
Commit bc2c4155 authored by Winson

Fix permission equality check

Class name is not unique, and only defines the name of the permission in XML.
Package name must be included in the comparison, otherwise it's possible
to override a permission's attributes.

Test: verify vulnerability with test apps requesting privileged permission
Test: verify fixed with patch

Bug: 141854898

Change-Id: I3ede88b3b8395e78ddee0508a86381d63472ffde
parent f3c1392b
+10 −18
@@ -115,6 +115,12 @@ public final class BasePermission {
        protectionLevel = PermissionInfo.PROTECTION_SIGNATURE;
    }

    @Override
    public String toString() {
        return "BasePermission{" + Integer.toHexString(System.identityHashCode(this)) + " " + name
                + "}";
    }

    public String getName() {
        return name;
    }
@@ -170,7 +176,8 @@ public final class BasePermission {
        if (this.perm == null) {
            return false;
        }
        return Objects.equals(this.perm.className, perm.className);
        return Objects.equals(this.perm.getPackageName(), perm.getPackageName())
                && Objects.equals(this.perm.className, perm.className);
    }

    public boolean isDynamic() {
@@ -406,7 +413,8 @@ public final class BasePermission {
            r.append("DUP:");
            r.append(p.getName());
        }
        if (bp.perm != null && Objects.equals(bp.perm.className, p.className)) {
        if (bp.perm != null && Objects.equals(bp.perm.getPackageName(), p.getPackageName())
                && Objects.equals(bp.perm.className, p.className)) {
            bp.protectionLevel = p.protectionLevel;
        }
        if (PackageManagerService.DEBUG_PACKAGE_SCANNING && r != null) {
@@ -643,20 +651,4 @@ public final class BasePermission {
        }
        return true;
    }

    @Override
    public String toString() {
        return "BasePermission{" +
                "name='" + name + '\'' +
                ", type=" + type +
                ", sourcePackageName='" + sourcePackageName + '\'' +
                ", sourcePackageSetting=" + sourcePackageSetting +
                ", protectionLevel=" + protectionLevel +
                ", perm=" + perm +
                ", pendingPermissionInfo=" + pendingPermissionInfo +
                ", uid=" + uid +
                ", gids=" + Arrays.toString(gids) +
                ", perUser=" + perUser +
                '}';
    }
}
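Review bot: The package-and-class identity test is now written out inline twice, in the `return` of the second hunk and in the `if (bp.perm != null && ...)` condition of the third, and the old lines show that both copies compared only `className`. Moving the comparison into one private helper on `BasePermission` whose body is `Objects.equals(a.getPackageName(), b.getPackageName()) && Objects.equals(a.className, b.className)` would keep the two sites from drifting apart again; both enclosing methods start outside the visible hunks, so their signatures are not shown here. The helper should carry the reasoning from the commit message as a comment, for example `// className is only the permission's XML name and is not unique; the declaring package must match too`. The commit message describes verification with test apps only, so a regression test checking that a same-named permission from a different package cannot overwrite `protectionLevel` appears to be missing from this change.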