Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dfd7091a authored by Iván Budnik's avatar Iván Budnik Committed by Android Build Coastguard Worker
Browse files

Enforce MediaButtonReceiver ComponentName belongs to app 

Adds check that enforces ComponentName's package belongs to calling app.
This avoids privileged execution of arbitrary code through media button
events.

This is a partial revert revert of ag/19338169.

Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: I4aba866a9758366175ea4af0d434729ad98fa48d
(cherry picked from commit 1b2fa248)
Merged-In: I4aba866a9758366175ea4af0d434729ad98fa48d
(cherry picked from commit 863d396f)
(cherry picked from commit d07187b77899a5fe6dc0ad45e978435368132819)
Merged-In: I4aba866a9758366175ea4af0d434729ad98fa48d
parent 4d6872dd

services/core/java/com/android/server/media/MediaSessionRecord.java

+10 −0
Original line number Original line Diff line number Diff line
@@ -52,6 +52,8 @@ import android.os.Process; 
import android.os.RemoteException;

import android.os.RemoteException;

import android.os.ResultReceiver;

import android.os.ResultReceiver;

import android.os.SystemClock;

import android.os.SystemClock;

import android.text.TextUtils;

import android.util.EventLog;

import android.util.Log;

import android.util.Log;

import android.view.KeyEvent;

import android.view.KeyEvent;
@@ -955,6 +957,14 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 
        public void setMediaButtonBroadcastReceiver(ComponentName receiver) throws RemoteException {

        public void setMediaButtonBroadcastReceiver(ComponentName receiver) throws RemoteException {

            final long token = Binder.clearCallingIdentity();

            final long token = Binder.clearCallingIdentity();

            try {

            try {

                //mPackageName has been verified in MediaSessionService.enforcePackageName().

                if (receiver != null && !TextUtils.equals(

                        mPackageName, receiver.getPackageName())) {

                    EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging.

                    throw new IllegalArgumentException("receiver does not belong to "

                            + "package name provided to MediaSessionRecord. Pkg = " + mPackageName

                            + ", Receiver Pkg = " + receiver.getPackageName());

                }

                if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)

                if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)

                        != 0) {

                        != 0) {

                    return;

                    return;