Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d136e51a authored by Jeff Sharkey's avatar Jeff Sharkey
Browse files

Defuse Bundles parsed by the system process. 

It's easy for apps to throw custom Parcelables into Bundles, but
if the system tries peeking inside one of these Bundles, it triggers
a BadParcelableException.  If that Bundle was passed away from the
Binder thread that delivered it into the system, we end up with a
nasty runtime restart.

This change mitigates this trouble by "defusing" any Bundles parsed by
the system server.  That is, if it encounters BadParcelableException
while unpacking a Bundle, it logs and delivers an empty Bundle as
the result.

Simultaneously, to help catch the system process sticking its
fingers into Bundles that are destined for other processes, a Bundle
now tracks if it's "defusable."  For example, any Intents delivered
through ActivityThread are marked as being defusable, since they've
arrived at their final destination.  Any other Bundles are considered
to be "in transit" and we log if the system tries unparceling them.

Merges several Parcel boolean fields into a flags int.  Add better
docs to several classes.

Bug: 27581063
Change-Id: I28cf3e7439503b5dc9a429bafae5eb48f21f0d93
parent 08e59364

core/java/android/app/ActivityOptions.java

+4 −0
Original line number Diff line number Diff line
@@ -710,6 +710,10 @@ public class ActivityOptions { 


    /** @hide */

    public ActivityOptions(Bundle opts) {

        // If the remote side sent us bad parcelables, they won't get the

        // results they want, which is their loss.

        opts.setDefusable(true);



        mPackageName = opts.getString(KEY_PACKAGE_NAME);

        try {

            mUsageTimeReport = opts.getParcelable(KEY_USAGE_TIME_REPORT);

core/java/android/app/ContextImpl.java

+6 −1
Original line number Diff line number Diff line
@@ -1332,9 +1332,14 @@ class ContextImpl extends Context { 
            }

        }

        try {

            return ActivityManagerNative.getDefault().registerReceiver(

            final Intent intent = ActivityManagerNative.getDefault().registerReceiver(

                    mMainThread.getApplicationThread(), mBasePackageName,

                    rd, filter, broadcastPermission, userId);

            if (intent != null) {

                intent.setExtrasClassLoader(getClassLoader());

                intent.prepareToEnterProcess();

            }

            return intent;

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        }

core/java/android/app/LoadedApk.java

+3 −0
Original line number Diff line number Diff line
@@ -913,6 +913,8 @@ public final class LoadedApk { 
                mDispatcher = new WeakReference<LoadedApk.ReceiverDispatcher>(rd);

                mStrongRef = strong ? rd : null;

            }



            @Override

            public void performReceive(Intent intent, int resultCode, String data,

                    Bundle extras, boolean ordered, boolean sticky, int sendingUser) {

                LoadedApk.ReceiverDispatcher rd = mDispatcher.get();
@@ -996,6 +998,7 @@ public final class LoadedApk { 
                try {

                    ClassLoader cl =  mReceiver.getClass().getClassLoader();

                    intent.setExtrasClassLoader(cl);

                    intent.prepareToEnterProcess();

                    setExtrasClassLoader(cl);

                    receiver.setPendingResult(this);

                    receiver.onReceive(mContext, intent);

core/java/android/content/ClipData.java

+11 −0
Original line number Diff line number Diff line
@@ -836,6 +836,17 @@ public class ClipData implements Parcelable { 
        }

    }



    /** {@hide} */

    public void prepareToEnterProcess() {

        final int size = mItems.size();

        for (int i = 0; i < size; i++) {

            final Item item = mItems.get(i);

            if (item.mIntent != null) {

                item.mIntent.prepareToEnterProcess();

            }

        }

    }



    /** @hide */

    public void fixUris(int contentUserHint) {

        final int size = mItems.size();

core/java/android/content/Intent.java

+19 −1
Original line number Diff line number Diff line
@@ -6037,13 +6037,20 @@ public class Intent implements Parcelable, Cloneable { 
        return mExtras != null && mExtras.hasFileDescriptors();

    }



    /** @hide */

    /** {@hide} */

    public void setAllowFds(boolean allowFds) {

        if (mExtras != null) {

            mExtras.setAllowFds(allowFds);

        }

    }



    /** {@hide} */

    public void setDefusable(boolean defusable) {

        if (mExtras != null) {

            mExtras.setDefusable(defusable);

        }

    }



    /**

     * Retrieve extended data from the intent.

     *
@@ -8938,6 +8945,17 @@ public class Intent implements Parcelable, Cloneable { 
     * @hide

     */

    public void prepareToEnterProcess() {

        // We just entered destination process, so we should be able to read all

        // parcelables inside.

        setDefusable(true);



        if (mSelector != null) {

            mSelector.prepareToEnterProcess();

        }

        if (mClipData != null) {

            mClipData.prepareToEnterProcess();

        }



        if (mContentUserHint != UserHandle.USER_CURRENT) {

            if (UserHandle.getAppId(Process.myUid()) != Process.SYSTEM_UID) {

                fixUris(mContentUserHint);