Android CTS 7.0 Release 30 (5353406)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid
Problem: MmsProvider.openFile validated the current _data column
in the DB and then called ContentProvider.openFileHelper which was again
reading from the DB. A race condition could cause the second DB read to
read an updated, malicious value.
Fix: instead of doing the first DB check and calling
ContentProvider.openFileHelper, we're now just calling
MmsProvider.safeOpenFileHelper which does a single check.
Test: used the POC provided for this incident.
(cherry picked from commit 5bc7f9682d72c89ba252be6471b2db9b7e7815e3)
1 file changed