
Commit 6efd55e7 authored by Yohei Yukawa

Lock down IInputMethodManger.{add,remove}Client()

User mode processes are mistakenly allowed to call
IInputMethodManger.{add,remove}Client(), which may allow malicious
apps to register fake IInputMethodClient binder endpoints to
InputMethodManagerService (IMMS).

Luckily IMMS also checks whether the client process has a focused
window or not by calling IWindowManager.inputMethodClientHasFocus()
before doing some critical operations such as establishing a new
InputConnection between the client app and the current IME.

With this CL, IInputMethodManger.{add,remove}Client() start correctly
checking the caller process ID so that only the system process can
use those internal callbacks.

Bug: 112670859
Test: atest CtsInputMethodTestCases CtsInputMethodServiceHostTestCases
Change-Id: Ib9b588d11bd4017e431e3d494863987dd67384fc
parent b4fff5c9
+5 −6
@@ -1714,10 +1714,9 @@ public class InputMethodManagerService extends IInputMethodManager.Stub
    }
    }


    @Override
    @Override
    public void addClient(IInputMethodClient client,
    public void addClient(IInputMethodClient client, IInputContext inputContext, int uid, int pid) {
            IInputContext inputContext, int uid, int pid) {
        if (Binder.getCallingUid() != Process.SYSTEM_UID) {
        if (!calledFromValidUser()) {
            throw new SecurityException("Only system process can call this method.");
            return;
        }
        }
        synchronized (mMethodMap) {
        synchronized (mMethodMap) {
            mClients.put(client.asBinder(), new ClientState(client,
            mClients.put(client.asBinder(), new ClientState(client,
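Review bot: the guard at the top of addClient() compares Binder.getCallingUid() with Process.SYSTEM_UID, so it is a UID check, while the commit message describes it as checking the caller process ID; the wording should match the code. The uid and pid arguments are still supplied by the caller and go straight into the new ClientState, so they are trustworthy only because of this guard. A short Javadoc on addClient() stating that it is a system-only callback and that uid/pid are taken on trust from the system caller would keep a later refactor from loosening the check without noticing that dependency.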
@@ -1727,8 +1726,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub


    @Override
    @Override
    public void removeClient(IInputMethodClient client) {
    public void removeClient(IInputMethodClient client) {
        if (!calledFromValidUser()) {
        if (Binder.getCallingUid() != Process.SYSTEM_UID) {
            return;
            throw new SecurityException("Only system process can call this method.");
        }
        }
        synchronized (mMethodMap) {
        synchronized (mMethodMap) {
            ClientState cs = mClients.remove(client.asBinder());
            ClientState cs = mClients.remove(client.asBinder());
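Review bot: removeClient() repeats the exact `Binder.getCallingUid() != Process.SYSTEM_UID` test and exception string used in addClient(); a single private helper called from both would keep the two entry points from drifting apart. The change also replaces the silent `return` behind calledFromValidUser() with a thrown SecurityException and drops the calledFromValidUser() check entirely, neither of which the commit message mentions, so it is worth confirming that no existing system-side caller relied on the old quiet no-op or on the user validation.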