Security Patches :D #1
Open: Meghthedev wants to merge 234 commits into CipherOS:eleven from CipherOS-Revived:eleven
When a ConnectionService returns a null binding, immediately unbind from the ConnectionService and cancel any ongoing calls related to it. Bug: 211114016 Test: Added new CTS test to verify auto unbind from null binding ConnectionService. Test: Manually tested using test app which implements null binding ConnectionService and verified via telecom log inspection that the service is unbound and the call is terminated. Change-Id: I0757557e66725dddfd871cd9857071a8749bd7ba (cherry picked from commit 410ce026004bb485c39afcc7d86e89d26ff1af94) Merged-In: I0757557e66725dddfd871cd9857071a8749bd7ba
Change-Id: I36419f755963520cb8d52541d4e8aba49fb6c416
bug: 209814693 Bug: 217934478 Test: CTS Change-Id: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af (cherry picked from commit eb3394e3a8e21cd07c4f7a7ad43494ba14a8cbf4) Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af
Change-Id: Icc41f882f32f32ed311499c1adf9f196d236d3f0
…ge_android-security-11.0.0_r55 Android Security 11.0.0 Release 55 (8287685) * tag 'android-security-11.0.0_r55': Handle null bindings returned from ConnectionService. Change-Id: Ie5aae76cf1144e5bbc0c58bd7cf9758ddda2a76e
…ce.com/platform/packages/services/Telecomm into staging/lineage-18.1_merge_android-security-11.0.0_r56 Android Security 11.0.0 Release 56 (8528208) * tag 'android-security-11.0.0_r56' of https://android.googlesource.com/platform/packages/services/Telecomm: limit TelecomManager#registerPhoneAccount to 10 Change-Id: Ia1385e921c74cc734156a9fb4b1c0a0f974de62e
It was shown that given a large phoneAccountHandles that are over 1 mb, a TransactionTooLarge exception can be silently thrown causing an empty list to be returned. In order to prevent this behavior, all Lists that return a PhoneAccountHandle or PhoneAccount have been switched to ParceledListSlice. bug: 236263294 Test: atest android.telecom.cts.PhoneAccountRegistrarTest #testRegisterPhoneAccountHandleWithFieldOverLimit Change-Id: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 (cherry picked from commit 9f8c7709457c8c898760f556049aefafc62cf907) Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015
Fix security vulnerability issue for multi user call redirections. Currently we won't check if the PhoneAccountHandle provided by a CallRedirectionService has multi-user capability or belongs to the same user as the current user. Add the check and disconnect the call if this is an unexpected cross-user call redirection. Bug: 235098883 Test: CallsManagerTest, manual test with test app provided in b/235098883. Change-Id: Ia8b9468aa2bb8e3157c227e2617ff6a52e0af119 Merged-In: Ia8b9468aa2bb8e3157c227e2617ff6a52e0af119 (cherry picked from commit f29ab7e1ec0e480e2d39d289d5aa3fc95aed2142) (cherry picked from commit 256ef21f54f70e5b3d32058806ceeff546d7e07a) Merged-In: Ia8b9468aa2bb8e3157c227e2617ff6a52e0af119
…ase. Change-Id: I6de9285d94f4399d72dcda96929dd0d5b89ca72d
Hide any system alert window overlays when the screen that lets the user enable/disable phone accounts is shown. Test: Manual test with overlay shown from test app; verify that the overlay is hidden when the phone account selection screen is opened. Bug: 246933359 Change-Id: Ia0209d57ee9a672cde4196076845d77941dc3f68 (cherry picked from commit a7d57ace5819c4eef340aaf6744ad441d0369035) Merged-In: Ia0209d57ee9a672cde4196076845d77941dc3f68
Change-Id: I775f7cff16fce2c42d05a71e2594271657134960
…ce.com/platform/packages/services/Telecomm into staging/lineage-18.1_merge_android-security-11.0.0_r61 Android security 11.0.0 release 61 * tag 'android-security-11.0.0_r61' of https://android.googlesource.com/platform/packages/services/Telecomm: DO NOT MERGE Fix security vulnerability issue for multi user call redirections. switch TelecomManager List getters to ParceledListSlice Change-Id: Icd5c6d1cd6eb09180b6ea52ae1bd3235e335c569
Currently if the registered self-managed phone account is updated to a call provider phone account, the enable state will be directly copied to the updated one so that a malicious app can perform a call spoofing attack without any permission requirements. Fix this by disallowing changing a self-managed phone account to a managed phone account. Bug: 246930197 Test: CtsTelecomTestCases:SelfManagedConnectionSreviceTest Change-Id: I8f7984cd491632b3219133044438b82ca4dec80e Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e (cherry picked from commit 833dd8480adc773e36d388521a14fd8cd11d6a30) Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e
Change-Id: I496fc02afebfb6775c7ffab1186eefe5eed78313
…ce.com/platform/packages/services/Telecomm into staging/lineage-18.1_merge_android-security-11.0.0_r62 Android Security 11.0.0 Release 62 (9269287) * tag 'android-security-11.0.0_r62' of https://android.googlesource.com/platform/packages/services/Telecomm: Hide overlay windows when showing phone account enable/disable screen. Change-Id: I7ab1e54b576ca1883d038eb8e95dab4308c781cf
…ce.com/platform/packages/services/Telecomm into staging/lineage-18.1_merge_android-security-11.0.0_r63 Android security 11.0.0 release 63 * tag 'android-security-11.0.0_r63' of https://android.googlesource.com/platform/packages/services/Telecomm: Fix security vulnerability when register phone accounts. Change-Id: If17392ccccd35dddf679cf8043fcf09e69ed7762
… onBind. Currently, we do not unbind the call screening service when a null service is returned from onBind when placing MO calls. CallScreeningServiceHelper (MO) now overrides onNullBinding to ensure future completion and that we unbind the service after. Similarly, we need to unbind the service in onServiceDisconnected. CallScreeningServiceFilter (MT) has also been updated to ensure we unbind in places when we know that the connection should not exist. Also, there is a timeout in CallScreeningServiceHelper. This does not require a call to unbind the service because CallScreeningAdapter also places a call to unbind the service in onScreeningResponse. We would risk having duplicate calls to unbind the service, which would cause a fatal exception. This is demonstrated by the existing CTS tests, namely, ThirdPartyCallScreeningServiceTest.java. Bug: 252762941 Test: Manual (no breakage in existing flow), CTS for MO/MT cases Change-Id: Ia5b62bb93dc666b6b8b8daccb8ef41eb55dde7ea Merged-In: Ia5b62bb93dc666b6b8b8daccb8ef41eb55dde7ea (cherry picked from commit 14927c6f0b4154ee31dc4e339ea4a692f73ad2e0) Merged-In: Ia5b62bb93dc666b6b8b8daccb8ef41eb55dde7ea
Add checks in Telecom so content uris are not processed Bug: 257030107 Test: atest NewOutgoingCallIntentBroadcasterTest Test: adb shell am start -a android.intent.action.CALL -d tel:xxx Change-Id: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414 Merged-In: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414 (cherry picked from commit 9636518478fb887dd1834c0433eb3a71eb72faaf) Merged-In: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414
…24930', 'googleplex-android-review.googlesource.com/20660096'] into security-aosp-rvc-release. Change-Id: I8d92e217f8024175d3cb1b7b90a0910821f5f9d6
- include disable accounts when looking up accounts for a package to check if the limit is reached (10) - put a new limit of 10 supported schemes - put a new limit of 256 characters per scheme - put a new limit of 256 characters per address - ensure the Icon can write to memory w/o an exception bug: 259064622 bug: 256819769 Test: cts + unit Change-Id: I5eb2a127a44d5ec725d0ba39cb0ef478b12013de Merged-In: I5eb2a127a44d5ec725d0ba39cb0ef478b12013de (cherry picked from commit on googleplex-android-review.googlesource.com host: 56ef9e15506f71ae555a4535d5c0ac9bd3f587f1) Merged-In: I5eb2a127a44d5ec725d0ba39cb0ef478b12013de
…20805'] into security-aosp-rvc-release. Change-Id: I6447fca426a504d03c96050f86d385067af98956
…ce.com/platform/packages/services/Telecomm into staging/lineage-18.1_merge_android-security-11.0.0_r66 Android Security 11.0.0 Release 66 (9682389) * tag 'android-security-11.0.0_r66' of https://android.googlesource.com/platform/packages/services/Telecomm: DO NOT MERGE do not process content uri in call Intents Ensure service unbind when receiving a null call screening service in onBind. Change-Id: Ie07614b071a9fa5564edc6ee74f85d4b6d435fa8
Change-Id: I228cbdd8db7cce47bb4efcb8a4c3c9771d8a0057
…ce.com/platform/packages/services/Telecomm into staging/lineage-18.1_merge_android-security-11.0.0_r67 Android security 11.0.0 release 67 * tag 'android-security-11.0.0_r67' of https://android.googlesource.com/platform/packages/services/Telecomm: enforce stricter rules when registering phoneAccounts Change-Id: I491858087fa6d9a0847f09f1771273cb2f9a6c4f
The call redirection service does not handle the corner case of onNullBinding (occurs when onBind returns null). This vulnerability would give the app that has the call redirection role unintentional access to launch background activities outside the scope of a call lifecycle. Fixes: 273260090 Test: Unit test to ensure we unbind the service on null onBind Test: CTS for similar assertion (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c3580d96071a7232ce11ad83848d6394b93121d8) Merged-In: Ib9d44d239833131eb055e83801cb635e8efe0b81 Change-Id: Ib9d44d239833131eb055e83801cb635e8efe0b81
Because of the INTERACT_ACROSS_USERS permission, an app that implements a ConnectionService can upload an image icon belonging to another user by setting it in the StatusHints. Validating the construction of the StatusHints on the calling user would prevent a malicious app from registering a connection service with the embedded image icon from a different user. From additional feedback, this CL also addresses potential vulnerabilities in an app being able to directly invoke the binder for a means to manipulate the contents of the bundle that are passed with it. The targeted points of entry are in ConnectionServiceWrapper for the following APIs: handleCreateConnectionComplete, setStatusHints, addConferenceCall, and addExistingConnection. Fixes: 280797684 Test: Manual (verified that original exploit is no longer an issue). Test: Unit test for validating image in StatusHints constructor. Test: Unit tests to address vulnerabilities via the binder. (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49d19dd265bee669b230efa29bf98c83650efea6) Merged-In: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c Change-Id: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c
Currently when the CallRedirectionService binding died, we didn't do anything, which allows a malicious app to start activities even when not running in the background by implementing a CallRedirectionService and overriding the onPlaceCall method to schedule an activity start job in an independent process and then kill itself. In that way, the activity can still start after the CallRedirectionService died. Fix this by unbinding the service when the binding died. Bug: b/289809991 Test: Using testapp provided in bug to make sure the test activity can't be started (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043) Merged-In: I065d361b83700474a1efab2a75928427ee0a14ba Change-Id: I065d361b83700474a1efab2a75928427ee0a14ba
Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit is possible where the user can upload an image icon (belonging to another user) via registering a phone account. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation. Fixes: 273502295 Fixes: 296915211 Test: Unit test to enforce successful/failure path (cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) (cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
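The cross-user icon checks described in the StatusHints and phone account commits above, as an added sketch that is not code from this pull request or from AOSP. It assumes the Android convention that a content URI names another user with a `userId@` prefix in its authority; `isIconUriAllowed` and the sample URIs are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class IconUriUserCheck {

    /**
     * Returns true when an icon URI may be accepted from a caller running as
     * callerUserId. Hypothetical helper for illustration only.
     */
    static boolean isIconUriAllowed(String iconUri, int callerUserId) {
        if (iconUri == null) {
            return true; // no URI-backed icon, nothing to resolve
        }
        final String authority;
        try {
            // Use the raw authority: java.net.URI#getUserInfo() returns null
            // when the host part is not a valid hostname (e.g. contains '_'),
            // which would silently skip the check.
            authority = new URI(iconUri).getRawAuthority();
        } catch (URISyntaxException e) {
            return false; // unparsable URI: fail closed
        }
        if (authority == null) {
            return true; // no authority, so no embedded user id
        }
        int at = authority.lastIndexOf('@');
        if (at < 0) {
            return true; // no user part: resolves in the caller's own user
        }
        try {
            // Encoded or non-numeric user parts fail parsing and are rejected.
            return Integer.parseInt(authority.substring(0, at)) == callerUserId;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the caller is assumed to be user 0.
        String[] samples = {
            "content://media/external/images/media/1",
            "content://0@media/external/images/media/1",
            "content://10@media/external/images/media/1",
            "content://10@com.example.provider_x/icon.png",
            "content://%31%30@media/external/images/media/1",
        };
        for (String s : samples) {
            System.out.println((isIconUriAllowed(s, 0) ? "allow  " : "reject ") + s);
        }
    }
}
```

The check has to run against the calling user's id before the privileged process resolves the URI, since that process holds INTERACT_ACROSS_USERS and the provider lookup itself will not refuse.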
No description provided.