Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9ba4f769 authored May 02, 2023 by Daniel Norman

Moves A11yServiceInfo size check in the system_server.

Previously malicious AccessibilityServices could use reflection to find
their IAccessibilityServiceConnection and invoke setServiceInfo,
bypassing the size check in the AccessibilityService process.

Bug: 277072324
Test: new test in AccessibilityServiceInfoTest using reflection
Change-Id: I72e879c27bff65f836756d223aa71fb11a6e3cf0

parent 7cf8a5da

core/java/android/accessibilityservice/AccessibilityService.java

+0 −4

Original line number	Diff line number	Diff line
		@@ -2580,10 +2580,6 @@ public abstract class AccessibilityService extends Service {
		IAccessibilityServiceConnection connection =
		AccessibilityInteractionClient.getInstance(this).getConnection(mConnectionId);
		if (mInfo != null && connection != null) {
		if (!mInfo.isWithinParcelableSize()) {
		throw new IllegalStateException(
		"Cannot update service info: size is larger than safe parcelable limits.");
		}
		try {
		connection.setServiceInfo(mInfo);
		mInfo = null;

services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java

+4 −0

Original line number	Diff line number	Diff line
		@@ -478,6 +478,10 @@ abstract class AbstractAccessibilityServiceConnection extends IAccessibilityServ
		if (svcConnTracingEnabled()) {
		logTraceSvcConn("setServiceInfo", "info=" + info);
		}
		if (!info.isWithinParcelableSize()) {
		throw new IllegalStateException(
		"Cannot update service info: size is larger than safe parcelable limits.");
		}
		final long identity = Binder.clearCallingIdentity();
		try {
		synchronized (mLock) {