Fix security vulnerability issue for multi user call redirections. am: 799347b6f6 (30b8bcaf) · Commits · e / os / android_packages_services_Telecomm

src/com/android/server/telecom/CallsManager.java

+15 −4

Original line number	Diff line number	Diff line
		@@ -2091,6 +2091,16 @@ public class CallsManager extends Call.ListenerBase
		boolean endEarly = false;
		String disconnectReason = "";
		String callRedirectionApp = mRoleManagerAdapter.getDefaultCallRedirectionApp();
		PhoneAccount phoneAccount = mPhoneAccountRegistrar
		.getPhoneAccountUnchecked(phoneAccountHandle);
		if (phoneAccount != null
		&& !phoneAccount.hasCapabilities(PhoneAccount.CAPABILITY_MULTI_USER)) {
		// Check if the phoneAccountHandle belongs to the current user
		if (phoneAccountHandle != null &&
		!phoneAccountHandle.getUserHandle().equals(call.getInitiatingUser())) {
		phoneAccountHandle = null;
		}
		}

		boolean isPotentialEmergencyNumber;
		try {
		@@ -2125,9 +2135,9 @@ public class CallsManager extends Call.ListenerBase
		endEarly = true;
		disconnectReason = "Null handle from Call Redirection Service";
		} else if (phoneAccountHandle == null) {
		Log.w(this, "onCallRedirectionComplete: phoneAccountHandle is null");
		Log.w(this, "onCallRedirectionComplete: phoneAccountHandle is unavailable");
		endEarly = true;
		disconnectReason = "Null phoneAccountHandle from Call Redirection Service";
		disconnectReason = "Unavailable phoneAccountHandle from Call Redirection Service";
		} else if (isPotentialEmergencyNumber) {
		Log.w(this, "onCallRedirectionComplete: emergency number %s is redirected from Call"
		+ " Redirection Service", handle.getSchemeSpecificPart());
		@@ -2148,6 +2158,7 @@ public class CallsManager extends Call.ListenerBase
		return;
		}

		final PhoneAccountHandle finalPhoneAccountHandle = phoneAccountHandle;
		if (uiAction.equals(CallRedirectionProcessor.UI_TYPE_USER_DEFINED_ASK_FOR_CONFIRM)) {
		Log.addEvent(call, LogUtils.Events.REDIRECTION_USER_CONFIRMATION);
		mPendingRedirectedOutgoingCall = call;
		@@ -2157,7 +2168,7 @@ public class CallsManager extends Call.ListenerBase
		@Override
		public void loggedRun() {
		Log.addEvent(call, LogUtils.Events.REDIRECTION_USER_CONFIRMED);
		call.setTargetPhoneAccount(phoneAccountHandle);
		call.setTargetPhoneAccount(finalPhoneAccountHandle);
		placeOutgoingCall(call, handle, gatewayInfo, speakerphoneOn,
		videoState);
		}
		@@ -2167,7 +2178,7 @@ public class CallsManager extends Call.ListenerBase
		new Runnable("CM.oCRC", mLock) {
		@Override
		public void loggedRun() {
		call.setTargetPhoneAccount(phoneAccountHandle);
		call.setTargetPhoneAccount(finalPhoneAccountHandle);
		placeOutgoingCall(call, handle, null, speakerphoneOn,
		videoState);
		}

tests/src/com/android/server/telecom/tests/CallsManagerTest.java

+22 −3

Original line number	Diff line number	Diff line
		@@ -37,7 +37,6 @@ import static org.mockito.Mockito.doReturn;
		import static org.mockito.Mockito.mock;
		import static org.mockito.Mockito.never;
		import static org.mockito.Mockito.reset;
		import static org.mockito.Mockito.spy;
		import static org.mockito.Mockito.timeout;
		import static org.mockito.Mockito.times;
		import static org.mockito.Mockito.verify;
		@@ -57,7 +56,7 @@ import android.os.UserHandle;
		import android.telecom.CallerInfo;
		import android.telecom.Connection;
		import android.telecom.DisconnectCause;
		import android.telecom.Log;
		import android.telecom.GatewayInfo;
		import android.telecom.PhoneAccount;
		import android.telecom.PhoneAccountHandle;
		import android.telecom.TelecomManager;
		@@ -77,7 +76,6 @@ import com.android.server.telecom.CallDiagnosticServiceController;
		import com.android.server.telecom.CallState;
		import com.android.server.telecom.CallerInfoLookupHelper;
		import com.android.server.telecom.CallsManager;
		import com.android.server.telecom.CallsManagerListenerBase;
		import com.android.server.telecom.ClockProxy;
		import com.android.server.telecom.ConnectionServiceFocusManager;
		import com.android.server.telecom.ConnectionServiceFocusManager.ConnectionServiceFocusManagerFactory;
		@@ -133,8 +131,12 @@ import java.util.concurrent.TimeUnit;
		@RunWith(JUnit4.class)
		public class CallsManagerTest extends TelecomTestCase {
		private static final int TEST_TIMEOUT = 5000; // milliseconds
		private static final int SECONDARY_USER_ID = 12;
		private static final PhoneAccountHandle SIM_1_HANDLE = new PhoneAccountHandle(
		ComponentName.unflattenFromString("com.foo/.Blah"), "Sim1");
		private static final PhoneAccountHandle SIM_1_HANDLE_SECONDARY = new PhoneAccountHandle(
		ComponentName.unflattenFromString("com.foo/.Blah"), "Sim1",
		new UserHandle(SECONDARY_USER_ID));
		private static final PhoneAccountHandle SIM_2_HANDLE = new PhoneAccountHandle(
		ComponentName.unflattenFromString("com.foo/.Blah"), "Sim2");
		private static final PhoneAccountHandle CONNECTION_MGR_1_HANDLE = new PhoneAccountHandle(
		@@ -1676,6 +1678,23 @@ public class CallsManagerTest extends TelecomTestCase {
		new UserHandle(90210)));
		}

		@SmallTest
		@Test
		public void testCrossUserCallRedirectionEndEarlyForIncapablePhoneAccount() {
		when(mPhoneAccountRegistrar.getPhoneAccountUnchecked(eq(SIM_1_HANDLE_SECONDARY)))
		.thenReturn(SIM_1_ACCOUNT);
		mCallsManager.onUserSwitch(UserHandle.SYSTEM);

		Call callSpy = addSpyCall(CallState.NEW);
		mCallsManager.onCallRedirectionComplete(callSpy, TEST_ADDRESS, SIM_1_HANDLE_SECONDARY,
		new GatewayInfo("foo", TEST_ADDRESS2, TEST_ADDRESS), true /* speakerphoneOn */,
		VideoProfile.STATE_AUDIO_ONLY, false /* shouldCancelCall /, "" / uiAction */);

		ArgumentCaptor<String> argumentCaptor = ArgumentCaptor.forClass(String.class);
		verify(callSpy).disconnect(argumentCaptor.capture());
		assertTrue(argumentCaptor.getValue().contains("Unavailable phoneAccountHandle"));
		}

		private Call addSpyCall() {
		return addSpyCall(SIM_2_HANDLE, CallState.ACTIVE);
		}