Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit df3584bb authored by Bishoy Gendy's avatar Bishoy Gendy
Browse files

Fix security vulnerability allowing apps to start from background 

Bug: 317048338
Test: Using the steps in b/317048338#comment12
Change-Id: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
(cherry picked from commit c5fc8ea9)
Merged-In: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
parent ffad8fe8

media/java/android/media/session/ParcelableListBinder.java

+11 −2
Original line number Original line Diff line number Diff line
@@ -45,6 +45,7 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
    private static final int END_OF_PARCEL = 0;

    private static final int END_OF_PARCEL = 0;

    private static final int ITEM_CONTINUED = 1;

    private static final int ITEM_CONTINUED = 1;





    private final Class<T> mListElementsClass;

    private final Consumer<List<T>> mConsumer;

    private final Consumer<List<T>> mConsumer;





    private final Object mLock = new Object();

    private final Object mLock = new Object();
@@ -61,9 +62,11 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
    /**

    /**

     * Creates an instance.

     * Creates an instance.

     *

     *

     * @param listElementsClass the class of the list elements.

     * @param consumer a consumer that consumes the list received

     * @param consumer a consumer that consumes the list received

     */

     */

    public ParcelableListBinder(@NonNull Consumer<List<T>> consumer) {

    public ParcelableListBinder(Class<T> listElementsClass, @NonNull Consumer<List<T>> consumer) {

        mListElementsClass = listElementsClass;

        mConsumer = consumer;

        mConsumer = consumer;

    }

    }
@@ -83,7 +86,13 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
                mCount = data.readInt();

                mCount = data.readInt();

            }

            }

            while (i < mCount && data.readInt() != END_OF_PARCEL) {

            while (i < mCount && data.readInt() != END_OF_PARCEL) {

                mList.add(data.readParcelable(null));

                Object object = data.readParcelable(null);

                if (mListElementsClass.isAssignableFrom(object.getClass())) {

                    // Checking list items are of compaitible types to validate against malicious

                    // apps calling it directly via reflection with non compilable items.

                    // See b/317048338 for more details

                    mList.add((T) object);

                }

                i++;

                i++;

            }

            }

            if (i >= mCount) {

            if (i >= mCount) {

services/core/java/com/android/server/media/MediaSessionRecord.java

+8 −6
Original line number Original line Diff line number Diff line
@@ -1095,7 +1095,9 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 




        @Override

        @Override

        public IBinder getBinderForSetQueue() throws RemoteException {

        public IBinder getBinderForSetQueue() throws RemoteException {

            return new ParcelableListBinder<QueueItem>((list) -> {

            return new ParcelableListBinder<QueueItem>(

                    QueueItem.class,

                    (list) -> {

                        synchronized (mLock) {

                        synchronized (mLock) {

                            mQueue = list;

                            mQueue = list;

                        }

                        }