• R/O
  • HTTP
  • SSH
  • HTTPS

Commit

Tags
No Tags

Frequently used words (click to add to your profile)

javaandroidc++linuxc#objective-c誰得cocoaqtpythonrubywindowsphpgameguibathyscaphec翻訳omegat計画中(planning stage)frameworktwitterdombtronvb.nettestarduinodirectxpreviewerゲームエンジン

frameworks/base


Commit MetaInfo

Revision5e87848e2a8004168423e439ac9e998ba57a478d (tree)
Time2020-09-11 19:04:55
AuthorWinson <chiuwinson@goog...>
CommiterVasyl Gello

Log Message

DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package

Without this check, any package can set the installer package of
another package whose installer has been removed or was never set.
This provides access to other privileged actions and is undesired.

Bug: 150857253

Test: manual verify with proof of concept in linked bug
Test: atest android.appsecurity.cts.PackageSetInstallerTest

[basilgello: Backport to 14.1:

- callingUid -> Binder.getCallingUid()]

Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>

Change-Id: I2159c357911ff39ffd819054b42f96ae86bc98bc
(cherry picked from commit fc8bfed55373821afc107eeee355bcc014629c7c)

Change Summary

Incremental Difference

--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -12593,20 +12593,26 @@ public class PackageManagerService extends IPackageManager.Stub {
1259312593
1259412594 // Verify: if target already has an installer package, it must
1259512595 // be signed with the same cert as the caller.
12596- if (targetPackageSetting.installerPackageName != null) {
12597- PackageSetting setting = mSettings.mPackages.get(
12598- targetPackageSetting.installerPackageName);
12599- // If the currently set package isn't valid, then it's always
12600- // okay to change it.
12601- if (setting != null) {
12602- if (compareSignatures(callerSignature,
12603- setting.signatures.mSignatures)
12604- != PackageManager.SIGNATURE_MATCH) {
12605- throw new SecurityException(
12606- "Caller does not have same cert as old installer package "
12607- + targetPackageSetting.installerPackageName);
12608- }
12596+ String targetInstallerPackageName =
12597+ targetPackageSetting.installerPackageName;
12598+ PackageSetting targetInstallerPkgSetting = targetInstallerPackageName == null ? null :
12599+ mSettings.mPackages.get(targetInstallerPackageName);
12600+
12601+ if (targetInstallerPkgSetting != null) {
12602+ if (compareSignatures(callerSignature,
12603+ targetInstallerPkgSetting.signatures.mSignatures)
12604+ != PackageManager.SIGNATURE_MATCH) {
12605+ throw new SecurityException(
12606+ "Caller does not have same cert as old installer package "
12607+ + targetInstallerPackageName);
1260912608 }
12609+ } else if (mContext.checkCallingOrSelfPermission(Manifest.permission.INSTALL_PACKAGES)
12610+ != PackageManager.PERMISSION_GRANTED) {
12611+ // This is probably an attempt to exploit vulnerability b/150857253 of taking
12612+ // privileged installer permissions when the installer has been uninstalled or
12613+ // was never set.
12614+ EventLog.writeEvent(0x534e4554, "150857253", Binder.getCallingUid(), "");
12615+ return;
1261012616 }
1261112617
1261212618 // Okay!