
Commit 9515a944 authored by Louis Chang's avatar Louis Chang Committed by Android Build Coastguard Worker

Prevent activity token leaked to another process

A malicious app could register the organizer via a one-way binder call
to disguise itself as running on pid 0.

Bug: 367266072
Test: verified via the sample app
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:61ab2b65caf855c48fdb4166f94e02bf79c90e7b)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6ab778a0dd3d09c6e3e2b6176245d3c99b5170ce)
Merged-In: I51378c7d2da06fb83670abd082a089cfd82d699d
Change-Id: I51378c7d2da06fb83670abd082a089cfd82d699d
parent 2b4d662a
+8 −2
@@ -390,7 +390,7 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
            }

            final IBinder activityToken;
            if (activity.getPid() == mOrganizerPid) {
            if (activity.getPid() == mOrganizerPid && activity.getUid() == mOrganizerUid) {
                // We only pass the actual token if the activity belongs to the organizer process.
                activityToken = activity.token;
            } else {
@@ -420,7 +420,8 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
            }
            // Only pass the activity token to the client if it belongs to the same process.
            if (Flags.fixPipRestoreToOverlay() && nextFillTaskActivity != null
                    && nextFillTaskActivity.getPid() == mOrganizerPid) {
                    && nextFillTaskActivity.getPid() == mOrganizerPid
                    && nextFillTaskActivity.getUid() == mOrganizerUid) {
                change.setOtherActivityToken(nextFillTaskActivity.token);
            }
            return change;
@@ -517,6 +518,11 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
                throw new IllegalStateException(
                        "Replacing existing organizer currently unsupported");
            }

            if (pid <= 0) {
                throw new IllegalStateException("Cannot register from invalid pid: " + pid);
            }

            mTaskFragmentOrganizerState.put(organizer.asBinder(),
                    new TaskFragmentOrganizerState(organizer, pid, uid, isSystemOrganizer));
            mPendingTaskFragmentEvents.put(organizer.asBinder(), new ArrayList<>());
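Review bot: The pid-and-uid comparison that gates the activity token is now written out twice, once as `activity.getPid() == mOrganizerPid && activity.getUid() == mOrganizerUid` in the first hunk and again for `nextFillTaskActivity` in the second. A later edit that touches only one copy would reopen the leak this commit closes. A single private predicate next to the `mOrganizerPid`/`mOrganizerUid` fields, for example `private boolean isInOrganizerProcess(ActivityRecord r) { return r.getPid() == mOrganizerPid && r.getUid() == mOrganizerUid; }`, would keep both call sites in step; the parameter type is assumed, since the declaration of `activity` is not visible here. The new `pid <= 0` guard in the third hunk would also benefit from a comment recording why it exists, such as `// A one-way binder call reports caller pid 0, which could match an activity with no attached process.`, which is inferred from the commit message rather than from the visible code. All three enclosing methods start and end outside the hunks.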