Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9f623983 authored by Hao Ke's avatar Hao Ke
Browse files

Fix checkKeyIntentParceledCorrectly's bypass 

The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly  only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call.

This CL did the following:

- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null.

Bug: 260567867
Bug: 262230405
Test: local test, see b/262230405
Test: atest CtsAccountManagerTestCases
Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477
parent a7dce649

services/core/java/com/android/server/accounts/AccountManagerService.java

+9 −6
Original line number Diff line number Diff line
@@ -3429,8 +3429,7 @@ public class AccountManagerService 
            Bundle.setDefusable(result, true);

            mNumResults++;

            Intent intent = null;

            if (result != null

                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {

            if (result != null) {

                if (!checkKeyIntent(

                        Binder.getCallingUid(),

                        result)) {
@@ -4789,8 +4788,10 @@ public class AccountManagerService 
            	EventLog.writeEvent(0x534e4554, "250588548", authUid, "");

                return false;

            }



            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);

            if (intent == null) {

                return true;

            }

            // Explicitly set an empty ClipData to ensure that we don't offer to

            // promote any Uris contained inside for granting purposes

            if (intent.getClipData() == null) {
@@ -4843,7 +4844,10 @@ public class AccountManagerService 
            p.recycle();

            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);

            Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);

            return (intent.filterEquals(simulateIntent));

            if (intent == null) {

                return (simulateIntent == null);

            }

            return intent.filterEquals(simulateIntent);

        }



        private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
@@ -4988,8 +4992,7 @@ public class AccountManagerService 
                    }

                }

            }

            if (result != null

                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {

            if (result != null) {

                if (!checkKeyIntent(

                        Binder.getCallingUid(),

                        result)) {