30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid

Problem: MmsProvider.openFile validated the current _data column
in the DB and then called ContentProvider.openFileHelper which was again
reading from the DB. A race condition could cause the second DB read to
read an updated, malicious value.

Fix: instead of doing the first DB check and calling
ContentProvider.openFileHelper, we're now just calling
MmsProvider.safeOpenFileHelper which does a single check.

Test: used the POC provided for this incident.


Change-Id: I653129359130b9fae59d4c355320b266c158a698
(cherry picked from commit 5bc7f9682d72c89ba252be6471b2db9b7e7815e3)
1 file changed