Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / android_frameworks_base / eccd83cf147fbd22d731477448b071fa17cf8a6a^! / .
commiteccd83cf147fbd22d731477448b071fa17cf8a6a[log] [tgz]
authorkumarashishg <kumarashishg@google.com>Mon Jul 17 12:01:18 2023 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Thu Jan 11 04:45:45 2024 +0000
tree21cff3017198b4dd80e0ab0af1c7684a48a993ef
parent09383fb3944bec246f710ffa357668b48325b0c6 [diff]
Resolve custom printer icon boundary exploit.

Because Settings grants the INTERACT_ACROSS_USERS_FULL permission, an exploit is possible where the third party print plugin service can pass other's User Icon URI. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation.

Bug: 281525042
Test: Build and flash the code. Try to reproduce the issue with
mentioned steps in the bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:39f5737626ca644f41fda890c12518ce51875835)
Merged-In: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
Change-Id: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce

diff --git a/services/print/java/com/android/server/print/PrintManagerService.java b/services/print/java/com/android/server/print/PrintManagerService.java
index 66524edf..1386bbf 100644
--- a/services/print/java/com/android/server/print/PrintManagerService.java
+++ b/services/print/java/com/android/server/print/PrintManagerService.java

@@ -254,12 +254,45 @@
             }
             final long identity = Binder.clearCallingIdentity();
             try {
-                return userState.getCustomPrinterIcon(printerId);
+                Icon icon = userState.getCustomPrinterIcon(printerId);
+                return validateIconUserBoundary(icon);
             } finally {
                 Binder.restoreCallingIdentity(identity);
             }
         }
 
+        /**
+         * Validates the custom printer icon to see if it's not in the calling user space.
+         * If the condition is not met, return null. Otherwise, return the original icon.
+         *
+         * @param icon
+         * @return icon (validated)
+         */
+        private Icon validateIconUserBoundary(Icon icon) {
+            // Refer to Icon#getUriString for context. The URI string is invalid for icons of
+            // incompatible types.
+            if (icon != null && (icon.getType() == Icon.TYPE_URI
+                    || icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP)) {
+                String encodedUser = icon.getUri().getEncodedUserInfo();
+
+                // If there is no encoded user, the URI is calling into the calling user space
+                if (encodedUser != null) {
+                    int userId = Integer.parseInt(encodedUser);
+                    // resolve encoded user
+                    final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
+
+                    synchronized (mLock) {
+                        // Only the current group members can get the printer icons.
+                        if (resolveCallingProfileParentLocked(resolvedUserId)
+                                != getCurrentUserId()) {
+                            return null;
+                        }
+                    }
+                }
+            }
+            return icon;
+        }
+
         @Override
         public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) {
             if (printJobId == null) {