Fix bluetooth settings will broadcast to anywhere when some cases

BluetoothPermissionActivity and DevicePickerFragment will send broadcast to return the result to calling apps. As this broadcast intent is from Settings with uid 1000, it will be sent to any protected BroadcastReceivers in the device. It can make an attacker send broadcast to protected BroadcastReceivers like factory reset intent (android/com.android.server.MasterClearReceiver) via BluetoothPermissionActivity or DevicePickerFragment. This CL will compare to calling package name with launch package name. If they are not equal, the broadcast will not send to launch package name. Bug: 179386960 Bug: 179386068 Test: make -j42 RunSettingsRoboTests and use test apk to manually test to verify factory reset not started and no system UI notification. Change-Id: Ib8a5acde663e875912d300dd4912c4e9416f02f1
2021-03-12 10:40:20 +08:00
parent 6d513a2c67
commit 9d00364da4
5 changed files with 268 additions and 115 deletions
--- a/src/com/android/settings/bluetooth/DevicePickerFragment.java
+++ b/src/com/android/settings/bluetooth/DevicePickerFragment.java
@@ -27,12 +27,15 @@ import android.content.Context;
 import android.content.Intent;
 import android.os.Bundle;
 import android.os.UserManager;
+import android.text.TextUtils;
+import android.util.Log;
 import android.view.Menu;
 import android.view.MenuInflater;

 import androidx.annotation.VisibleForTesting;

 import com.android.settings.R;
+import com.android.settings.password.PasswordUtils;
 import com.android.settingslib.bluetooth.CachedBluetoothDevice;
 import com.android.settingslib.core.AbstractPreferenceController;

@@ -48,10 +51,16 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment {

    @VisibleForTesting
    BluetoothProgressCategory mAvailableDevicesCategory;
+    @VisibleForTesting
+    String mLaunchPackage;
+    @VisibleForTesting
+    String mLaunchClass;
+    @VisibleForTesting
+    String mCallingAppPackageName;
+    @VisibleForTesting
+    Context mContext;

    private boolean mNeedAuth;
-    private String mLaunchPackage;
-    private String mLaunchClass;
    private boolean mScanAllowed;

    public DevicePickerFragment() {
@@ -85,6 +94,9 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment {
        getActivity().setTitle(getString(R.string.device_picker));
        UserManager um = (UserManager) getSystemService(Context.USER_SERVICE);
        mScanAllowed = !um.hasUserRestriction(DISALLOW_CONFIG_BLUETOOTH);
+        mCallingAppPackageName = PasswordUtils.getCallingAppPackageName(
+                getActivity().getActivityToken());
+        mContext = getContext();
        setHasOptionsMenu(true);
    }

@@ -188,11 +200,17 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment {
    }

    private void sendDevicePickedIntent(BluetoothDevice device) {
+        if (!TextUtils.equals(mCallingAppPackageName, mLaunchPackage)) {
+            Log.w(TAG, "sendDevicePickedIntent() launch package name is not equivalent to"
+                    + " calling package name!");
+            return;
+        }
+
        Intent intent = new Intent(BluetoothDevicePicker.ACTION_DEVICE_SELECTED);
        intent.putExtra(BluetoothDevice.EXTRA_DEVICE, device);
        if (mLaunchPackage != null && mLaunchClass != null) {
            intent.setClassName(mLaunchPackage, mLaunchClass);
        }
-        getActivity().sendBroadcast(intent, Manifest.permission.BLUETOOTH_ADMIN);
+        mContext.sendBroadcast(intent, Manifest.permission.BLUETOOTH_ADMIN);
    }
 }