From e8492693c234853c76d19531dabea3aaa41970f3 Mon Sep 17 00:00:00 2001
From: Abodunrinwa Toki
Date: Mon, 1 Jul 2019 19:41:44 +0100
Subject: TextClassifier cross-user vulnerability in direct-reply
Sys UI runs on user 0. This can lead to the TextClassifier (TC) running for the wrong user. Consequencies are user A can launch apps in user B via the TC's predicted actions and selected text being unintentionally shared from user A to an app running in user B. This fix ensures that the correct user id is passed and verified for every TC request going across process boundaries (i.e. via SystemTC).
- Sys UI sets the appropriate user id in the TextView
- TextClassificationManager (TCM) system service is constructed using a context generated from this user id
- SystemTC sets this user id before querying the TCMService
- TCMService validates the user id before forwarding the request to the TCService belonging to that user id.
Bug: 136483597
Test: atest android.view.textclassifier atest android.widget.TextViewActivityTest (manual) Verified according to steps in bug 123232892
Change-Id: I2fdffd8eb4221782cb1f34d2ddbe41dd3d36595c
---
core/java/android/widget/TextView.java | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'core/java/android/widget/TextView.java')
diff --git a/core/java/android/widget/TextView.java b/core/java/android/widget/TextView.java
index 95cf9a914854..a4844eaa612c 100644
--- a/core/java/android/widget/TextView.java
+++ b/core/java/android/widget/TextView.java
@@ -11282,6 +11282,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
 return getServiceManagerForUser(getContext().getPackageName(), ClipboardManager.class);
 }
 
+ @Nullable
+ final TextClassificationManager getTextClassificationManagerForUser() {
+ return getServiceManagerForUser(
+ getContext().getPackageName(), TextClassificationManager.class);
+ }
+
 @Nullable
 final T getServiceManagerForUser(String packageName, Class managerClazz) {
 if (mTextOperationUser == null) {
@@ -12397,8 +12403,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
 @NonNull
 public TextClassifier getTextClassifier() {
 if (mTextClassifier == null) {
- final TextClassificationManager tcm =
- mContext.getSystemService(TextClassificationManager.class);
+ final TextClassificationManager tcm = getTextClassificationManagerForUser();
 if (tcm != null) {
 return tcm.getTextClassifier();
 }
@@ -12414,8 +12419,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
 @NonNull
 TextClassifier getTextClassificationSession() {
 if (mTextClassificationSession == null || mTextClassificationSession.isDestroyed()) {
- final TextClassificationManager tcm =
- mContext.getSystemService(TextClassificationManager.class);
+ final TextClassificationManager tcm = getTextClassificationManagerForUser();
 if (tcm != null) {
 final String widgetType;
 if (isTextEditable()) {
-- 
cgit v1.2.3
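Review bot: The new `getTextClassificationManagerForUser()` in the first hunk carries no comment stating the contract the rest of the patch depends on, namely that TextView code must obtain the manager through this helper and not through `mContext.getSystemService(...)`. I would add a Javadoc such as `/** Returns the TextClassificationManager for the text-operation user, or null if none can be obtained; never substitute mContext.getSystemService(). */`. The body of `getServiceManagerForUser` continues past the end of the hunk, so what it returns when `mTextOperationUser` is null, and under which conditions it returns null, cannot be read here; the comment should state both once confirmed.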
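Review bot: When `getTextClassificationManagerForUser()` returns null in `getTextClassifier()`, the `if (tcm != null)` block is skipped and the code reached next lies outside this hunk, so the diff does not show that the null path fails closed. For a cross-user fix that path should end in `TextClassifier.NO_OP` or an equivalent, never in a classifier obtained for the process's own user; a comment such as `// No manager for the text-operation user: fall through to a no-op classifier, never the process user's.` above the null check would pin that down. The same applies to the `if (tcm != null)` in `getTextClassificationSession()` in the next hunk. Separately, when `mTextClassifier` is non-null this method appears to return it without consulting the per-user manager, which deserves a sentence in the method's Javadoc.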
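Review bot: The cache check `mTextClassificationSession == null || mTextClassificationSession.isDestroyed()` in `getTextClassificationSession()` does not take the text-operation user into account, so a session created before `mTextOperationUser` is assigned or changed would presumably keep being returned for the earlier user. Whether the code that assigns `mTextOperationUser` destroys and clears the cached session is not visible in this diff; if it does not, it should, so that the next call rebuilds the session through `getTextClassificationManagerForUser()`. The method body continues past the end of the hunk. A regression test that sets the operation user after a session already exists and asserts that a fresh session is created would cover this.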