
Commit 61ab2b65 authored by Louis Chang's avatar Louis Chang

Prevent activity token leaked to another process

A malicious app could register the organizer via a one-way binder call
to disguise itself as running on pid 0.

Bug: 367266072
Test: verified via the sample app
Flag: EXEMPT bugfix
Change-Id: I51378c7d2da06fb83670abd082a089cfd82d699d
parent 64358d6a
+7 −2
@@ -429,7 +429,7 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
            }
            }


            final IBinder activityToken;
            final IBinder activityToken;
            if (activity.getPid() == mOrganizerPid) {
            if (activity.getPid() == mOrganizerPid && activity.getUid() == mOrganizerUid) {
                // We only pass the actual token if the activity belongs to the organizer process.
                // We only pass the actual token if the activity belongs to the organizer process.
                activityToken = activity.token;
                activityToken = activity.token;
            } else {
            } else {
@@ -458,7 +458,8 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
                change.setTaskFragmentToken(lastParentTfToken);
                change.setTaskFragmentToken(lastParentTfToken);
            }
            }
            // Only pass the activity token to the client if it belongs to the same process.
            // Only pass the activity token to the client if it belongs to the same process.
            if (nextFillTaskActivity != null && nextFillTaskActivity.getPid() == mOrganizerPid) {
            if (nextFillTaskActivity != null && nextFillTaskActivity.getPid() == mOrganizerPid
                    && nextFillTaskActivity.getUid() == mOrganizerUid) {
                change.setOtherActivityToken(nextFillTaskActivity.token);
                change.setOtherActivityToken(nextFillTaskActivity.token);
            }
            }
            return change;
            return change;
@@ -553,6 +554,10 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
                        "Replacing existing organizer currently unsupported");
                        "Replacing existing organizer currently unsupported");
            }
            }


            if (pid <= 0) {
                throw new IllegalStateException("Cannot register from invalid pid: " + pid);
            }

            if (restoreFromCachedStateIfPossible(organizer, pid, uid, outSavedState)) {
            if (restoreFromCachedStateIfPossible(organizer, pid, uid, outSavedState)) {
                return;
                return;
            }
            }
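Review bot: The comments above the two token checks still describe a process-only match ("belongs to the organizer process", "belongs to the same process") although both conditions now also require `getUid() == mOrganizerUid`; they should read along the lines of `// Only pass the actual token if the activity runs in the organizer's process and under its uid.` The new `pid <= 0` guard in the registration hunk has no comment, so its rationale lives only in the commit message; a line such as `// A one-way binder call reports no real caller pid; reject it so the pid comparison cannot be satisfied by a bogus pid.` would keep the reason next to the check. The pid-and-uid comparison is now written out twice, and a small private helper would keep the two sites from drifting apart in a later change. All three enclosing methods start and end outside the hunks, so how `pid` and `uid` are obtained is not visible here.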