diff options
| author | Dichen Zhang <dichenzhang@google.com> | 2020-03-12 12:25:09 -0700 |
|---|---|---|
| committer | Dichen Zhang <dichenzhang@google.com> | 2020-03-26 00:09:21 +0000 |
| commit | eab2d8c0463dc29e594d6422a5610b729adce14b (patch) | |
| tree | 05fc5029f97362668375819302137edddecb3a60 /rs/java/android/renderscript/ProgramFragmentFixedFunction.java | |
| parent | 56e3510bda83985780e89b60c5ebcce458731933 (diff) | |
Fix command injection on screencap
There is a potential injection by using screencap in case of user handled parameters.
"dumpstate" command launches "screencap", when "-p" is argument is set. At that moment, content of "-o" parameter generates a path with ".png" extension to define "screencap" argument.
"dumpstate" is often run as a service with "root" privileged such as defined in "dumpstate.rc". For instance "bugreportz" call "ctl.start" property with "dumpstatez".
Launching "dumpstate" with "-p" option and a user input as "-o" would result in a root command execution. SE Linux might protect part of this attack.
Cherry-pick from ag/10651695 with fix ag/10700515
Bug: 123230379
Test: please see commands #4 and #5
Change-Id: Icd88cdf4af153e07addb4449cdb117b1a3c881d3
Diffstat (limited to 'rs/java/android/renderscript/ProgramFragmentFixedFunction.java')
0 files changed, 0 insertions, 0 deletions