diff options
| author | Tom O'Neill <tomo@google.com> | 2016-12-22 17:59:47 +0000 |
|---|---|---|
| committer | Sean McCreary <mccreary@mcwest.org> | 2017-04-06 17:08:44 -0600 |
| commit | 51d0b0fc52891ec3714c5bb4fedd9f1598e0224c (patch) | |
| tree | 29645fe314ecbab73e554b108771d75178ba8ff8 /services | |
| parent | d81dca8b1a4786940cfcb8c7aeba72ab541bd58a (diff) | |
| download | frameworks_base-51d0b0fc52891ec3714c5bb4fedd9f1598e0224c.zip frameworks_base-51d0b0fc52891ec3714c5bb4fedd9f1598e0224c.tar.gz frameworks_base-51d0b0fc52891ec3714c5bb4fedd9f1598e0224c.tar.bz2 | |
Fix exploit where can hide the fact that a location was mocked
am: a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344 am: d28eef0cc2 am: 1f458fdc66 am: d82f8a67fc am: 1ac8affd51 am: 56098f81b6 am: 7cec76de0f
am: 2da05d0f9e
AOSP-Change-Id: I8c94a06f5fa722312436484609bafcb0585d6d18
CVE-2017-0489
Change-Id: I7bf939b05b7bfc5a855b212fe8c92fc58943e7d6
(cherry picked from commit d22261fef84481651e12995062105239d551cbc6)
Diffstat (limited to 'services')
| -rw-r--r-- | services/core/java/com/android/server/LocationManagerService.java | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/LocationManagerService.java b/services/core/java/com/android/server/LocationManagerService.java index 6cd8e10..5019161 100644 --- a/services/core/java/com/android/server/LocationManagerService.java +++ b/services/core/java/com/android/server/LocationManagerService.java @@ -88,6 +88,8 @@ import android.os.UserHandle; import android.os.UserManager; import android.os.WorkSource; import android.provider.Settings; +import android.text.TextUtils; +import android.util.EventLog; import android.util.Log; import android.util.Slog; @@ -2638,9 +2640,22 @@ public class LocationManagerService extends ILocationManager.Stub { if (mockProvider == null) { throw new IllegalArgumentException("Provider \"" + provider + "\" unknown"); } + + // Ensure that the location is marked as being mock. There's some logic to do this in + // handleLocationChanged(), but it fails if loc has the wrong provider (bug 33091107). + Location mock = new Location(loc); + mock.setIsFromMockProvider(true); + + if (!TextUtils.isEmpty(loc.getProvider()) && !provider.equals(loc.getProvider())) { + // The location has an explicit provider that is different from the mock provider + // name. The caller may be trying to fool us via bug 33091107. + EventLog.writeEvent(0x534e4554, "33091107", Binder.getCallingUid(), + provider + "!=" + loc.getProvider()); + } + // clear calling identity so INSTALL_LOCATION_PROVIDER permission is not required long identity = Binder.clearCallingIdentity(); - mockProvider.setLocation(loc); + mockProvider.setLocation(mock); Binder.restoreCallingIdentity(identity); } } |