commit 1adf4562e2990eff2d092ffb93d65594fe5c09a0
author Nazanin <nazaninb@google.com> Mon Mar 29 15:35:30 2021 -0700
committer Nazanin Bakhshi <nazaninb@google.com> Tue Apr 20 15:47:12 2021 +0000
tree 3801b4c6c419bede78b85f9bb9a7e9a9ad9b2088
parent 2d01a224c24225d308e0213888a2a113274f6016

Security fix: enforce read privilege permission to check package
privileges in PhoneInterfaceManager

Bug: 180938364
Test: cts
Change-Id: I03ae773fa76f2f23842eee0b7a9948ca474befc8

src/com/android/phone/CarrierConfigLoader.java

diff --git a/src/com/android/phone/CarrierConfigLoader.java b/src/com/android/phone/CarrierConfigLoader.java
index 2b91a24..54b1054 100644
--- a/src/com/android/phone/CarrierConfigLoader.java
+++ b/src/com/android/phone/CarrierConfigLoader.java
@@ -892,9 +892,15 @@
     /** Returns the package name of a priveleged carrier app, or null if there is none. */
     @Nullable
     private String getCarrierPackageForPhoneId(int phoneId) {
-        List<String> carrierPackageNames = TelephonyManager.from(mContext)
+        List<String> carrierPackageNames;
+        final long token = Binder.clearCallingIdentity();
+        try {
+            carrierPackageNames = TelephonyManager.from(mContext)
                 .getCarrierPackageNamesForIntentAndPhone(
-                        new Intent(CarrierService.CARRIER_SERVICE_INTERFACE), phoneId);
+                    new Intent(CarrierService.CARRIER_SERVICE_INTERFACE), phoneId);
+        } finally {
+            Binder.restoreCallingIdentity(token);
+        }
         if (carrierPackageNames != null && carrierPackageNames.size() > 0) {
             return carrierPackageNames.get(0);
         } else {