Commit ae81043a authored by Jeff Chang

Fix security bug for startActivityInTaskFragment

A malicious application uses startActivityInTaskFragment to launch
an activity from the background in case the setting application is in
the foreground. System allows activity to start if the realCallingUid
has a visible window from
ActivityStarter#shouldAbortBackgroundActivityStart. For this case,
resolving the caller’s realCallingUid is a system uid while using the
Binder.getCallingUid() after clearCallingIdentity(). If the setting
app is in the foreground, that makes the system believe there is a
visible window now and allows the background activity to start.

This CL passes in the caller realCallingUid/Pid for activity starter
instead of using Binder.getCallingUid() after clearCallingIdentity()
to fix.

Bug: 230493191
Test: atest WmTests:TaskFragmentOrganizerControllerTest
      1. Install the PoC APP and open it.
      2. open the Settings APP and then check if the activity has
      started.
Change-Id: I8b427de13eac760924bf5a2e7975a60b202a559c
parent b8b3d5e1
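
The identity mix-up the commit message describes, as an added example that is not part of this commit or of AOSP: a simplified Java model showing the UID read after clearCallingIdentity() beside the UID captured before it. `FakeBinder`, `startAllowed`, the UID `10123` and the visible-window set are hypothetical stand-ins, and Settings is assumed to run under the system UID.

```java
import java.util.Set;

// Simplified model, not AOSP code: FakeBinder stands in for android.os.Binder.
public class RealCallingUidDemo {
    static final int SYSTEM_UID = 1000;  // value of Process.SYSTEM_UID on Android
    static final int APP_UID = 10123;    // constructed UID of a background app

    static final class FakeBinder {
        private static int callingUid = APP_UID;  // identity of the incoming call
        static int getCallingUid() { return callingUid; }
        // Like Binder.clearCallingIdentity(): identity becomes the local process.
        static long clearCallingIdentity() {
            long token = callingUid;
            callingUid = SYSTEM_UID;
            return token;
        }
        static void restoreCallingIdentity(long token) { callingUid = (int) token; }
    }

    // UIDs that currently own a visible window. Assumption of this model:
    // Settings runs under the system UID and is in the foreground.
    static final Set<Integer> VISIBLE_WINDOW_UIDS = Set.of(SYSTEM_UID);

    // Stand-in for the visible-window branch of the background-start check.
    static boolean startAllowed(int realCallingUid) {
        return VISIBLE_WINDOW_UIDS.contains(realCallingUid);
    }

    // Before: the UID is read after the identity was cleared, so it is SYSTEM_UID.
    static boolean startInTaskFragmentBefore() {
        long token = FakeBinder.clearCallingIdentity();
        try { return startAllowed(FakeBinder.getCallingUid()); }
        finally { FakeBinder.restoreCallingIdentity(token); }
    }

    // After: the UID is captured at the Binder entry point and passed down.
    static boolean startInTaskFragmentAfter() {
        int realCallingUid = FakeBinder.getCallingUid();
        long token = FakeBinder.clearCallingIdentity();
        try { return startAllowed(realCallingUid); }
        finally { FakeBinder.restoreCallingIdentity(token); }
    }

    public static void main(String[] args) {
        System.out.println("before fix allowed: " + startInTaskFragmentBefore());
        System.out.println("after fix allowed:  " + startInTaskFragmentAfter());
    }
}
```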