Fix vulnerability in LockSettings service am: 2d71384a13
am: 485fbda04c
Change-Id: I07def32199ecdbbb32aa6ecaca20724cfc81265c
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index 2e9f4f63..af0cc7e 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -296,7 +296,7 @@
return false;
}
} catch (RemoteException re) {
- return true;
+ return false;
}
}
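Review bot: The `catch (RemoteException re)` branch now fails closed, which is the safer default, but it discards the exception, so a caller cannot tell an unreachable lock settings service from a rejected credential and nothing is recorded for diagnosis. Consider logging before the return, for example `Log.e(TAG, "Credential check failed: lock settings service unreachable", re);` (this assumes the class has a `TAG` constant, which is not visible here), and keep the credential itself out of the message. The same applies to the second hunk at -345. The enclosing methods start outside both hunks, so their names and return contract are inferred from the visible `return false` lines.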
@@ -345,7 +345,7 @@
return false;
}
} catch (RemoteException re) {
- return true;
+ return false;
}
}
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index f1678d2..7eaec16 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -523,6 +523,9 @@
private VerifyCredentialResponse doVerifyPattern(String pattern, boolean hasChallenge,
long challenge, int userId) throws RemoteException {
checkPasswordReadPermission(userId);
+ if (TextUtils.isEmpty(pattern)) {
+ throw new IllegalArgumentException("Pattern can't be null or empty");
+ }
CredentialHash storedHash = mStorage.readPatternHash(userId);
boolean shouldReEnrollBaseZero = storedHash != null && storedHash.isBaseZeroPattern;
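Review bot: The `IllegalArgumentException` added to `doVerifyPattern` is unchecked, while the client code changed in `LockPatternUtils.java` in this same commit catches only `RemoteException`. If the exception is propagated back across the service call, an empty pattern would surface as an uncaught exception in the calling process rather than as a failed check. If that is not intended, the caller should reject an empty credential before the call, or catch the exception and return false; whether it already does is outside the visible hunks. The guard would also benefit from a short comment such as `// Reject empty input before the stored hash is read or compared.` The same applies to the guard in the `doVerifyPassword` hunk.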
@@ -579,6 +582,9 @@
private VerifyCredentialResponse doVerifyPassword(String password, boolean hasChallenge,
long challenge, int userId) throws RemoteException {
checkPasswordReadPermission(userId);
+ if (TextUtils.isEmpty(password)) {
+ throw new IllegalArgumentException("Password can't be null or empty");
+ }
CredentialHash storedHash = mStorage.readPasswordHash(userId);
return verifyCredential(userId, storedHash, password, hasChallenge, challenge,
new CredentialUtil() {
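Review bot: This guard duplicates the one added to `doVerifyPattern`, and both sit in the per-type wrappers rather than in `verifyCredential`, which the password path calls on the lines that follow. Placing the empty check, or a second defensive one, at the top of `verifyCredential` would cover any other entry point that reaches it. Whether such callers exist, and whether the pattern path goes through the same method, is not visible in these hunks. The anonymous `CredentialUtil` and the rest of the method continue outside the hunk.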