Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 922e52bc authored by Austin Borger's avatar Austin Borger
Browse files

Fix vulnerability in AttributionSource due to incorrect Binder call 

AttributionSource uses Binder.getCallingUid to verify the UID of the
caller from another process. However, getCallingUid does not always
behave as expected. If the AttributionSource is unparceled outside a
transaction thread, which is quite possible, getCallingUid will return
the UID of the current process instead. If this is a system process,
the UID check gets bypassed entirely, meaning any uid can be provided.

This patch fixes the vulnerability by enforcing that the AttributionSource
be unparceled in a transaction only. If it is not, a SecurityException
will be thrown.

Bug: 267231571
Test: Smoke test on cuttlefish.
Test: v2/android-virtual-infra/test_mapping/presubmit-avd
Change-Id: Ic301a8518b8e57e1c9a2c9f2f845e51dca145257
parent d2b13f41

core/java/android/content/AttributionSource.java

+5 −0
Original line number Diff line number Diff line
@@ -155,6 +155,11 @@ public final class AttributionSource implements Parcelable { 
    AttributionSource(@NonNull Parcel in) {

        this(AttributionSourceState.CREATOR.createFromParcel(in));



        if (!Binder.isDirectlyHandlingTransaction()) {

            throw new SecurityException("AttributionSource should be unparceled during a binder "

                    + "transaction for proper verification.");

        }



        // Since we just unpacked this object as part of it transiting a Binder

        // call, this is the perfect time to enforce that its UID and PID can be trusted

        enforceCallingUidAndPid();