Merge "RESTRICT AUTOMERGE Use consistent calling uid and package in navigateUpTo" into oc-mr1-dev

2020-03-10 17:09:54 +00:00
parent 834e880978 0d7e27af30
commit 4f486e9f0b
3 changed files with 26 additions and 5 deletions
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -6917,7 +6917,7 @@ public class ActivityManagerService extends IActivityManager.Stub
        }
    }

-    private final boolean attachApplicationLocked(IApplicationThread thread,
+    private boolean attachApplicationLocked(@NonNull IApplicationThread thread,
            int pid) {

        // Find the application record that is being attached...  either via
@@ -7222,6 +7222,9 @@ public class ActivityManagerService extends IActivityManager.Stub

    @Override
    public final void attachApplication(IApplicationThread thread) {
+        if (thread == null) {
+            throw new SecurityException("Invalid application interface");
+        }
        synchronized (this) {
            int callingPid = Binder.getCallingPid();
            final long origId = Binder.clearCallingIdentity();
--- a/services/core/java/com/android/server/am/ActivityStack.java
+++ b/services/core/java/com/android/server/am/ActivityStack.java
@@ -3961,6 +3961,11 @@ class ActivityStack<T extends StackWindowController> extends ConfigurationContai

    final boolean navigateUpToLocked(ActivityRecord srec, Intent destIntent, int resultCode,
            Intent resultData) {
+        if (srec.app == null || srec.app.thread == null) {
+            // Nothing to do if the caller is not attached, because this method should be called
+            // from an alive activity.
+            return false;
+        }
        final TaskRecord task = srec.getTask();
        final ArrayList<ActivityRecord> activities = task.mActivities;
        final int start = activities.indexOf(srec);
@@ -4012,22 +4017,22 @@ class ActivityStack<T extends StackWindowController> extends ConfigurationContai
        }

        if (parent != null && foundParentInTask) {
+            final int callingUid = srec.info.applicationInfo.uid;
            final int parentLaunchMode = parent.info.launchMode;
            final int destIntentFlags = destIntent.getFlags();
            if (parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_INSTANCE ||
                    parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TASK ||
                    parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TOP ||
                    (destIntentFlags & Intent.FLAG_ACTIVITY_CLEAR_TOP) != 0) {
-                parent.deliverNewIntentLocked(srec.info.applicationInfo.uid, destIntent,
-                        srec.packageName);
+                parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName);
            } else {
                try {
                    ActivityInfo aInfo = AppGlobals.getPackageManager().getActivityInfo(
                            destIntent.getComponent(), 0, srec.userId);
                    int res = mService.mActivityStarter.startActivityLocked(srec.app.thread,
                            destIntent, null /*ephemeralIntent*/, null, aInfo, null /*rInfo*/, null,
-                            null, parent.appToken, null, 0, -1, parent.launchedFromUid,
-                            parent.launchedFromPackage, -1, parent.launchedFromUid, 0, null,
+                            null, parent.appToken, null, 0, -1, callingUid,
+                            srec.packageName, -1, callingUid, 0, null,
                            false, true, null, null, "navigateUpTo");
                    foundParentInTask = res == ActivityManager.START_SUCCESS;
                } catch (RemoteException e) {
--- a/services/tests/servicestests/src/com/android/server/am/ActivityStackTests.java
+++ b/services/tests/servicestests/src/com/android/server/am/ActivityStackTests.java
@@ -122,4 +122,17 @@ public class ActivityStackTests extends ActivityTestsBase {
        assertEquals(task.getTopActivity(true /* includeOverlays */), taskOverlay);
        assertNotNull(result.r);
    }
+
+    @Test
+    public void testNavigateUpTo() {
+        final ActivityManagerService service = createActivityManagerService();
+        final TaskRecord task = createTask(service, testActivityComponent, TEST_STACK_ID);
+        final ActivityRecord activityRecord = createActivity(service, testActivityComponent, task);
+        activityRecord.app = new ProcessRecord(null, activityRecord.appInfo,
+                activityRecord.processName, activityRecord.getUid());
+        final ActivityStack testStack = service.mStackSupervisor.getStack(TEST_STACK_ID);
+        // No-op if the source activity record doesn't have attached process (app.thread == null).
+        assertFalse(testStack.navigateUpToLocked(activityRecord, activityRecord.intent,
+                0 /* resultCode */, null /* resultData */));
+    }
 }