From 54e74cae5ffb42cf31af7b90193d4a17d26310fd Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski <jpawlowski@google.com>
Date: Thu, 1 Apr 2021 22:29:36 +0200
Subject: [PATCH] Fix app name label spoofing

Fix idea was copied from
frameworks/base/core/java/android/accounts/ChooseAccountActivity.java

Bug: 183710549
Test: verified with POC app from bug that the fix is working
Change-Id: I40131965ed0d1e11cdf4b56daef39a95b80fdd7d
---
 .../bluetooth/RequestPermissionActivity.java   | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/com/android/settings/bluetooth/RequestPermissionActivity.java b/src/com/android/settings/bluetooth/RequestPermissionActivity.java
index 4446fb6d8d4..362849d850d 100644
--- a/src/com/android/settings/bluetooth/RequestPermissionActivity.java
+++ b/src/com/android/settings/bluetooth/RequestPermissionActivity.java
@@ -29,6 +29,8 @@ import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageItemInfo;
 import android.content.pm.PackageManager;
 import android.os.Bundle;
+import android.os.Process;
+import android.os.UserHandle;
 import android.text.TextUtils;
 import android.util.Log;
 
@@ -315,16 +317,26 @@ public class RequestPermissionActivity extends Activity implements
             }
         } else {
             Log.e(TAG, "Error: this activity may be started only with intent "
-                    + BluetoothAdapter.ACTION_REQUEST_ENABLE + " or "
+                    + BluetoothAdapter.ACTION_REQUEST_ENABLE + ", "
+                    + BluetoothAdapter.ACTION_REQUEST_DISABLE + " or "
                     + BluetoothAdapter.ACTION_REQUEST_DISCOVERABLE);
             setResult(RESULT_CANCELED);
             return true;
         }
 
-        String packageName = getCallingPackage();
-        if (TextUtils.isEmpty(packageName)) {
+        String packageName = getLaunchedFromPackage();
+        int mCallingUid = getLaunchedFromUid();
+
+        if (UserHandle.isSameApp(mCallingUid, Process.SYSTEM_UID)
+                && getIntent().getStringExtra(Intent.EXTRA_PACKAGE_NAME) != null) {
             packageName = getIntent().getStringExtra(Intent.EXTRA_PACKAGE_NAME);
         }
+
+        if (!UserHandle.isSameApp(mCallingUid, Process.SYSTEM_UID)
+                && getIntent().getStringExtra(Intent.EXTRA_PACKAGE_NAME) != null) {
+            Log.w(TAG, "Non-system Uid: " + mCallingUid + " tried to override packageName \n");
+        }
+
         if (!TextUtils.isEmpty(packageName)) {
             try {
                 ApplicationInfo applicationInfo = getPackageManager().getApplicationInfo(