Fixing security vuln by tightening race condition window.
am: e92a8975f4
Change-Id: I1fb05a0ab32c3fab839fd3c0364f1b3fbc06e8ab
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 4432b56..5d505ae 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -691,6 +691,8 @@
const hidl_vec<uint8_t>& entropy, int uid,
int flags,
KeyCharacteristics* outCharacteristics) {
+ // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
+ uid_t originalUid = IPCThreadState::self()->getCallingUid();
uid = getEffectiveUid(uid);
KeyStoreServiceReturnCode rc =
checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
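Review bot: The new `originalUid` capture on the line after the TODO has no comment saying what it is for, and the TODO only names a bug id; a reader cannot tell from this hunk that it is meant to be compared against the caller's uid later in the function. I would add above it `// Snapshot the binder caller before uid is remapped by getEffectiveUid(); re-checked later so a caller identity that changed mid-call is rejected.` The enclosing function begins before this hunk (only the tail of its parameter list is visible), so the parameter documentation, if any, is out of view.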
@@ -703,7 +705,10 @@
}
if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) {
- if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED;
+ if (!checkBinderPermission(P_GEN_UNIQUE_ID) &&
+ originalUid != IPCThreadState::self()->getCallingUid()) {
+ return ResponseCode::PERMISSION_DENIED;
+ }
}
bool usingFallback = false;
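Review bot: The combined condition `!checkBinderPermission(P_GEN_UNIQUE_ID) && originalUid != IPCThreadState::self()->getCallingUid()` is weaker than the line it replaces: a caller that lacks P_GEN_UNIQUE_ID but whose calling uid is unchanged now falls through instead of getting PERMISSION_DENIED, which contradicts the commit's stated intent of tightening. If the intent is to deny when either the permission is missing or the caller identity changed since `originalUid` was taken, the operator should be `||`: `if (!checkBinderPermission(P_GEN_UNIQUE_ID) || originalUid != IPCThreadState::self()->getCallingUid()) {`. A short comment on the uid comparison, e.g. `// reject if the binder caller changed since entry`, would make the race-window check self-explanatory. The enclosing function continues past this hunk.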