TextClassifier cross-user vulnerability in direct-reply

Sys UI runs on user 0. This can lead to the TextClassifier (TC) running for the wrong user. Consequencies are user A can launch apps in user B via the TC's predicted actions and selected text being unintentionally shared from user A to an app running in user B. This fix ensures that the correct user id is passed and verified for every TC request going across process boundaries (i.e. via SystemTC). - Sys UI sets the appropriate user id in the TextView - TextClassificationManager (TCM) system service is constructed using a context generated from this user id - SystemTC sets this user id before querying the TCMService - TCMService validates the user id before forwarding the request to the TCService belonging to that user id. Bug: 136483597 Test: atest android.view.textclassifier atest android.widget.TextViewActivityTest (manual) Verified according to steps in bug 123232892 Change-Id: I2fdffd8eb4221782cb1f34d2ddbe41dd3d36595c
author: Abodunrinwa Toki <toki@google.com> 2019-07-01 19:41:44 +0100
committer: Abodunrinwa Toki <toki@google.com> 2019-07-08 15:16:19 +0100
commit: e8492693c234853c76d19531dabea3aaa41970f3 (patch)
tree: 3346a787b877e6213d4d5548709f08494b302fcb /core/java/android/widget/TextView.java
parent: d6f8273add3ddfc9bf5aae45f0d826a2749a6a98 (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/core/java/android/widget/TextView.java b/core/java/android/widget/TextView.java
index 95cf9a914854..a4844eaa612c 100644
--- a/core/java/android/widget/TextView.java
+++ b/core/java/android/widget/TextView.java
@@ -11283,6 +11283,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
     }
 
     @Nullable
+    final TextClassificationManager getTextClassificationManagerForUser() {
+        return getServiceManagerForUser(
+                getContext().getPackageName(), TextClassificationManager.class);
+    }
+
+    @Nullable
     final <T> T getServiceManagerForUser(String packageName, Class<T> managerClazz) {
         if (mTextOperationUser == null) {
             return getContext().getSystemService(managerClazz);
@@ -12397,8 +12403,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
     @NonNull
     public TextClassifier getTextClassifier() {
         if (mTextClassifier == null) {
-            final TextClassificationManager tcm =
-                    mContext.getSystemService(TextClassificationManager.class);
+            final TextClassificationManager tcm = getTextClassificationManagerForUser();
             if (tcm != null) {
                 return tcm.getTextClassifier();
             }
@@ -12414,8 +12419,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
     @NonNull
     TextClassifier getTextClassificationSession() {
         if (mTextClassificationSession == null || mTextClassificationSession.isDestroyed()) {
-            final TextClassificationManager tcm =
-                    mContext.getSystemService(TextClassificationManager.class);
+            final TextClassificationManager tcm = getTextClassificationManagerForUser();
             if (tcm != null) {
                 final String widgetType;
                 if (isTextEditable()) {
author	Abodunrinwa Toki <toki@google.com>	2019-07-01 19:41:44 +0100
committer	Abodunrinwa Toki <toki@google.com>	2019-07-08 15:16:19 +0100
commit	e8492693c234853c76d19531dabea3aaa41970f3 (patch)
tree	3346a787b877e6213d4d5548709f08494b302fcb /core/java/android/widget/TextView.java
parent	d6f8273add3ddfc9bf5aae45f0d826a2749a6a98 (diff)