
Commit f5b75876 authored by Iván Budnik's avatar Iván Budnik

Enforce ComponentName belongs to caller app

Add checks that enforce ComponentName's package belongs to calling app
in MediaButtonReceiverHolder and MediaSessionRecord. This avoids
privileged execution of arbitrary code.

Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: Iac143d8bbc9422f3ca3f42f8c0154b9906ecd897
parent 1da0f88b
+7 −0
@@ -32,6 +32,7 @@ import android.os.Handler;
import android.os.PowerWhitelistManager;
import android.os.UserHandle;
import android.text.TextUtils;
import android.util.EventLog;
import android.util.Log;
import android.view.KeyEvent;

@@ -117,6 +118,12 @@ final class MediaButtonReceiverHolder {
        int componentType = getComponentType(pendingIntent);
        ComponentName componentName = getComponentName(pendingIntent, componentType);
        if (componentName != null) {
            if (!TextUtils.equals(componentName.getPackageName(), sessionPackageName)) {
                EventLog.writeEvent(0x534e4554, "238177121", -1, "");
                throw new IllegalArgumentException("ComponentName does not belong to "
                        + "sessionPackageName. sessionPackageName = " + sessionPackageName
                        + ", ComponentName pkg = " + componentName.getPackageName());
            }
            return new MediaButtonReceiverHolder(userId, pendingIntent, componentName,
                    componentType);
        }
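Review bot: The new package check sits inside the `if (componentName != null)` branch, so it is skipped whenever `getComponentName` returns null, and the code that handles that case lies after the end of this hunk. If a holder is still built from the PendingIntent on that path, it is accepted without any ownership check. The fallthrough therefore needs either the same enforcement or a comment explaining why it is safe, for example `// Unresolved component: no package check is possible here; <reason this path cannot reach another app's component>`. The check also trusts `sessionPackageName`, which is a parameter, so the method's Javadoc should state that callers must already have verified it against the calling app.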
+19 −0
@@ -50,6 +50,8 @@ import android.os.Process;
import android.os.RemoteException;
import android.os.ResultReceiver;
import android.os.SystemClock;
import android.text.TextUtils;
import android.util.EventLog;
import android.util.Log;
import android.view.KeyEvent;

@@ -914,6 +916,14 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
        @Override
        public void setMediaButtonReceiver(PendingIntent pi, String sessionPackageName)
                throws RemoteException {
            //mPackageName has been verified in MediaSessionService.enforcePackageName().
            if (!TextUtils.equals(sessionPackageName, mPackageName)) {
                EventLog.writeEvent(0x534e4554, "238177121", -1, "");
                throw new IllegalArgumentException("sessionPackageName name does not match "
                        + "package name provided to MediaSessionRecord. sessionPackageName = "
                        + sessionPackageName + ", pkg = "
                        + mPackageName);
            }
            final long token = Binder.clearCallingIdentity();
            try {
                if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
@@ -932,6 +942,15 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
        public void setMediaButtonBroadcastReceiver(ComponentName receiver) throws RemoteException {
            final long token = Binder.clearCallingIdentity();
            try {
                //mPackageName has been verified in MediaSessionService.enforcePackageName().
                if (receiver != null && !TextUtils.equals(
                        mPackageName, receiver.getPackageName())) {
                    EventLog.writeEvent(0x534e4554, "238177121", -1, "");
                    throw new IllegalArgumentException("receiver does not belong to "
                            + "package name provided to MediaSessionRecord. Pkg = " + mPackageName
                            + ", Receiver Pkg = " + receiver.getPackageName());
                }

                if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
                        != 0) {
                    return;
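Review bot: All three `EventLog.writeEvent(0x534e4554, "238177121", -1, "")` calls record -1 as the uid, so the logged event cannot attribute a rejected request to the app that sent it. In `setMediaButtonReceiver` the check runs before `Binder.clearCallingIdentity()`, so `Binder.getCallingUid()` could be logged there instead of -1. In `setMediaButtonBroadcastReceiver` the check sits inside the `try`, after the identity has been cleared; moving it above `final long token = Binder.clearCallingIdentity();` would match the other method and make the calling uid available for the log as well. The call in MediaButtonReceiverHolder carries the same -1, and there the uid would probably have to be passed in by the caller. Both method bodies continue past the end of their hunks.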