Fix permission bypasses to multiple methods
Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions. Add null checks, and correct tests which assumed a null was a valid input. Bug: 242996380 Test: atest UtilsTest Test: researcher POC Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8098771bca75166d06f9591d0d2110ed089ee6a7) Merged-In: I76f49fee440726a7c0714385564ddf0e3e8522b5 Change-Id: I76f49fee440726a7c0714385564ddf0e3e8522b5
Showing
- android/app/src/com/android/bluetooth/Utils.java 16 additions, 16 deletionsandroid/app/src/com/android/bluetooth/Utils.java
- android/app/tests/unit/src/com/android/bluetooth/UtilsTest.java 9 additions, 4 deletions...d/app/tests/unit/src/com/android/bluetooth/UtilsTest.java
- service/src/com/android/server/bluetooth/BtPermissionUtils.java 3 additions, 1 deletion...e/src/com/android/server/bluetooth/BtPermissionUtils.java
Loading
Please register or sign in to comment