Merge tag 'android-security-10.0.0_r54' into int/10/fp2
Android Security 10.0.0 Release 54 (7250004)
* tag 'android-security-10.0.0_r54':
RESTRICT AUTOMERGE Fix exported broadcast receiver vulnerability
Change-Id: I5b538acc4966ad3a29d39c5de0d2373fe50a98b8
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index bfd79a5..275d695 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -130,6 +130,11 @@
</intent-filter>
</receiver>
+ <receiver android:name="com.android.cellbroadcastreceiver.CellBroadcastInternalReceiver"
+ android:exported="false">
+ <!-- No intent filter on purpose: this should only receive explicit intents -->
+ </receiver>
+
<provider
android:name="CellBroadcastSearchIndexableProvider"
android:authorities="com.android.cellbroadcastreceiver"
diff --git a/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java b/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java
index be8ba64..ec3c1db 100644
--- a/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java
+++ b/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java
@@ -667,9 +667,11 @@
final NotificationManager notificationManager = NotificationManager.from(context);
createNotificationChannels(context);
+ boolean isWatch = context.getPackageManager()
+ .hasSystemFeature(PackageManager.FEATURE_WATCH);
// Create intent to show the new messages when user selects the notification.
Intent intent;
- if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+ if (isWatch) {
// For FEATURE_WATCH we want to mark as read
intent = createMarkAsReadIntent(context, message.getDeliveryTime());
} else {
@@ -682,7 +684,7 @@
intent.putExtra(CellBroadcastAlertDialog.FROM_SAVE_STATE_NOTIFICATION_EXTRA, fromSaveState);
PendingIntent pi;
- if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+ if (isWatch) {
pi = PendingIntent.getBroadcast(context, 0, intent, 0);
} else {
pi = PendingIntent.getActivity(context, NOTIFICATION_ID, intent,
@@ -706,7 +708,7 @@
.setVisibility(Notification.VISIBILITY_PUBLIC)
.setOngoing(nonSwipeableNotification);
- if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+ if (isWatch) {
builder.setDeleteIntent(pi);
// FEATURE_WATCH/CWH devices see this as priority
builder.setVibrate(new long[]{0});
@@ -736,8 +738,7 @@
// Emergency messages use a different audio playback and display path. Since we use
// addToNotification for the emergency display on FEATURE WATCH devices vs the
// Alert Dialog, it will call this and override the emergency audio tone.
- if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)
- && !CellBroadcastChannelManager.isEmergencyMessage(context, message)) {
+ if (isWatch && !CellBroadcastChannelManager.isEmergencyMessage(context, message)) {
if (res.getBoolean(R.bool.watch_enable_non_emergency_audio)) {
// start audio/vibration/speech service for non emergency alerts
Intent audioIntent = new Intent(context, CellBroadcastAlertAudio.class);
@@ -785,7 +786,7 @@
* @return delete intent to add to the pending intent
*/
static Intent createMarkAsReadIntent(Context context, long deliveryTime) {
- Intent deleteIntent = new Intent(context, CellBroadcastReceiver.class);
+ Intent deleteIntent = new Intent(context, CellBroadcastInternalReceiver.class);
deleteIntent.setAction(CellBroadcastReceiver.ACTION_MARK_AS_READ);
deleteIntent.putExtra(CellBroadcastReceiver.EXTRA_DELIVERY_TIME, deliveryTime);
return deleteIntent;
diff --git a/src/com/android/cellbroadcastreceiver/CellBroadcastInternalReceiver.java b/src/com/android/cellbroadcastreceiver/CellBroadcastInternalReceiver.java
new file mode 100644
index 0000000..455c5b6
--- /dev/null
+++ b/src/com/android/cellbroadcastreceiver/CellBroadcastInternalReceiver.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cellbroadcastreceiver;
+
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.provider.Telephony;
+
+import com.android.internal.annotations.VisibleForTesting;
+
+/**
+ * {@link BroadcastReceiver} used for handling internal broadcasts (e.g. generated from
+ * {@link android.app.PendingIntent}s).
+ */
+public class CellBroadcastInternalReceiver extends BroadcastReceiver {
+
+ /**
+ * helper method for easier testing. To generate a new CellBroadcastTask
+ * @param deliveryTime message delivery time
+ */
+ @VisibleForTesting
+ public void getCellBroadcastTask(Context context, long deliveryTime) {
+ new CellBroadcastContentProvider.AsyncCellBroadcastTask(context.getContentResolver())
+ .execute(new CellBroadcastContentProvider.CellBroadcastOperation() {
+ @Override
+ public boolean execute(CellBroadcastContentProvider provider) {
+ return provider.markBroadcastRead(Telephony.CellBroadcasts.DELIVERY_TIME,
+ deliveryTime);
+ }
+ });
+ }
+
+ @Override
+ public void onReceive(Context context, Intent intent) {
+ if (CellBroadcastReceiver.ACTION_MARK_AS_READ.equals(intent.getAction())) {
+ final long deliveryTime = intent.getLongExtra(
+ CellBroadcastReceiver.EXTRA_DELIVERY_TIME, -1);
+ getCellBroadcastTask(context, deliveryTime);
+ }
+ }
+}
diff --git a/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java b/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java
index 48a1573..496e34a 100644
--- a/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java
+++ b/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java
@@ -31,6 +31,7 @@
import android.telephony.ServiceState;
import android.telephony.SubscriptionManager;
import android.telephony.cdma.CdmaSmsCbProgramData;
+import android.util.EventLog;
import android.util.Log;
import com.android.internal.telephony.cdma.sms.SmsEnvelope;
@@ -62,15 +63,9 @@
String action = intent.getAction();
if (ACTION_MARK_AS_READ.equals(action)) {
- final long deliveryTime = intent.getLongExtra(EXTRA_DELIVERY_TIME, -1);
- new CellBroadcastContentProvider.AsyncCellBroadcastTask(context.getContentResolver())
- .execute(new CellBroadcastContentProvider.CellBroadcastOperation() {
- @Override
- public boolean execute(CellBroadcastContentProvider provider) {
- return provider.markBroadcastRead(CellBroadcasts.DELIVERY_TIME,
- deliveryTime);
- }
- });
+ // The only way this'll be called is if someone tries to maliciously set something as
+ // read. Log an event.
+ EventLog.writeEvent(0x534e4554, "162741784", -1, null);
} else if (CarrierConfigManager.ACTION_CARRIER_CONFIG_CHANGED.equals(action)) {
initializeSharedPreference(context.getApplicationContext());
startConfigService(context.getApplicationContext());