Fix vulnerability in AttributionSource due to incorrect Binder call (5d79e535) · Commits · e / os / android_frameworks_base

core/java/android/content/AttributionSource.java

+17 −3

Original line number	Diff line number	Diff line
		@@ -31,6 +31,7 @@ import android.os.Parcelable;
		import android.os.Process;
		import android.permission.PermissionManager;
		import android.util.ArraySet;
		import android.util.Log;

		import com.android.internal.annotations.Immutable;

		@@ -87,6 +88,8 @@ import java.util.Set;
		*/
		@Immutable
		public final class AttributionSource implements Parcelable {
		private static final String TAG = "AttributionSource";

		private static final String DESCRIPTOR = "android.content.AttributionSource";

		private static final Binder sDefaultToken = new Binder(DESCRIPTOR);
		@@ -154,10 +157,21 @@ public final class AttributionSource implements Parcelable {
		AttributionSource(@NonNull Parcel in) {
		this(AttributionSourceState.CREATOR.createFromParcel(in));

		if (!Binder.isDirectlyHandlingTransaction()) {
		Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #"
		+ mAttributionSourceState.pid + " when not handling Binder transaction; "
		+ "clearing.");
		mAttributionSourceState.pid = -1;
		mAttributionSourceState.uid = -1;
		mAttributionSourceState.packageName = null;
		mAttributionSourceState.attributionTag = null;
		mAttributionSourceState.next = null;
		} else {
		// Since we just unpacked this object as part of it transiting a Binder
		// call, this is the perfect time to enforce that its UID and PID can be trusted
		enforceCallingUidAndPid();
		}
		}

		/** @hide */
		public AttributionSource(@NonNull AttributionSourceState attributionSourceState) {