Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9c4fc215 authored by Grace Jia's avatar Grace Jia Committed by Android Build Coastguard Worker
Browse files

Fix security vulnerability issue for multi user call redirections. 

Currently we won't check if the PhoneAccountHandle provided by a
CallRedirectionService has multi-user capability or belong to the same
user as the current user. Add the check and disconnect the call if this
is an unexpected cross-user call redirection.

Bug: 235098883
Test: CallsManagerTest, manual test with test app provided in
b/235098883.

Change-Id: Ia8b9468aa2bb8e3157c227e2617ff6a52e0af119
Merged-In: Ia8b9468aa2bb8e3157c227e2617ff6a52e0af119
(cherry picked from commit f29ab7e1)
(cherry picked from commit 735b84a9)
(cherry picked from commit b425d3f69f264b42be66c354709a40772398d5fa)
Merged-In: Ia8b9468aa2bb8e3157c227e2617ff6a52e0af119
parent 03bf117d

src/com/android/server/telecom/CallsManager.java

+15 −4
Original line number Diff line number Diff line
@@ -2091,6 +2091,16 @@ public class CallsManager extends Call.ListenerBase 
        boolean endEarly = false;

        String disconnectReason = "";

        String callRedirectionApp = mRoleManagerAdapter.getDefaultCallRedirectionApp();

        PhoneAccount phoneAccount = mPhoneAccountRegistrar

                .getPhoneAccountUnchecked(phoneAccountHandle);

        if (phoneAccount != null

                && !phoneAccount.hasCapabilities(PhoneAccount.CAPABILITY_MULTI_USER)) {

            // Check if the phoneAccountHandle belongs to the current user

            if (phoneAccountHandle != null &&

                    !phoneAccountHandle.getUserHandle().equals(mCurrentUserHandle)) {

                phoneAccountHandle = null;

            }

        }



        boolean isPotentialEmergencyNumber;

        try {
@@ -2125,9 +2135,9 @@ public class CallsManager extends Call.ListenerBase 
            endEarly = true;

            disconnectReason = "Null handle from Call Redirection Service";

        } else if (phoneAccountHandle == null) {

            Log.w(this, "onCallRedirectionComplete: phoneAccountHandle is null");

            Log.w(this, "onCallRedirectionComplete: phoneAccountHandle is unavailable");

            endEarly = true;

            disconnectReason = "Null phoneAccountHandle from Call Redirection Service";

            disconnectReason = "Unavailable phoneAccountHandle from Call Redirection Service";

        } else if (isPotentialEmergencyNumber) {

            Log.w(this, "onCallRedirectionComplete: emergency number %s is redirected from Call"

                    + " Redirection Service", handle.getSchemeSpecificPart());
@@ -2148,6 +2158,7 @@ public class CallsManager extends Call.ListenerBase 
            return;

        }



        final PhoneAccountHandle finalPhoneAccountHandle = phoneAccountHandle;

        if (uiAction.equals(CallRedirectionProcessor.UI_TYPE_USER_DEFINED_ASK_FOR_CONFIRM)) {

            Log.addEvent(call, LogUtils.Events.REDIRECTION_USER_CONFIRMATION);

            mPendingRedirectedOutgoingCall = call;
@@ -2157,7 +2168,7 @@ public class CallsManager extends Call.ListenerBase 
                        @Override

                        public void loggedRun() {

                            Log.addEvent(call, LogUtils.Events.REDIRECTION_USER_CONFIRMED);

                            call.setTargetPhoneAccount(phoneAccountHandle);

                            call.setTargetPhoneAccount(finalPhoneAccountHandle);

                            placeOutgoingCall(call, handle, gatewayInfo, speakerphoneOn,

                                    videoState);

                        }
@@ -2167,7 +2178,7 @@ public class CallsManager extends Call.ListenerBase 
                    new Runnable("CM.oCRC", mLock) {

                        @Override

                        public void loggedRun() {

                            call.setTargetPhoneAccount(phoneAccountHandle);

                            call.setTargetPhoneAccount(finalPhoneAccountHandle);

                            placeOutgoingCall(call, handle, null, speakerphoneOn,

                                    videoState);

                        }

tests/src/com/android/server/telecom/tests/CallsManagerTest.java

+22 −3
Original line number Diff line number Diff line
@@ -37,7 +37,6 @@ import static org.mockito.Mockito.doReturn; 
import static org.mockito.Mockito.mock;

import static org.mockito.Mockito.never;

import static org.mockito.Mockito.reset;

import static org.mockito.Mockito.spy;

import static org.mockito.Mockito.timeout;

import static org.mockito.Mockito.times;

import static org.mockito.Mockito.verify;
@@ -57,7 +56,7 @@ import android.os.UserHandle; 
import android.telecom.CallerInfo;

import android.telecom.Connection;

import android.telecom.DisconnectCause;

import android.telecom.Log;

import android.telecom.GatewayInfo;

import android.telecom.PhoneAccount;

import android.telecom.PhoneAccountHandle;

import android.telecom.TelecomManager;
@@ -77,7 +76,6 @@ import com.android.server.telecom.CallDiagnosticServiceController; 
import com.android.server.telecom.CallState;

import com.android.server.telecom.CallerInfoLookupHelper;

import com.android.server.telecom.CallsManager;

import com.android.server.telecom.CallsManagerListenerBase;

import com.android.server.telecom.ClockProxy;

import com.android.server.telecom.ConnectionServiceFocusManager;

import com.android.server.telecom.ConnectionServiceFocusManager.ConnectionServiceFocusManagerFactory;
@@ -133,8 +131,12 @@ import java.util.concurrent.TimeUnit; 
@RunWith(JUnit4.class)

public class CallsManagerTest extends TelecomTestCase {

    private static final int TEST_TIMEOUT = 5000;  // milliseconds

    private static final int SECONDARY_USER_ID = 12;

    private static final PhoneAccountHandle SIM_1_HANDLE = new PhoneAccountHandle(

            ComponentName.unflattenFromString("com.foo/.Blah"), "Sim1");

    private static final PhoneAccountHandle SIM_1_HANDLE_SECONDARY = new PhoneAccountHandle(

            ComponentName.unflattenFromString("com.foo/.Blah"), "Sim1",

            new UserHandle(SECONDARY_USER_ID));

    private static final PhoneAccountHandle SIM_2_HANDLE = new PhoneAccountHandle(

            ComponentName.unflattenFromString("com.foo/.Blah"), "Sim2");

    private static final PhoneAccountHandle CONNECTION_MGR_1_HANDLE = new PhoneAccountHandle(
@@ -1676,6 +1678,23 @@ public class CallsManagerTest extends TelecomTestCase { 
                new UserHandle(90210)));

    }



    @SmallTest

    @Test

    public void testCrossUserCallRedirectionEndEarlyForIncapablePhoneAccount() {

        when(mPhoneAccountRegistrar.getPhoneAccountUnchecked(eq(SIM_1_HANDLE_SECONDARY)))

                .thenReturn(SIM_1_ACCOUNT);

        mCallsManager.onUserSwitch(UserHandle.SYSTEM);



        Call callSpy = addSpyCall(CallState.NEW);

        mCallsManager.onCallRedirectionComplete(callSpy, TEST_ADDRESS, SIM_1_HANDLE_SECONDARY,

                new GatewayInfo("foo", TEST_ADDRESS2, TEST_ADDRESS), true /* speakerphoneOn */,

                VideoProfile.STATE_AUDIO_ONLY, false /* shouldCancelCall */, "" /* uiAction */);



        ArgumentCaptor<String> argumentCaptor = ArgumentCaptor.forClass(String.class);

        verify(callSpy).disconnect(argumentCaptor.capture());

        assertTrue(argumentCaptor.getValue().contains("Unavailable phoneAccountHandle"));

    }



    private Call addSpyCall() {

        return addSpyCall(SIM_2_HANDLE, CallState.ACTIVE);

    }