
Commit c8ec3929 authored by Louis Chang, committed by mse1969

Prevent activity token leaked to another process

Malicious app could register the organizer via one-way binder call
to disguise as running on pid 0.

Bug: 367266072
Bug: 446678690
Test: verified via the sample app
Flag: EXEMPT bugfix
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:61ab2b65caf855c48fdb4166f94e02bf79c90e7b
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:787be3fc17ac4d7970ef8eed7c2906653ec67df2
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:5b63716bff30adbf12a4236e8acdb70fb1a4fa72
Merged-In: I51378c7d2da06fb83670abd082a089cfd82d699d
Change-Id: I51378c7d2da06fb83670abd082a089cfd82d699d
parent 757bdf51
+6 −1
@@ -329,7 +329,7 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
            }

            final IBinder activityToken;
            if (activity.getPid() == mOrganizerPid) {
            if (activity.getPid() == mOrganizerPid && activity.getUid() == mOrganizerUid) {
                // We only pass the actual token if the activity belongs to the organizer process.
                activityToken = activity.token;
            } else {
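Review bot: The comment under the new condition still reads "We only pass the actual token if the activity belongs to the organizer process" and does not say why `activity.getUid() == mOrganizerUid` is now required in addition to the pid match. Since the commit message describes an organizer registered through a one-way binder call appearing as pid 0, a short comment here stating that the pid alone is not a trustworthy identity and that the uid must match as well would keep a later refactor from dropping the second comparison. The commit lists only "verified via the sample app" as its test; a unit test with an activity whose pid equals `mOrganizerPid` but whose uid differs, asserting that the real `activity.token` is not handed out, would lock this behaviour in.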
@@ -429,6 +429,11 @@ public class TaskFragmentOrganizerController extends ITaskFragmentOrganizerContr
                throw new IllegalStateException(
                        "Replacing existing organizer currently unsupported");
            }

            if (pid <= 0) {
                throw new IllegalStateException("Cannot register from invalid pid: " + pid);
            }

            mTaskFragmentOrganizerState.put(organizer.asBinder(),
                    new TaskFragmentOrganizerState(organizer, pid, uid));
            mPendingTaskFragmentEvents.put(organizer.asBinder(), new ArrayList<>());
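Review bot: The new `pid <= 0` guard throws `IllegalStateException`, the same type used just above for "Replacing existing organizer currently unsupported", although an invalid caller pid is a rejected caller rather than a bad controller state; `SecurityException` would describe it more accurately and be easier to tell apart in logs. Because the scenario in the commit message is a one-way binder call, the caller gets no reply and will not see this exception, so consider also logging the rejection together with the `uid` that is available at this point, so the attempt is visible on the system side. The guard has no comment explaining how a pid of 0 can arrive here; one line referencing the one-way call case would help, as would a unit test that registers with pid 0 and asserts that nothing is added to `mTaskFragmentOrganizerState`.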