Google Git
Sign in
android / platform / frameworks / base / 263d7d0ba8818c471a27938c4e002bae33569f01^! / .
commit263d7d0ba8818c471a27938c4e002bae33569f01[log] [tgz]
authorPinyao Ting <pinyaoting@google.com>Thu Jul 14 11:25:54 2022 -0700
committerPinyao Ting <pinyaoting@google.com>Thu Jul 14 13:08:02 2022 -0700
tree7e6c0b3d592dd83736f3964a3e577317e9bf4fd7
parentdbdc3922fe174b3ba2514a2e064f4c7464286fb5 [diff]
Fix a security issue in app widget service.

Bug: 234013191
Test: atest RemoteViewsAdapterTest
Change-Id: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20

diff --git a/core/java/android/appwidget/AppWidgetManager.java b/core/java/android/appwidget/AppWidgetManager.java
index 18c6381..a432b8d 100644
--- a/core/java/android/appwidget/AppWidgetManager.java
+++ b/core/java/android/appwidget/AppWidgetManager.java

@@ -1130,7 +1130,9 @@
      * @param intent        The intent of the service which will be providing the data to the
      *                      RemoteViewsAdapter.
      * @param connection    The callback interface to be notified when a connection is made or lost.
-     * @param flags         Flags used for binding to the service
+     * @param flags         Flags used for binding to the service. Currently only
+     *                     {@link Context#BIND_AUTO_CREATE} and
+     *                     {@link Context#BIND_FOREGROUND_SERVICE_WHILE_AWAKE} are supported.
      *
      * @see Context#getServiceDispatcher(ServiceConnection, Handler, int)
      * @hide

diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
index bd1a2a6..4892718 100644
--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java

@@ -1222,11 +1222,12 @@
             try {
                 // Ask ActivityManager to bind it. Notice that we are binding the service with the
                 // caller app instead of DevicePolicyManagerService.
-                if(ActivityManager.getService().bindService(
+                if (ActivityManager.getService().bindService(
                         caller, activtiyToken, intent,
                         intent.resolveTypeIfNeeded(mContext.getContentResolver()),
-                        connection, flags, mContext.getOpPackageName(),
-                        widget.provider.getUserId()) != 0) {
+                        connection, flags & (Context.BIND_AUTO_CREATE
+                                | Context.BIND_FOREGROUND_SERVICE_WHILE_AWAKE),
+                        mContext.getOpPackageName(), widget.provider.getUserId()) != 0) {
 
                     // Add it to the mapping of RemoteViewsService to appWidgetIds so that we
                     // can determine when we can call back to the RemoteViewsService later to