Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6297ade0 authored by Tetiana Meronyk's avatar Tetiana Meronyk Committed by Android Build Coastguard Worker
Browse files

Truncate user data to a limit of 500 characters 

Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.

By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.

Bug: 293602317
Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48d45b507df64708a214a800082b970c8b2bf827)
Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989
Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989
parent 81b4778d

services/core/java/com/android/server/pm/UserManagerService.java

+20 −7
Original line number Original line Diff line number Diff line
@@ -239,6 +239,8 @@ public class UserManagerService extends IUserManager.Stub { 




    private static final int USER_VERSION = 9;

    private static final int USER_VERSION = 9;





    private static final int MAX_USER_STRING_LENGTH = 500;



    private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms

    private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms





    static final int WRITE_USER_MSG = 1;

    static final int WRITE_USER_MSG = 1;
@@ -2908,15 +2910,17 @@ public class UserManagerService extends IUserManager.Stub { 
        // Write seed data

        // Write seed data

        if (userData.persistSeedData) {

        if (userData.persistSeedData) {

            if (userData.seedAccountName != null) {

            if (userData.seedAccountName != null) {

                serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);

                serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,

                        truncateString(userData.seedAccountName));

            }

            }

            if (userData.seedAccountType != null) {

            if (userData.seedAccountType != null) {

                serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);

                serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,

                        truncateString(userData.seedAccountType));

            }

            }

        }

        }

        if (userInfo.name != null) {

        if (userInfo.name != null) {

            serializer.startTag(null, TAG_NAME);

            serializer.startTag(null, TAG_NAME);

            serializer.text(userInfo.name);

            serializer.text(truncateString(userInfo.name));

            serializer.endTag(null, TAG_NAME);

            serializer.endTag(null, TAG_NAME);

        }

        }

        synchronized (mRestrictionsLock) {

        synchronized (mRestrictionsLock) {
@@ -2956,6 +2960,13 @@ public class UserManagerService extends IUserManager.Stub { 
        serializer.endDocument();

        serializer.endDocument();

    }

    }





    private String truncateString(String original) {

        if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {

            return original;

        }

        return original.substring(0, MAX_USER_STRING_LENGTH);

    }



    /*

    /*

     * Writes the user list file in this format:

     * Writes the user list file in this format:

     *

     *
@@ -3365,6 +3376,7 @@ public class UserManagerService extends IUserManager.Stub { 
            @NonNull String userType, @UserInfoFlag int flags, @UserIdInt int parentId,

            @NonNull String userType, @UserInfoFlag int flags, @UserIdInt int parentId,

            boolean preCreate, @Nullable String[] disallowedPackages,

            boolean preCreate, @Nullable String[] disallowedPackages,

            @NonNull TimingsTraceAndSlog t) throws UserManager.CheckedUserOperationException {

            @NonNull TimingsTraceAndSlog t) throws UserManager.CheckedUserOperationException {

        String truncatedName = truncateString(name);

        final UserTypeDetails userTypeDetails = mUserTypes.get(userType);

        final UserTypeDetails userTypeDetails = mUserTypes.get(userType);

        if (userTypeDetails == null) {

        if (userTypeDetails == null) {

            Slog.e(LOG_TAG, "Cannot create user of invalid user type: " + userType);

            Slog.e(LOG_TAG, "Cannot create user of invalid user type: " + userType);
@@ -3390,7 +3402,8 @@ public class UserManagerService extends IUserManager.Stub { 




        // Try to use a pre-created user (if available).

        // Try to use a pre-created user (if available).

        if (!preCreate && parentId < 0 && isUserTypeEligibleForPreCreation(userTypeDetails)) {

        if (!preCreate && parentId < 0 && isUserTypeEligibleForPreCreation(userTypeDetails)) {

            final UserInfo preCreatedUser = convertPreCreatedUserIfPossible(userType, flags, name);

            final UserInfo preCreatedUser = convertPreCreatedUserIfPossible(userType, flags,

                    truncatedName);

            if (preCreatedUser != null) {

            if (preCreatedUser != null) {

                return preCreatedUser;

                return preCreatedUser;

            }

            }
@@ -3482,7 +3495,7 @@ public class UserManagerService extends IUserManager.Stub { 
                        flags &= ~UserInfo.FLAG_EPHEMERAL;

                        flags &= ~UserInfo.FLAG_EPHEMERAL;

                    }

                    }





                    userInfo = new UserInfo(userId, name, null, flags, userType);

                    userInfo = new UserInfo(userId, truncatedName, null, flags, userType);

                    userInfo.serialNumber = mNextSerialNumber++;

                    userInfo.serialNumber = mNextSerialNumber++;

                    userInfo.creationTime = getCreationTime();

                    userInfo.creationTime = getCreationTime();

                    userInfo.partial = true;

                    userInfo.partial = true;
@@ -4552,8 +4565,8 @@ public class UserManagerService extends IUserManager.Stub { 
                    Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);

                    Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);

                    return;

                    return;

                }

                }

                userData.seedAccountName = accountName;

                userData.seedAccountName = truncateString(accountName);

                userData.seedAccountType = accountType;

                userData.seedAccountType = truncateString(accountType);

                userData.seedAccountOptions = accountOptions;

                userData.seedAccountOptions = accountOptions;

                userData.persistSeedData = persist;

                userData.persistSeedData = persist;

            }

            }