| commit | 5b335401d1c8de7d1c85f4a0cf353f7f9fc30218 | [log] [tgz] |
|---|---|---|
| author | Grace Jia <[email protected]> | Thu Jul 20 13:42:50 2023 -0700 |
| committer | Android Build Coastguard Worker <[email protected]> | Thu Aug 10 17:13:01 2023 +0000 |
| tree | 85b52fe7ec98818de079ea0df2d775b8c39a2655 | |
| parent | dd302d211bd8b935464b48551a76ef718bf33ccc [diff] |
Fix vulnerability in CallRedirectionService. Currently when the CallRedirectionService binding died, we didn't do anything, which cause malicious app start activities even not run in the background by implementing a CallRedirectionService and overriding the onPlaceCall method to schedule a activity start job in an independent process and then kill itself. In that way, the activity can still start after the CallRedirectionService died. Fix this by unbinding the service when the binding died. Bug: b/289809991 Test: Using testapp provided in bug to make sure the test activity can't be started (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043) Merged-In: I065d361b83700474a1efab2a75928427ee0a14ba Change-Id: I065d361b83700474a1efab2a75928427ee0a14ba
diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java index 226382b..02debcd 100644 --- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java +++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
@@ -175,6 +175,20 @@ Log.endSession(); } } + + @Override + public void onBindingDied(ComponentName componentName) { + // Make sure we unbind the service if binding died to avoid background stating + // activity leaks + Log.startSession("CRSC.oBD"); + try { + synchronized (mTelecomLock) { + finishCallRedirection(); + } + } finally { + Log.endSession(); + } + } } private class CallRedirectionAdapter extends ICallRedirectionAdapter.Stub {