commit | 3ba41b36f2f8f9b5253a2e94375515c278128ff9 | [log] [tgz] |
---|---|---|
author | Ayush Sharma <ayushsha@google.com> | Wed Mar 16 10:32:23 2022 +0000 |
committer | Justin Dunlap <justindunlap@google.com> | Mon May 02 21:29:56 2022 +0000 |
tree | fd8b7f4ccf09a5620914f5b0729bc6f149c013c0 | |
parent | 99c7c0687b6135a5011cff59dc0590c2b8ad61f9 [diff] |
Fix security hole in GateKeeperResponse

GateKeeperResponse has inconsistent writeToParcel() and createFromParcel() methods, making it possible for a malicious app to create a Bundle that changes contents after reserialization. Such Bundles can be used to execute Intents with system privileges.

We fixed related issues previously for the GateKeeperResponse class, but one of the cases was remaining when the payload is a byte array of size 0. Fixing this case now.

Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586
(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)
Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
(cherry picked from commit 658c53c47c0d1b6a74d3c0a72372aaaba16c2516)
Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java index 7ed733c..9d648a6 100644 --- a/core/java/android/service/gatekeeper/GateKeeperResponse.java +++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -105,7 +105,7 @@ dest.writeInt(mTimeout); } else if (mResponseCode == RESPONSE_OK) { dest.writeInt(mShouldReEnroll ? 1 : 0); - if (mPayload != null) { + if (mPayload != null && mPayload.length > 0) { dest.writeInt(mPayload.length); dest.writeByteArray(mPayload); } else {
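Review bot: The new `mPayload != null && mPayload.length > 0` condition fixes only the writer side, and this hunk does not show the `else` branch nor the matching `createFromParcel()` path, so the reviewer cannot confirm from the diff alone that an empty array now round-trips to the same bytes on both sides. Please add a short comment above the changed `if` explaining that a zero-length payload is deliberately serialized the same way as an absent one (otherwise the next maintainer may "simplify" the condition back to `mPayload != null`), and replace "Test: With the POC provided in the bug" with a checked-in unit test that parcels a response with `new byte[0]`, unparcels it, re-parcels it and asserts the two byte streams are identical. Also note in the commit message that this is a behavior change for readers: a sender with an empty payload previously produced a non-null empty array after unparceling and will now take the `else` branch, so any consumer that relies on `getPayload()` being non-null should be checked.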