In particular we want to make sure the Authenticator doesn't trick users * into launching arbitrary intents on the device via exploiting any other Parcel read/write * mismatch problems. */ private boolean checkKeyIntentParceledCorrectly(Bundle bundle) { Parcel p = Parcel.obtain(); p.writeBundle(bundle); p.setDataPosition(0); Bundle simulateBundle = p.readBundle(); p.recycle(); Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT, Intent.class); return (intent.filterEquals(simulateBundle.getParcelable(AccountManager.KEY_INTENT, Intent.class))); } private boolean isExportedSystemActivity(ActivityInfo activityInfo) { String className = activityInfo.name; return "android".equals(activityInfo.packageName) && @@ -5051,7 +5077,7 @@ public class AccountManagerService && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { if (!checkKeyIntent( Binder.getCallingUid(), intent)) { result)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return;