
Commit 8a1eea02 authored by Eric Miao, committed by Michael Bestas

Enforce permission and debuggability for `am dumpbitmaps`

The previous implementation did not check for permission and
debuggability for `am dumpbitmaps`, which allows a malicious
app to access bitmaps in memory of other processes.

Detailed vulnerability and how a malicious app could make use
of it are documented in b/465136263.

This CL enforces both permission check (with the same permission
as `am dumpheap`) and debuggability.

Bug: 465136263
Bug: 475543853
Flag: EXEMPT BUGFIX
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:93b72e5a84815c09d5eac89fe8f974a44002c629
Merged-In: I10836ce46969f50d837f7f8bf6336f977e830f05
Change-Id: I10836ce46969f50d837f7f8bf6336f977e830f05
See: b/465136263#comment27
parent dc4811db
+11 −0
@@ -16189,6 +16189,10 @@ public class ActivityManagerService extends IActivityManager.Stub
    @NeverCompile // Avoid size overhead of debugging code.
    public void dumpBitmapsProto(ParcelFileDescriptor fd, String[] processes, int userId,
                            boolean allPkgs, String dumpFormat) {
        // note: re-use the same permission as dumpHeap until its own permission is available
        enforceCallingPermission(android.Manifest.permission.SET_ACTIVITY_WATCHER,
                "dumpBitmapsProto()");
        ProtoOutputStream proto = new ProtoOutputStream(fd.getFileDescriptor());
        final ArrayList<ProcessRecord> procs = collectProcesses(null, 0, allPkgs, processes);
        if (procs == null) {
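Review bot: The inline comment above `enforceCallingPermission` in `dumpBitmapsProto()` says SET_ACTIVITY_WATCHER is reused "until its own permission is available", but nothing tracks that follow-up and the method does not document the requirement. Consider making it a TODO that references the bug, and stating on the method that callers must hold SET_ACTIVITY_WATCHER, so the temporary choice is easy to find when a dedicated permission is introduced. Placing the check before the `ProtoOutputStream` is created and before `collectProcesses` runs is the right order and should stay that way.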
@@ -16205,6 +16209,13 @@ public class ActivityManagerService extends IActivityManager.Stub
                if (thread == null) {
                    continue;
                }
                // check process debuggability
                if (!Build.IS_DEBUGGABLE && !r.isDebuggable()) {
                    Slog.w(TAG, "Process not debuggable: " + r.info.packageName);
                    continue;
                }
                try {
                    if (pid == Process.myPid()) {
                        // Directly dump to target proto for local dump to avoid hang.
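Review bot: In the debuggability check inside the per-process loop, a refused process is reported only through `Slog.w` and then skipped with `continue`, so the caller's output gives no sign that a requested process was rejected rather than absent. Consider surfacing the refusal to the caller, for example by writing a message for the skipped package into the dump output. Also, when `Build.IS_DEBUGGABLE` is false and the request matches many processes (the `allPkgs` case), this emits one warning per non-debuggable process; a single summary line or a lower log level would keep the log readable. The rest of the loop body is cut off in this view, so this assumes no later code reports the skip.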