Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a8e2bf9c authored by Pranav Madapurmath's avatar Pranav Madapurmath
Browse files

Resolve cross-user image exploit for conference status hints 

Ensure that status hint image icon is validated for cross-user exploits.
Currently, there is no check for this so a conference call can display
an image from another user, exposing a vulnerability.

Bug: 329058967
Test: Manual with POC
Change-Id: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
Merged-In: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
parent 286781df

src/com/android/server/telecom/ConnectionServiceWrapper.java

+7 −0
Original line number Diff line number Diff line
@@ -136,10 +136,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements 
                ParcelableConference conference, Session.Info sessionInfo) {

            Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE,

                    mPackageAbbreviation);

            UserHandle callingUserHandle = Binder.getCallingUserHandle();

            long token = Binder.clearCallingIdentity();

            try {

                synchronized (mLock) {

                    logIncoming("handleCreateConferenceComplete %s", callId);

                    // Check status hints image for cross user access

                    if (conference.getStatusHints() != null) {

                        Icon icon = conference.getStatusHints().getIcon();

                        conference.getStatusHints().setIcon(StatusHints.

                                validateAccountIconUserBoundary(icon, callingUserHandle));

                    }

                    Call call = mCallIdMapper.getCall(callId);

                    if (mScheduledFutureMap.containsKey(call)) {

                        ScheduledFuture<?> existingTimeout = mScheduledFutureMap.get(call);