Google Git
Sign in
android / platform / frameworks / base / b87c968e5a41a1a09166199bf54eee12608f3900
commitb87c968e5a41a1a09166199bf54eee12608f3900[log] [tgz]
authorCharles He <qiurui@google.com>Fri Jul 14 14:41:06 2017 +0100
committerandroid-build-team Robot <android-build-team-robot@google.com>Tue Aug 22 23:20:12 2017 +0000
tree58065d5f3847794bc69adf5c0e329d4a2a7e21be
parentc574568aaede7f652432deb7707f20ae54bbdf9a [diff]
Fix security hole in GateKeeperResponse.

GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.

This CL changes writeToParcel() to make serialization and
deserialization consistent, thus fixing the issue.

Bug: 62998805
Test: use the debug app (see bug)
Change-Id: Ie1c64172c454c3a4b7a0919eb3454f0e38efcd09
(cherry picked from commit e74cae8f7c3e6b12f2bf2b75427ee8f5b53eca3c)
1 file changed
tree: 58065d5f3847794bc69adf5c0e329d4a2a7e21be
  1. apct-tests/
  2. api/
  3. cmds/
  4. core/
  5. data/
  6. docs/
  7. drm/
  8. graphics/
  9. keystore/
  10. legacy-test/
  11. libs/
  12. location/
  13. media/
  14. native/
  15. nfc-extras/
  16. obex/
  17. opengl/
  18. packages/
  19. proto/
  20. rs/
  21. samples/
  22. sax/
  23. services/
  24. telecomm/
  25. telephony/
  26. test-runner/
  27. tests/
  28. tools/
  29. vr/
  30. wifi/
  31. Android.bp
  32. Android.mk
  33. CleanSpec.mk
  34. compiled-classes-phone
  35. MODULE_LICENSE_APACHE2
  36. NOTICE
  37. pathmap.mk
  38. preloaded-classes
  39. PREUPLOAD.cfg