Revert "Revert "Fix vulnerability in AttributionSource due to in..."

Revert submission 21893028-revert-21778925-tm-dev-2-attribution-source-GNWUUYEQSX Reason for revert: Re-submitting after test devices have been updated with the new Wifi mainline module. Reverted changes: /q/submissionid:21893028-revert-21778925-tm-dev-2-attribution-source-GNWUUYEQSX Change-Id: Ie108fa208af1c2e35d2c0137e45fa146e260c93d Merged-In: Ic301a8518b8e57e1c9a2c9f2f845e51dca145257 Bug: 267231571

Revert "Revert "Fix vulnerability in AttributionSource due to in..."
3de05f8d · Austin Borger · 5f3a3f2a · 3de05f8d
Commit 3de05f8d authored 2 years ago by Austin Borger
--- a/core/java/android/content/AttributionSource.java
+++ b/core/java/android/content/AttributionSource.java
@@ -31,6 +31,7 @@ import android.os.Parcelable;
 import android.os.Process;
 import android.permission.PermissionManager;
 import android.util.ArraySet;
+import android.util.Log;

 import com.android.internal.annotations.Immutable;

@@ -87,6 +88,8 @@ import java.util.Set;
 */
 @Immutable
 public final class AttributionSource implements Parcelable {
+    private static final String TAG = "AttributionSource";
+
    private static final String DESCRIPTOR = "android.content.AttributionSource";

    private static final Binder sDefaultToken = new Binder(DESCRIPTOR);
@@ -154,9 +157,20 @@ public final class AttributionSource implements Parcelable {
    AttributionSource(@NonNull Parcel in) {
        this(AttributionSourceState.CREATOR.createFromParcel(in));

-        // Since we just unpacked this object as part of it transiting a Binder
-        // call, this is the perfect time to enforce that its UID and PID can be trusted
-        enforceCallingUidAndPid();
+        if (!Binder.isDirectlyHandlingTransaction()) {
+            Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #"
+                    + mAttributionSourceState.pid + " when not handling Binder transaction; "
+                    + "clearing.");
+            mAttributionSourceState.pid = -1;
+            mAttributionSourceState.uid = -1;
+            mAttributionSourceState.packageName = null;
+            mAttributionSourceState.attributionTag = null;
+            mAttributionSourceState.next = null;
+        } else {
+            // Since we just unpacked this object as part of it transiting a Binder
+            // call, this is the perfect time to enforce that its UID and PID can be trusted
+            enforceCallingUidAndPid();
+        }
    }

    /** @hide */