Fix security vulnerability in getImeiForSlot.
Check the calling package identity before the other permission checks so
that a user can't use this method to figure out whether a package is
installed.
Bug: 185591473
Test: Manually use test app
Change-Id: I5824a008a73549a822aea187b4be6250c3c05fb3
diff --git a/src/com/android/phone/PhoneInterfaceManager.java b/src/com/android/phone/PhoneInterfaceManager.java
index 3b3b696..e5bc0e7 100755
--- a/src/com/android/phone/PhoneInterfaceManager.java
+++ b/src/com/android/phone/PhoneInterfaceManager.java
@@ -355,6 +355,7 @@
private ImsResolver mImsResolver;
private UserManager mUserManager;
private AppOpsManager mAppOps;
+ private PackageManager mPm;
private MainThreadHandler mMainThreadHandler;
private SubscriptionController mSubscriptionController;
private SharedPreferences mTelephonySharedPreferences;
@@ -2165,6 +2166,7 @@
mImsResolver = PhoneGlobals.getInstance().getImsResolver();
mUserManager = (UserManager) app.getSystemService(Context.USER_SERVICE);
mAppOps = (AppOpsManager)app.getSystemService(Context.APP_OPS_SERVICE);
+ mPm = app.getSystemService(PackageManager.class);
mMainThreadHandler = new MainThreadHandler();
mSubscriptionController = SubscriptionController.getInstance();
mTelephonySharedPreferences =
@@ -3102,6 +3104,7 @@
return null;
}
int subId = phone.getSubId();
+ enforceCallingPackage(callingPackage, Binder.getCallingUid(), "getImeiForSlot");
if (!TelephonyPermissions.checkCallingOrSelfReadDeviceIdentifiers(mApp, subId,
callingPackage, callingFeatureId, "getImeiForSlot")) {
return null;
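Review bot: The ownership check added ahead of `checkCallingOrSelfReadDeviceIdentifiers` relies on `mPm.getPackageUid(callingPackage, 0)` in `enforceCallingPackage`, which appears to resolve the package for the user the phone process runs as, whereas `Binder.getCallingUid()` carries the caller's own user id. If so, a legitimate caller in a secondary user or work profile would hit a uid mismatch and a SecurityException; resolving for the caller's user, e.g. `packageUid = mPm.getPackageUidAsUser(callingPackage, UserHandle.getUserId(callingUid));`, would avoid that, and it is worth a multi-user test since the commit lists only a manual one. The helper's catch comment could also record why not-found and wrong-owner are deliberately collapsed: `// Treat an unknown package like a foreign one so the exception does not reveal whether it is installed.` getImeiForSlot starts and ends outside this hunk.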
@@ -3247,6 +3250,24 @@
//
/**
+ * Make sure the caller is the calling package itself
+ *
+ * @throws SecurityException if the caller is not the calling package
+ */
+ private void enforceCallingPackage(String callingPackage, int callingUid, String message) {
+ int packageUid = -1;
+ try {
+ packageUid = mPm.getPackageUid(callingPackage, 0);
+ } catch (PackageManager.NameNotFoundException e) {
+ // packageUid is -1
+ }
+ if (packageUid != callingUid) {
+ throw new SecurityException(message + ": Package " + callingPackage
+ + " does not belong to " + callingUid);
+ }
+ }
+
+ /**
* Make sure the caller has the MODIFY_PHONE_STATE permission.
*
* @throws SecurityException if the caller does not have the required permission