Enforce ComponentName belongs to caller app
Add checks that enforce ComponentName's package belongs to calling app
in MediaButtonReceiverHolder and MediaSessionRecord. This avoids
privileged execution of arbitrary code.
Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: Iac143d8bbc9422f3ca3f42f8c0154b9906ecd897
(cherry picked from commit f5b75876def5bc973df4590ebd4ea67591afc2be)
Merged-In: Iac143d8bbc9422f3ca3f42f8c0154b9906ecd897
diff --git a/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java b/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
index 9a19031..6759d79 100644
--- a/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
+++ b/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
@@ -32,6 +32,7 @@
import android.os.PowerWhitelistManager;
import android.os.UserHandle;
import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import android.view.KeyEvent;
@@ -117,6 +118,12 @@
int componentType = getComponentType(pendingIntent);
ComponentName componentName = getComponentName(pendingIntent, componentType);
if (componentName != null) {
+ if (!TextUtils.equals(componentName.getPackageName(), sessionPackageName)) {
+ EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+ throw new IllegalArgumentException("ComponentName does not belong to "
+ + "sessionPackageName. sessionPackageName = " + sessionPackageName
+ + ", ComponentName pkg = " + componentName.getPackageName());
+ }
return new MediaButtonReceiverHolder(userId, pendingIntent, componentName,
componentType);
}
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index 604e8f3..b8131a8 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
@@ -52,6 +52,8 @@
import android.os.RemoteException;
import android.os.ResultReceiver;
import android.os.SystemClock;
+import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import android.view.KeyEvent;
@@ -938,6 +940,14 @@
@Override
public void setMediaButtonReceiver(PendingIntent pi, String sessionPackageName)
throws RemoteException {
+ //mPackageName has been verified in MediaSessionService.enforcePackageName().
+ if (!TextUtils.equals(sessionPackageName, mPackageName)) {
+ EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+ throw new IllegalArgumentException("sessionPackageName name does not match "
+ + "package name provided to MediaSessionRecord. sessionPackageName = "
+ + sessionPackageName + ", pkg = "
+ + mPackageName);
+ }
final long token = Binder.clearCallingIdentity();
try {
if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
@@ -956,6 +966,15 @@
public void setMediaButtonBroadcastReceiver(ComponentName receiver) throws RemoteException {
final long token = Binder.clearCallingIdentity();
try {
+ //mPackageName has been verified in MediaSessionService.enforcePackageName().
+ if (receiver != null && !TextUtils.equals(
+ mPackageName, receiver.getPackageName())) {
+ EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+ throw new IllegalArgumentException("receiver does not belong to "
+ + "package name provided to MediaSessionRecord. Pkg = " + mPackageName
+ + ", Receiver Pkg = " + receiver.getPackageName());
+ }
+
if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
!= 0) {
return;