
Commit e3f0ca01 authored by John Wu's avatar John Wu

Do not resolve ActivityInfo in navigateUpTo

During navigateUpTo, it will first resolve the activity before creating
the ActivityStarter. This bypasses the explicit intent filter
enforcement introduced in T, exposing a security flaw that allows
non-matching intents to be delivered to components.

Bug: 238602879
Test: atest CtsWindowManagerDeviceTestCases
Change-Id: I9aa3e27f753f2f809e74a8f421f8b68e4d610702
parent 9720e32d
+3 −2
@@ -8051,8 +8051,9 @@ public class Activity extends ContextThemeWrapper
                resultData.prepareToLeaveProcess(this);
            }
            upIntent.prepareToLeaveProcess(this);
            return ActivityClient.getInstance().navigateUpTo(mToken, upIntent, resultCode,
                    resultData);
            String resolvedType = upIntent.resolveTypeIfNeeded(getContentResolver());
            return ActivityClient.getInstance().navigateUpTo(mToken, upIntent, resolvedType,
                    resultCode, resultData);
        } else {
            return mParent.navigateUpToFromChild(this, upIntent);
        }
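Review bot: `upIntent.resolveTypeIfNeeded(getContentResolver())` is the one piece of resolution that still happens in the app process, and nothing on that line says why it is not left to the system side together with the component lookup; a comment such as `// Only the MIME type is resolved here; component resolution is left to ActivityStarter so intent-filter matching is enforced.` would keep the next reader from folding it back into a single client-side lookup. The call is placed after `upIntent.prepareToLeaveProcess(this)`, which is presumably intentional, but that ordering is worth confirming against the other start paths in this file. The enclosing navigateUpTo(...) begins outside the hunk.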
+3 −3
@@ -141,11 +141,11 @@ public class ActivityClient {
        }
    }

    boolean navigateUpTo(IBinder token, Intent destIntent, int resultCode,
    boolean navigateUpTo(IBinder token, Intent destIntent, String resolvedType, int resultCode,
            Intent resultData) {
        try {
            return getActivityClientController().navigateUpTo(token, destIntent, resultCode,
                    resultData);
            return getActivityClientController().navigateUpTo(token, destIntent, resolvedType,
                    resultCode, resultData);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
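Review bot: The new `resolvedType` parameter of `navigateUpTo` is undocumented, and nothing in ActivityClient says where it is meant to come from; since this wrapper only forwards it over binder, a Javadoc line above the signature such as `@param resolvedType MIME type of {@code destIntent} as resolved by the caller (see {@link Intent#resolveTypeIfNeeded}); may be null when the intent carries no type` would state the contract at the one place app-side code meets it. The method's closing brace lies outside the hunk.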
+2 −2
@@ -60,8 +60,8 @@ interface IActivityClientController {
            in SizeConfigurationBuckets sizeConfigurations);
    boolean moveActivityTaskToBack(in IBinder token, boolean nonRoot);
    boolean shouldUpRecreateTask(in IBinder token, in String destAffinity);
    boolean navigateUpTo(in IBinder token, in Intent target, int resultCode,
            in Intent resultData);
    boolean navigateUpTo(in IBinder token, in Intent target, in String resolvedType,
            int resultCode, in Intent resultData);
    boolean releaseActivityInstance(in IBinder token);
    boolean finishActivity(in IBinder token, int code, in Intent data, int finishTask);
    boolean finishActivityAffinity(in IBinder token);
+3 −3
@@ -332,8 +332,8 @@ class ActivityClientController extends IActivityClientController.Stub {
    }

    @Override
    public boolean navigateUpTo(IBinder token, Intent destIntent, int resultCode,
            Intent resultData) {
    public boolean navigateUpTo(IBinder token, Intent destIntent, String resolvedType,
            int resultCode, Intent resultData) {
        final ActivityRecord r;
        synchronized (mGlobalLock) {
            r = ActivityRecord.isInRootTaskLocked(token);
@@ -348,7 +348,7 @@ class ActivityClientController extends IActivityClientController.Stub {

        synchronized (mGlobalLock) {
            return r.getRootTask().navigateUpTo(
                    r, destIntent, destGrants, resultCode, resultData, resultGrants);
                    r, destIntent, resolvedType, destGrants, resultCode, resultData, resultGrants);
        }
    }

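Review bot: `resolvedType` arrives here straight from the calling app over binder and is forwarded to `r.getRootTask().navigateUpTo(...)` without any check or comment, and because this class is the system-side stub a reader may assume it has already been validated. A Javadoc sentence on the @Override, e.g. `resolvedType is caller-supplied; ActivityStarter uses it only as input to intent-filter matching and performs its own component resolution`, names the trust boundary at the point where it is crossed. The method ends at the hunk's closing brace, but its middle (where `destGrants` is presumably computed) is outside the visible hunks.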
+23 −28
@@ -5278,8 +5278,9 @@ class Task extends TaskFragment {
        return false;
    }

    boolean navigateUpTo(ActivityRecord srec, Intent destIntent, NeededUriGrants destGrants,
            int resultCode, Intent resultData, NeededUriGrants resultGrants) {
    boolean navigateUpTo(ActivityRecord srec, Intent destIntent, String resolvedType,
            NeededUriGrants destGrants, int resultCode, Intent resultData,
            NeededUriGrants resultGrants) {
        if (!srec.attachedToProcess()) {
            // Nothing to do if the caller is not attached, because this method should be called
            // from an alive activity.
@@ -5348,15 +5349,12 @@ class Task extends TaskFragment {

        if (parent != null && foundParentInTask) {
            final int callingUid = srec.info.applicationInfo.uid;
            try {
                ActivityInfo aInfo = AppGlobals.getPackageManager().getActivityInfo(
                        destIntent.getComponent(), ActivityManagerService.STOCK_PM_FLAGS,
                        srec.mUserId);
            // TODO(b/64750076): Check if calling pid should really be -1.
            final int res = mAtmService.getActivityStartController()
                    .obtainStarter(destIntent, "navigateUpTo")
                    .setResolvedType(resolvedType)
                    .setUserId(srec.mUserId)
                    .setCaller(srec.app.getThread())
                        .setActivityInfo(aInfo)
                    .setResultTo(parent.token)
                    .setIntentGrants(destGrants)
                    .setCallingPid(-1)
@@ -5372,9 +5370,6 @@ class Task extends TaskFragment {
                parent.finishIfPossible(resultCode, resultData, resultGrants,
                        "navigate-top", true /* oomAdj */);
            }
            } catch (RemoteException e) {
                foundParentInTask = false;
            }
        }
        Binder.restoreCallingIdentity(origId);
        return foundParentInTask;
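Review bot: Dropping the `try`/`catch (RemoteException e)` removes the only visible place where a failed lookup of `destIntent` turned into `foundParentInTask = false`; with component resolution now deferred to ActivityStarter, a destination the starter rejects under the intent-filter enforcement has to be reflected through `res` (assigned at `final int res = ...` but consumed outside the hunk), otherwise navigateUpTo could report success to the caller for a destination that was never started, so the lines between the two hunks are worth confirming. The reason the `.setActivityInfo(aInfo)` pre-resolution was removed lives only in the commit message; a comment at `.setResolvedType(resolvedType)` such as `// Do not pre-resolve the component here: ActivityStarter must resolve destIntent itself so intent-filter enforcement applies (b/238602879).` would stop it being reintroduced as an optimisation. The starter chain continues past `.setCallingPid(-1)` and the method's closing brace follows the last hunk.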