diff options
| author | Dichen Zhang <dichenzhang@google.com> | 2020-03-12 12:25:09 -0700 | 
|---|---|---|
| committer | Dichen Zhang <dichenzhang@google.com> | 2020-03-25 17:05:43 -0700 | 
| commit | 23c04c6f62f26809488d6f1710689fc408e03160 (patch) | |
| tree | 21f03bfc734810428f1555e54667bc560d98c417 /graphics/java/android/renderscript/ProgramStore.java | |
| parent | e6dddc99898fe5da4d24e6c3caf6e93386da5b2c (diff) | |
Fix command injection on screencap
There is a potential injection by using screencap in case of user handled parameters.
"dumpstate" command launches "screencap", when "-p" is argument is set. At that moment, content of "-o" parameter generates a path with ".png" extension to define "screencap" argument.
"dumpstate" is often run as a service with "root" privileged such as defined in "dumpstate.rc". For instance "bugreportz" call "ctl.start" property with "dumpstatez".
Launching "dumpstate" with "-p" option and a user input as "-o" would result in a root command execution. SE Linux might protect part of this attack.
Cherry-pick from ag/10651695 with fix ag/10700515
Bug: 123230379
Test: please see commands #4 and #5
Change-Id: Icd88cdf4af153e07addb4449cdb117b1a3c881d3
Diffstat (limited to 'graphics/java/android/renderscript/ProgramStore.java')
0 files changed, 0 insertions, 0 deletions
