Resolve cross-user image exploit for conference status hints
Ensure that status hint image icon is validated for cross-user exploits.
Currently, there is no check for this so a conference call can display
an image from another user, exposing a vulnerability.
Bug: 329058967
Test: Manual with POC
Change-Id: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
Merged-In: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java
index e4d1ecd..7802e08 100644
--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java
+++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java
@@ -136,10 +136,17 @@
ParcelableConference conference, Session.Info sessionInfo) {
Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE,
mPackageAbbreviation);
+ UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
synchronized (mLock) {
logIncoming("handleCreateConferenceComplete %s", callId);
+ // Check status hints image for cross user access
+ if (conference.getStatusHints() != null) {
+ Icon icon = conference.getStatusHints().getIcon();
+ conference.getStatusHints().setIcon(StatusHints.
+ validateAccountIconUserBoundary(icon, callingUserHandle));
+ }
Call call = mCallIdMapper.getCall(callId);
if (mScheduledFutureMap.containsKey(call)) {
ScheduledFuture<?> existingTimeout = mScheduledFutureMap.get(call);