Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a0755747 authored by Yohei Yukawa's avatar Yohei Yukawa
Browse files

Hardening token validation in InputMethodManagerService 

This CL adds missing token validations in
InputMethodManagerService#switchToNextInputMethod and
InputMethodManagerService#shouldOfferSwitchingToNextInputMethod.

This CL also fixes a possible race condition when validating
the token in InputMethodManagerService#updateStatusIcon.

BUG: 15420379
Change-Id: I043aa30a19c821f33effd57dfd6590b0e3ed817b
parent 43eb1012

services/core/java/com/android/server/InputMethodManagerService.java

+18 −6
Original line number Diff line number Diff line
@@ -1442,15 +1442,15 @@ public class InputMethodManagerService extends IInputMethodManager.Stub 


    @Override

    public void updateStatusIcon(IBinder token, String packageName, int iconId) {

        int uid = Binder.getCallingUid();

        long ident = Binder.clearCallingIdentity();

        try {

            synchronized (mMethodMap) {

                if (!calledWithValidToken(token)) {

                    final int uid = Binder.getCallingUid();

                    Slog.e(TAG, "Ignoring updateStatusIcon due to an invalid token. uid:" + uid

                            + " token:" + token);

                    return;

                }

            synchronized (mMethodMap) {

                if (iconId == 0) {

                    if (DEBUG) Slog.d(TAG, "hide the small icon for the input method");

                    if (mStatusBar != null) {
@@ -2202,6 +2202,12 @@ public class InputMethodManagerService extends IInputMethodManager.Stub 
            return false;

        }

        synchronized (mMethodMap) {

            if (!calledWithValidToken(token)) {

                final int uid = Binder.getCallingUid();

                Slog.e(TAG, "Ignoring switchToNextInputMethod due to an invalid token. uid:" + uid

                        + " token:" + token);

                return false;

            }

            final ImeSubtypeListItem nextSubtype = mSwitchingController.getNextInputMethodLocked(

                    onlyCurrentIme, mMethodMap.get(mCurMethodId), mCurrentSubtype);

            if (nextSubtype == null) {
@@ -2219,6 +2225,12 @@ public class InputMethodManagerService extends IInputMethodManager.Stub 
            return false;

        }

        synchronized (mMethodMap) {

            if (!calledWithValidToken(token)) {

                final int uid = Binder.getCallingUid();

                Slog.e(TAG, "Ignoring shouldOfferSwitchingToNextInputMethod due to an invalid "

                        + "token. uid:" + uid + " token:" + token);

                return false;

            }

            final ImeSubtypeListItem nextSubtype = mSwitchingController.getNextInputMethodLocked(

                    false /* onlyCurrentIme */, mMethodMap.get(mCurMethodId), mCurrentSubtype);

            if (nextSubtype == null) {