Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit accb88c8 authored by Austin Borger's avatar Austin Borger Committed by Android (Google) Code Review
Browse files

Merge "Fix vulnerability in AttributionSource due to incorrect Binder call" into sc-dev

parents 5e82ca79 2fc07dea
Loading
Loading
Loading
Loading
+17 −3
Original line number Diff line number Diff line
@@ -30,6 +30,7 @@ import android.os.Parcelable;
import android.os.Process;
import android.permission.PermissionManager;
import android.util.ArraySet;
import android.util.Log;

import com.android.internal.annotations.Immutable;

@@ -86,6 +87,8 @@ import java.util.Set;
 */
@Immutable
public final class AttributionSource implements Parcelable {
    private static final String TAG = "AttributionSource";

    private static final String DESCRIPTOR = "android.content.AttributionSource";

    private static final Binder sDefaultToken = new Binder(DESCRIPTOR);
@@ -153,10 +156,21 @@ public final class AttributionSource implements Parcelable {
    AttributionSource(@NonNull Parcel in) {
        this(AttributionSourceState.CREATOR.createFromParcel(in));

        if (!Binder.isHandlingTransaction()) {
            Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #"
                    + mAttributionSourceState.pid + " when not handling Binder transaction; "
                    + "clearing.");
            mAttributionSourceState.pid = -1;
            mAttributionSourceState.uid = -1;
            mAttributionSourceState.packageName = null;
            mAttributionSourceState.attributionTag = null;
            mAttributionSourceState.next = null;
        } else {
            // Since we just unpacked this object as part of it transiting a Binder
            // call, this is the perfect time to enforce that its UID and PID can be trusted
            enforceCallingUidAndPid();
        }
    }

    /** @hide */
    public AttributionSource(@NonNull AttributionSourceState attributionSourceState) {