Android 7.0.0 Release 36 (NBD92Y)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXJFeowAKCRDorT+BmrEO
eHZZAJ9kVqTJNCVxlrMksWGWpwNvm8chzQCeJML3hxOCea9xWmNnCtAWlrIkOLg=
=8IkM
-----END PGP SIGNATURE-----
30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid

Problem: MmsProvider.openFile validated the current _data column
in the DB and then called ContentProvider.openFileHelper which was again
reading from the DB. A race condition could cause the second DB read to
read an updated, malicious value.

Fix: instead of doing the first DB check and calling
ContentProvider.openFileHelper, we're now just calling
MmsProvider.safeOpenFileHelper which does a single check.

Test: used the POC provided for this incident.

b/30481342

Change-Id: I653129359130b9fae59d4c355320b266c158a698
(cherry picked from commit 5bc7f9682d72c89ba252be6471b2db9b7e7815e3)
1 file changed