pa-fazil
/
android_packages_services_Telecomm
mirror of https://github.com/fazilsheik96/android_packages_services_Telecomm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Resolve cross-user image exploit for conference status hints 

Ensure that status hint image icon is validated for cross-user exploits.
Currently, there is no check for this so a conference call can display
an image from another user, exposing a vulnerability.

Bug: 329058967
Test: Manual with POC
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a8e2bf9c77cd94f683979c849015b78ef0537802)
Merged-In: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
Change-Id: Ib9d701398d25d021cdb9abacbaa5b175f62bee1d
This commit is contained in:
Pranav Madapurmath 2024-06-11 22:50:08 -07:00 committed by Fazil Sheik
parent 55a785a6b5
commit 797472ce3a
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/com/android/server/telecom/ConnectionServiceWrapper.java
View File

@ -154,10 +154,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
ParcelableConference conference, Session.Info sessionInfo) {
Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE,
mPackageAbbreviation);
UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
synchronized (mLock) {
logIncoming("handleCreateConferenceComplete %s", callId);
// Check status hints image for cross user access
if (conference.getStatusHints() != null) {
Icon icon = conference.getStatusHints().getIcon();
conference.getStatusHints().setIcon(StatusHints.
validateAccountIconUserBoundary(icon, callingUserHandle));
}
Call call = mCallIdMapper.getCall(callId);
if (mScheduledFutureMap.containsKey(call)) {
ScheduledFuture<?> existingTimeout = mScheduledFutureMap.get(call);