
Unverified Commit cc6c7828 authored by Vishnu Nair's avatar Vishnu Nair Committed by Michael Bestas

Validate originating process for transferTouchGesture API

Addresses a security vulnerability where a malicious process could
potentially steal an active touch gesture from its host or embedded
process. The fix ensures that the requester is the owner of the
InputTransferToken. This adds an additional verification on top of
the existing association checks between the transferFrom and
transferTo processes.

Flag: EXEMPT security fix
Bug: 364037868
Test: presubmit
Change-Id: I2654ccab807a62a341c8af69bf64bb33e56c4252
parent da8d0448
+10 −2
@@ -178,22 +178,30 @@ class EmbeddedWindowController {
        return true;
        return true;
    }
    }


    boolean transferToHost(@NonNull InputTransferToken embeddedWindowToken,
    boolean transferToHost(int callingUid, @NonNull InputTransferToken embeddedWindowToken,
            @NonNull WindowState transferToHostWindowState) {
            @NonNull WindowState transferToHostWindowState) {
        EmbeddedWindow ew = getByInputTransferToken(embeddedWindowToken);
        EmbeddedWindow ew = getByInputTransferToken(embeddedWindowToken);
        if (!isValidTouchGestureParams(transferToHostWindowState, ew)) {
        if (!isValidTouchGestureParams(transferToHostWindowState, ew)) {
            return false;
            return false;
        }
        }
        if (callingUid != ew.mOwnerUid) {
            throw new SecurityException(
                    "Transfer request must originate from owner of transferFromToken");
        }
        return mInputManagerService.transferTouchGesture(ew.getInputChannelToken(),
        return mInputManagerService.transferTouchGesture(ew.getInputChannelToken(),
                transferToHostWindowState.mInputChannelToken);
                transferToHostWindowState.mInputChannelToken);
    }
    }


    boolean transferToEmbedded(WindowState hostWindowState,
    boolean transferToEmbedded(int callingUid, WindowState hostWindowState,
            @NonNull InputTransferToken transferToToken) {
            @NonNull InputTransferToken transferToToken) {
        final EmbeddedWindowController.EmbeddedWindow ew = getByInputTransferToken(transferToToken);
        final EmbeddedWindowController.EmbeddedWindow ew = getByInputTransferToken(transferToToken);
        if (!isValidTouchGestureParams(hostWindowState, ew)) {
        if (!isValidTouchGestureParams(hostWindowState, ew)) {
            return false;
            return false;
        }
        }
        if (callingUid != hostWindowState.mOwnerUid) {
            throw new SecurityException(
                    "Transfer request must originate from owner of transferFromToken");
        }
        return mInputManagerService.transferTouchGesture(hostWindowState.mInputChannelToken,
        return mInputManagerService.transferTouchGesture(hostWindowState.mInputChannelToken,
                ew.getInputChannelToken());
                ew.getInputChannelToken());
    }
    }
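Review bot: The two new ownership checks read `ew.mOwnerUid` in transferToHost and `hostWindowState.mOwnerUid` in transferToEmbedded, so they are safe only if isValidTouchGestureParams() has already rejected a null `ew` and a null window state. That helper's body is outside this hunk, and `hostWindowState` is the one parameter here without `@NonNull`. If the helper does guarantee this, a comment above each check such as `// ew and the window state are non-null here: isValidTouchGestureParams() rejected null above` would stop a later refactor from turning an unauthorized request into a NullPointerException instead of a SecurityException. The new `callingUid` parameter should also be documented as the Binder caller's uid, captured by the caller before identity is cleared. The comparison is per-uid, so it presumably does not separate processes that share a uid, which is worth stating if intended.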
+7 −2
@@ -9081,6 +9081,8 @@ public class WindowManagerService extends IWindowManager.Stub
        final InputApplicationHandle applicationHandle;
        final InputApplicationHandle applicationHandle;
        final String name;
        final String name;
        Objects.requireNonNull(outInputChannel);
        Objects.requireNonNull(outInputChannel);
        Objects.requireNonNull(inputTransferToken);

        synchronized (mGlobalLock) {
        synchronized (mGlobalLock) {
            WindowState hostWindowState = hostInputTransferToken != null
            WindowState hostWindowState = hostInputTransferToken != null
                    ? mInputToWindowMap.get(hostInputTransferToken.mToken) : null;
                    ? mInputToWindowMap.get(hostInputTransferToken.mToken) : null;
@@ -9105,6 +9107,7 @@ public class WindowManagerService extends IWindowManager.Stub
        Objects.requireNonNull(transferFromToken);
        Objects.requireNonNull(transferFromToken);
        Objects.requireNonNull(transferToToken);
        Objects.requireNonNull(transferToToken);


        final int callingUid = Binder.getCallingUid();
        final long identity = Binder.clearCallingIdentity();
        final long identity = Binder.clearCallingIdentity();
        boolean didTransfer;
        boolean didTransfer;
        try {
        try {
@@ -9114,11 +9117,13 @@ public class WindowManagerService extends IWindowManager.Stub
                // represents an embedded window so transfer from host to embedded.
                // represents an embedded window so transfer from host to embedded.
                WindowState windowStateTo = mInputToWindowMap.get(transferToToken.mToken);
                WindowState windowStateTo = mInputToWindowMap.get(transferToToken.mToken);
                if (windowStateTo != null) {
                if (windowStateTo != null) {
                    didTransfer = mEmbeddedWindowController.transferToHost(transferFromToken,
                    didTransfer = mEmbeddedWindowController.transferToHost(callingUid,
                            transferFromToken,
                            windowStateTo);
                            windowStateTo);
                } else {
                } else {
                    WindowState windowStateFrom = mInputToWindowMap.get(transferFromToken.mToken);
                    WindowState windowStateFrom = mInputToWindowMap.get(transferFromToken.mToken);
                    didTransfer = mEmbeddedWindowController.transferToEmbedded(windowStateFrom,
                    didTransfer = mEmbeddedWindowController.transferToEmbedded(callingUid,
                            windowStateFrom,
                            transferToToken);
                            transferToToken);
                }
                }
            }
            }
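Review bot: In the hunk at new line 9107, `Binder.getCallingUid()` is correct only because it sits on the line before `Binder.clearCallingIdentity()`, and nothing in the code says so. Once identity is cleared, the same call reports the service's own uid, and the owner check in EmbeddedWindowController would compare against the wrong principal. I would add `// Capture before clearCallingIdentity(): afterwards getCallingUid() reports this process, not the requester.` above it. The SecurityException from transferToHost/transferToEmbedded now propagates out of the `try`, and the code that restores `identity` is outside this hunk, so confirm it runs in a `finally`. The enclosing method starts and ends outside the visible hunks.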