Fix vulnerability in AttributionSource due to incorrect Binder call

AttributionSource uses Binder.getCallingUid to verify the UID of the caller from another process. However, getCallingUid does not always behave as expected. If the AttributionSource is unparceled outside a transaction thread, which is quite possible, getCallingUid will return the UID of the current process instead. If this is a system process, the UID check gets bypassed entirely, meaning any uid can be provided. This patch fixes the vulnerability by enforcing that the AttributionSource be unparceled in a transaction only. If it is not, a SecurityException will be thrown. Bug: 267231571 Test: Smoke test on cuttlefish. Test: v2/android-virtual-infra/test_mapping/presubmit-avd Change-Id: Iee28c3901ee1041e00dca444c37c90d619e19b26 Merged-In: I3f228064fbd62e1c907f1ebe870cb61102f788f0 Merged-In: Ic301a8518b8e57e1c9a2c9f2f845e51dca145257

Fix vulnerability in AttributionSource due to incorrect Binder call
694ba528 · Austin Borger · e86f8e00 · 694ba528
Commit 694ba528 authored 1 year ago by Austin Borger
--- a/core/java/android/content/AttributionSource.java
+++ b/core/java/android/content/AttributionSource.java
@@ -30,6 +30,7 @@ import android.os.Parcelable;
 import android.os.Process;
 import android.permission.PermissionManager;
 import android.util.ArraySet;
+import android.util.Log;

 import com.android.internal.annotations.Immutable;

@@ -86,6 +87,8 @@ import java.util.Set;
 */
 @Immutable
 public final class AttributionSource implements Parcelable {
+    private static final String TAG = "AttributionSource";
+
    private static final String DESCRIPTOR = "android.content.AttributionSource";

    private static final Binder sDefaultToken = new Binder(DESCRIPTOR);
@@ -153,9 +156,20 @@ public final class AttributionSource implements Parcelable {
    AttributionSource(@NonNull Parcel in) {
        this(AttributionSourceState.CREATOR.createFromParcel(in));

-        // Since we just unpacked this object as part of it transiting a Binder
-        // call, this is the perfect time to enforce that its UID and PID can be trusted
-        enforceCallingUidAndPid();
+        if (!Binder.isHandlingTransaction()) {
+            Log.e(TAG, "Unable to verify calling UID #" + mAttributionSourceState.uid + " PID #"
+                    + mAttributionSourceState.pid + " when not handling Binder transaction; "
+                    + "clearing.");
+            mAttributionSourceState.pid = -1;
+            mAttributionSourceState.uid = -1;
+            mAttributionSourceState.packageName = null;
+            mAttributionSourceState.attributionTag = null;
+            mAttributionSourceState.next = null;
+        } else {
+            // Since we just unpacked this object as part of it transiting a Binder
+            // call, this is the perfect time to enforce that its UID and PID can be trusted
+            enforceCallingUidAndPid();
+        }
    }

    /** @hide */