Merge tag 'android-security-10.0.0_r54' into int/10/fp2 Android Security 10.0.0 Release 54 (7250004) * tag 'android-security-10.0.0_r54': RESTRICT AUTOMERGE Fix exported broadcast receiver vulnerability Change-Id: I5b538acc4966ad3a29d39c5de0d2373fe50a98b8

commit: 020ed38cff787322e23e62a3ba86b216b0b6e2a4 [log] [tgz]
author: Karsten Tausche <karsten@fairphone.com> Thu Aug 26 19:09:15 2021 +0200
committer: Karsten Tausche <karsten@fairphone.com> Thu Aug 26 19:09:15 2021 +0200
tree: b7e337ffed73947f4425eff5317210712db8df31
parent: 05606c33b0350e5de22fc489fd2491b9985c2f6f [diff]
parent: 1616b2851c2fb17210ed78275830f296876174da [diff]
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index bfd79a5..275d695 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml

@@ -130,6 +130,11 @@
             </intent-filter>
         </receiver>
 
+        <receiver android:name="com.android.cellbroadcastreceiver.CellBroadcastInternalReceiver"
+                  android:exported="false">
+            <!-- No intent filter on purpose: this should only receive explicit intents -->
+        </receiver>
+
         <provider
                 android:name="CellBroadcastSearchIndexableProvider"
                 android:authorities="com.android.cellbroadcastreceiver"

diff --git a/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java b/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java
index be8ba64..ec3c1db 100644
--- a/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java
+++ b/src/com/android/cellbroadcastreceiver/CellBroadcastAlertService.java

@@ -667,9 +667,11 @@
         final NotificationManager notificationManager = NotificationManager.from(context);
         createNotificationChannels(context);
 
+        boolean isWatch = context.getPackageManager()
+                .hasSystemFeature(PackageManager.FEATURE_WATCH);
         // Create intent to show the new messages when user selects the notification.
         Intent intent;
-        if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+        if (isWatch) {
             // For FEATURE_WATCH we want to mark as read
             intent = createMarkAsReadIntent(context, message.getDeliveryTime());
         } else {
@@ -682,7 +684,7 @@
         intent.putExtra(CellBroadcastAlertDialog.FROM_SAVE_STATE_NOTIFICATION_EXTRA, fromSaveState);
 
         PendingIntent pi;
-        if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+        if (isWatch) {
             pi = PendingIntent.getBroadcast(context, 0, intent, 0);
         } else {
             pi = PendingIntent.getActivity(context, NOTIFICATION_ID, intent,
@@ -706,7 +708,7 @@
                         .setVisibility(Notification.VISIBILITY_PUBLIC)
                         .setOngoing(nonSwipeableNotification);
 
-        if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+        if (isWatch) {
             builder.setDeleteIntent(pi);
             // FEATURE_WATCH/CWH devices see this as priority
             builder.setVibrate(new long[]{0});
@@ -736,8 +738,7 @@
         // Emergency messages use a different audio playback and display path. Since we use
         // addToNotification for the emergency display on FEATURE WATCH devices vs the
         // Alert Dialog, it will call this and override the emergency audio tone.
-        if (context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)
-                && !CellBroadcastChannelManager.isEmergencyMessage(context, message)) {
+        if (isWatch && !CellBroadcastChannelManager.isEmergencyMessage(context, message)) {
             if (res.getBoolean(R.bool.watch_enable_non_emergency_audio)) {
                 // start audio/vibration/speech service for non emergency alerts
                 Intent audioIntent = new Intent(context, CellBroadcastAlertAudio.class);
@@ -785,7 +786,7 @@
      * @return delete intent to add to the pending intent
      */
     static Intent createMarkAsReadIntent(Context context, long deliveryTime) {
-        Intent deleteIntent = new Intent(context, CellBroadcastReceiver.class);
+        Intent deleteIntent = new Intent(context, CellBroadcastInternalReceiver.class);
         deleteIntent.setAction(CellBroadcastReceiver.ACTION_MARK_AS_READ);
         deleteIntent.putExtra(CellBroadcastReceiver.EXTRA_DELIVERY_TIME, deliveryTime);
         return deleteIntent;

diff --git a/src/com/android/cellbroadcastreceiver/CellBroadcastInternalReceiver.java b/src/com/android/cellbroadcastreceiver/CellBroadcastInternalReceiver.java
new file mode 100644
index 0000000..455c5b6
--- /dev/null
+++ b/src/com/android/cellbroadcastreceiver/CellBroadcastInternalReceiver.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cellbroadcastreceiver;
+
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.provider.Telephony;
+
+import com.android.internal.annotations.VisibleForTesting;
+
+/**
+ * {@link BroadcastReceiver} used for handling internal broadcasts (e.g. generated from
+ * {@link android.app.PendingIntent}s).
+ */
+public class CellBroadcastInternalReceiver extends BroadcastReceiver {
+
+    /**
+     * helper method for easier testing. To generate a new CellBroadcastTask
+     * @param deliveryTime message delivery time
+     */
+    @VisibleForTesting
+    public void getCellBroadcastTask(Context context, long deliveryTime) {
+        new CellBroadcastContentProvider.AsyncCellBroadcastTask(context.getContentResolver())
+                .execute(new CellBroadcastContentProvider.CellBroadcastOperation() {
+                    @Override
+                    public boolean execute(CellBroadcastContentProvider provider) {
+                        return provider.markBroadcastRead(Telephony.CellBroadcasts.DELIVERY_TIME,
+                                deliveryTime);
+                    }
+                });
+    }
+
+    @Override
+    public void onReceive(Context context, Intent intent) {
+        if (CellBroadcastReceiver.ACTION_MARK_AS_READ.equals(intent.getAction())) {
+            final long deliveryTime = intent.getLongExtra(
+                    CellBroadcastReceiver.EXTRA_DELIVERY_TIME, -1);
+            getCellBroadcastTask(context, deliveryTime);
+        }
+    }
+}

diff --git a/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java b/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java
index 48a1573..496e34a 100644
--- a/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java
+++ b/src/com/android/cellbroadcastreceiver/CellBroadcastReceiver.java

@@ -31,6 +31,7 @@
 import android.telephony.ServiceState;
 import android.telephony.SubscriptionManager;
 import android.telephony.cdma.CdmaSmsCbProgramData;
+import android.util.EventLog;
 import android.util.Log;
 
 import com.android.internal.telephony.cdma.sms.SmsEnvelope;
@@ -62,15 +63,9 @@
         String action = intent.getAction();
 
         if (ACTION_MARK_AS_READ.equals(action)) {
-            final long deliveryTime = intent.getLongExtra(EXTRA_DELIVERY_TIME, -1);
-            new CellBroadcastContentProvider.AsyncCellBroadcastTask(context.getContentResolver())
-                    .execute(new CellBroadcastContentProvider.CellBroadcastOperation() {
-                        @Override
-                        public boolean execute(CellBroadcastContentProvider provider) {
-                            return provider.markBroadcastRead(CellBroadcasts.DELIVERY_TIME,
-                                    deliveryTime);
-                        }
-                    });
+            // The only way this'll be called is if someone tries to maliciously set something as
+            // read. Log an event.
+            EventLog.writeEvent(0x534e4554, "162741784", -1, null);
         } else if (CarrierConfigManager.ACTION_CARRIER_CONFIG_CHANGED.equals(action)) {
             initializeSharedPreference(context.getApplicationContext());
             startConfigService(context.getApplicationContext());
commit	020ed38cff787322e23e62a3ba86b216b0b6e2a4	[log] [tgz]
author	Karsten Tausche <karsten@fairphone.com>	Thu Aug 26 19:09:15 2021 +0200
committer	Karsten Tausche <karsten@fairphone.com>	Thu Aug 26 19:09:15 2021 +0200
tree	b7e337ffed73947f4425eff5317210712db8df31
parent	05606c33b0350e5de22fc489fd2491b9985c2f6f [diff]
parent	1616b2851c2fb17210ed78275830f296876174da [diff]