PawletOS/app_Settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix bluetooth settings will broadcast to anywhere when some cases

Browse Source 
BluetoothPermissionActivity and DevicePickerFragment will send
broadcast to return the result to calling apps. As this broadcast
intent is from Settings with uid 1000, it will be sent to any
protected BroadcastReceivers in the device. It can make an attacker
send broadcast to protected BroadcastReceivers like factory reset intent
(android/com.android.server.MasterClearReceiver) via
BluetoothPermissionActivity or DevicePickerFragment.

This CL will not allow to set package name and class name to avoid
the attacker.

Bug: 179386960
Bug: 179386068
Test: make -j42 RunSettingsRoboTests and use test apk to manually test
to verify factory reset not started and no system UI notification.

Change-Id: Id27a78091ab578077853b8fbb97a4422cff0a158
This commit is contained in:
Hugh Chen
2021-03-12 10:40:20 +08:00
parent 0a03f8e2d2
commit 8adedc6249
5 changed files with 107 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
View File

@@ -56,8 +56,6 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
Context mContext;
int mRequestType;
BluetoothDevice mDevice;
String mReturnPackage = null;
String mReturnClass = null;
@Override
public void onReceive(Context context, Intent intent) {
@@ -77,11 +75,10 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
mDevice = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
mRequestType = intent.getIntExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE,
BluetoothDevice.REQUEST_TYPE_PROFILE_CONNECTION);
mReturnPackage = intent.getStringExtra(BluetoothDevice.EXTRA_PACKAGE_NAME);
mReturnClass = intent.getStringExtra(BluetoothDevice.EXTRA_CLASS_NAME);
if (DEBUG) Log.d(TAG, "onReceive request type: " + mRequestType + " return "
+ mReturnPackage + "," + mReturnClass);
if (DEBUG) {
Log.d(TAG, "onReceive request type: " + mRequestType);
}
// Even if the user has already made the choice, Bluetooth still may not know that if
// the user preference data have not been migrated from Settings app's shared
@@ -110,8 +107,6 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE,
mRequestType);
connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_DEVICE, mDevice);
connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_PACKAGE_NAME, mReturnPackage);
connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_CLASS_NAME, mReturnClass);
String deviceAddress = mDevice != null ? mDevice.getAddress() : null;
String deviceName = mDevice != null ? mDevice.getName() : null;
@@ -231,7 +226,7 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
LocalBluetoothManager bluetoothManager = Utils.getLocalBtManager(mContext);
CachedBluetoothDeviceManager cachedDeviceManager =
bluetoothManager.getCachedDeviceManager();
bluetoothManager.getCachedDeviceManager();
CachedBluetoothDevice cachedDevice = cachedDeviceManager.findDevice(mDevice);
if (cachedDevice == null) {
cachedDevice = cachedDeviceManager.addDevice(mDevice);
@@ -289,13 +284,9 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
private void sendReplyIntentToReceiver(final boolean allowed) {
Intent intent = new Intent(BluetoothDevice.ACTION_CONNECTION_ACCESS_REPLY);
if (mReturnPackage != null && mReturnClass != null) {
intent.setClassName(mReturnPackage, mReturnClass);
}
intent.putExtra(BluetoothDevice.EXTRA_CONNECTION_ACCESS_RESULT,
allowed ? BluetoothDevice.CONNECTION_ACCESS_YES
: BluetoothDevice.CONNECTION_ACCESS_NO);
allowed ? BluetoothDevice.CONNECTION_ACCESS_YES
: BluetoothDevice.CONNECTION_ACCESS_NO);
intent.putExtra(BluetoothDevice.EXTRA_DEVICE, mDevice);
intent.putExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE, mRequestType);
mContext.sendBroadcast(intent, android.Manifest.permission.BLUETOOTH_ADMIN);