Fix vulnerability that allowed attackers to start arbitary

activities Test: atest DreamServiceTest Test: flashed device and verified dream settings works as expected Fixes: 242845514 Change-Id: I6e90e3a0d513dceb7d7f5c59d6807ebe164c5716
author: Lucas Silva <lusilva@google.com> 2022-08-30 15:29:11 -0400
committer: Lucas Silva <lusilva@google.com> 2022-08-31 11:10:21 -0400
commit: 2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70 (patch)
tree: 89e8f9713e29043948dc82f2bdae604ad1f78480 /core/java
parent: b2f2546b5bb555a56dc36bdc887bee0f52a2cef0 (diff)
1 files changed, 17 insertions, 3 deletions
diff --git a/core/java/android/service/dreams/DreamService.java b/core/java/android/service/dreams/DreamService.java
index 2d461c6cf92e..75155383855b 100644
--- a/core/java/android/service/dreams/DreamService.java
+++ b/core/java/android/service/dreams/DreamService.java
@@ -22,6 +22,7 @@ import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.annotation.SdkConstant;
 import android.annotation.SdkConstant.SdkConstantType;
+import android.annotation.TestApi;
 import android.app.Activity;
 import android.app.ActivityTaskManager;
 import android.app.AlarmManager;
@@ -1124,7 +1125,8 @@ public class DreamService extends Service implements Window.Callback {
      * @hide
      */
     @Nullable
-    public static DreamMetadata getDreamMetadata(Context context,
+    @TestApi
+    public static DreamMetadata getDreamMetadata(@NonNull Context context,
             @Nullable ServiceInfo serviceInfo) {
         if (serviceInfo == null) return null;
 
@@ -1183,7 +1185,8 @@ public class DreamService extends Service implements Window.Callback {
         }
     }
 
-    private static ComponentName convertToComponentName(String flattenedString,
+    @Nullable
+    private static ComponentName convertToComponentName(@Nullable String flattenedString,
             ServiceInfo serviceInfo) {
         if (flattenedString == null) {
             return null;
@@ -1193,7 +1196,17 @@ public class DreamService extends Service implements Window.Callback {
             return new ComponentName(serviceInfo.packageName, flattenedString);
         }
 
-        return ComponentName.unflattenFromString(flattenedString);
+        // Ensure that the component is from the same package as the dream service. If not,
+        // treat the component as invalid and return null instead.
+        final ComponentName cn = ComponentName.unflattenFromString(flattenedString);
+        if (cn == null) return null;
+        if (!cn.getPackageName().equals(serviceInfo.packageName)) {
+            Log.w(TAG,
+                    "Inconsistent package name in component: " + cn.getPackageName()
+                            + ", should be: " + serviceInfo.packageName);
+            return null;
+        }
+        return cn;
     }
 
     /**
@@ -1489,6 +1502,7 @@ public class DreamService extends Service implements Window.Callback {
      *
      * @hide
      */
+    @TestApi
     public static final class DreamMetadata {
         @Nullable
         public final ComponentName settingsActivity;
author	Lucas Silva <lusilva@google.com>	2022-08-30 15:29:11 -0400
committer	Lucas Silva <lusilva@google.com>	2022-08-31 11:10:21 -0400
commit	2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70 (patch)
tree	89e8f9713e29043948dc82f2bdae604ad1f78480 /core/java
parent	b2f2546b5bb555a56dc36bdc887bee0f52a2cef0 (diff)