Android CTS 7.0 Release 30 (5353406)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXIk2PAAKCRDorT+BmrEO
eP8rAJ0S+K+q5k+lvrlKARnshK1QSeCdnACfR8M0GYbSwDLiYzTf5D/GdGpdKww=
=MmjD
-----END PGP SIGNATURE-----
30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid

Problem: MmsProvider.openFile validated the current _data column
in the DB and then called ContentProvider.openFileHelper which was again
reading from the DB. A race condition could cause the second DB read to
read an updated, malicious value.

Fix: instead of doing the first DB check and calling
ContentProvider.openFileHelper, we're now just calling
MmsProvider.safeOpenFileHelper which does a single check.

Test: used the POC provided for this incident.

b/30481342

Change-Id: I653129359130b9fae59d4c355320b266c158a698
(cherry picked from commit 5bc7f9682d72c89ba252be6471b2db9b7e7815e3)
1 file changed