author | Bishoy Gendy <bishoygendy@google.com> | 2024-04-11 16:37:10 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-05-14 05:40:20 +0000 |
commit | 23265610e3906b160736a49b10bd389485fdb80c (patch) | |
tree | b836e5f31f573645b0f602dcd5827a74330cc308 | |
parent | 516b41eee1abfc1b4bed00479443a6ef1b29a94c (diff) |
Fix security vulnerability allowing apps to start from background
Bug: 317048338
Test: Using the steps in b/317048338#comment12
(cherry picked from commit c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df3584bb93ab89d7e174f7d39e42d4b22cb92fe0)
Merged-In: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
Change-Id: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
-rw-r--r-- | media/java/android/media/session/ParcelableListBinder.java | 13 | ||||
-rw-r--r-- | services/core/java/com/android/server/media/MediaSessionRecord.java | 14 |
2 files changed, 19 insertions, 8 deletions
diff --git a/media/java/android/media/session/ParcelableListBinder.java b/media/java/android/media/session/ParcelableListBinder.java
index bbf1e0889b68..d78828462b1e 100644
--- a/media/java/android/media/session/ParcelableListBinder.java
+++ b/media/java/android/media/session/ParcelableListBinder.java
@@ -45,6 +45,7 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
 private static final int END_OF_PARCEL = 0;
 private static final int ITEM_CONTINUED = 1;
+ private final Class<T> mListElementsClass;
 private final Consumer<List<T>> mConsumer;
 private final Object mLock = new Object();
@@ -61,9 +62,11 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
 /**
 * Creates an instance.
 *
+ * @param listElementsClass the class of the list elements.
 * @param consumer a consumer that consumes the list received
 */
- public ParcelableListBinder(@NonNull Consumer<List<T>> consumer) {
+ public ParcelableListBinder(Class<T> listElementsClass, @NonNull Consumer<List<T>> consumer) {
+ mListElementsClass = listElementsClass;
 mConsumer = consumer;
 }
@@ -83,7 +86,13 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
 mCount = data.readInt();
 }
 while (i < mCount && data.readInt() != END_OF_PARCEL) {
- mList.add(data.readParcelable(null));
+ Object object = data.readParcelable(null);
+ if (mListElementsClass.isAssignableFrom(object.getClass())) {
+ // Checking list items are of compaitible types to validate against malicious
+ // apps calling it directly via reflection with non compilable items.
+ // See b/317048338 for more details
+ mList.add((T) object);
+ }
 i++;
 }
 if (i >= mCount) {
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index 4084462d3f28..4ff83b296a2a 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
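Review bot: The new `listElementsClass` parameter in the constructor hunk (`@@ -61,9 +62,11 @@`) carries no nullness annotation or check, unlike `consumer` next to it. A null passed here would only surface later, when the read loop dereferences `mListElementsClass` while handling a transaction. I would declare it as `@NonNull Class<T> listElementsClass` and assign with `mListElementsClass = Objects.requireNonNull(listElementsClass);`, which needs `java.util.Objects` imported if the file does not already have it.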
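Review bot: In the read loop (`@@ -83,7 +86,13 @@`), `object.getClass()` throws a NullPointerException whenever `readParcelable(null)` returns null, which is a valid encoding for a list element; the old code added the null to the list instead. `if (mListElementsClass.isInstance(object)) {` is null-safe, and `mList.add(mListElementsClass.cast(object));` removes the unchecked `(T)` cast. The type check also runs only after the parcel has been unmarshalled into whatever class the sender named, so if this branch has the typed `Parcel.readParcelable(ClassLoader, Class)` overload, that would be the tighter guard. In the added comment, "compaitible" and "non compilable" presumably mean "compatible" and "incompatible". The enclosing method starts and ends outside the hunk.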
@@ -1197,12 +1197,14 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
 @Override
 public IBinder getBinderForSetQueue() throws RemoteException {
- return new ParcelableListBinder<QueueItem>((list) -> {
- synchronized (mLock) {
- mQueue = list;
- }
- mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
- });
+ return new ParcelableListBinder<QueueItem>(
+ QueueItem.class,
+ (list) -> {
+ synchronized (mLock) {
+ mQueue = list;
+ }
+ mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
+ });
 }
 @Override |