From 4f58233004f2068c3f23863715a1355b88875851 Mon Sep 17 00:00:00 2001
From: Soonil Nagarkar <sooniln@google.com>
Date: Tue, 1 Jun 2021 23:18:03 -0700
Subject: [PATCH] Fix two location bugs

-Telephony service accessed before it's ready.
-Checking binder UID after clearing calling identity.

Bug: 189305487
Bug: 189820484
Test: manual
Change-Id: I0b36418656df202f1ad48b78cb6012248b423c22
---
 .../injector/SystemEmergencyHelper.java       | 30 ++++++++++++-------
 .../provider/LocationProviderManager.java     | 16 +++++-----
 2 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/services/core/java/com/android/server/location/injector/SystemEmergencyHelper.java b/services/core/java/com/android/server/location/injector/SystemEmergencyHelper.java
index a34d7226136a7..70a222fb09c55 100644
--- a/services/core/java/com/android/server/location/injector/SystemEmergencyHelper.java
+++ b/services/core/java/com/android/server/location/injector/SystemEmergencyHelper.java
@@ -35,17 +35,17 @@ public class SystemEmergencyHelper extends EmergencyHelper {
 
     private final Context mContext;
 
-    private TelephonyManager mTelephonyManager;
+    TelephonyManager mTelephonyManager;
 
-    private boolean mIsInEmergencyCall;
-    private long mEmergencyCallEndRealtimeMs = Long.MIN_VALUE;
+    boolean mIsInEmergencyCall;
+    long mEmergencyCallEndRealtimeMs = Long.MIN_VALUE;
 
     public SystemEmergencyHelper(Context context) {
         mContext = context;
     }
 
     /** Called when system is ready. */
-    public void onSystemReady() {
+    public synchronized void onSystemReady() {
         if (mTelephonyManager != null) {
             return;
         }
@@ -64,14 +64,20 @@ public class SystemEmergencyHelper extends EmergencyHelper {
                     return;
                 }
 
-                mIsInEmergencyCall = mTelephonyManager.isEmergencyNumber(
-                        intent.getStringExtra(Intent.EXTRA_PHONE_NUMBER));
+                synchronized (SystemEmergencyHelper.this) {
+                    mIsInEmergencyCall = mTelephonyManager.isEmergencyNumber(
+                            intent.getStringExtra(Intent.EXTRA_PHONE_NUMBER));
+                }
             }
         }, new IntentFilter(Intent.ACTION_NEW_OUTGOING_CALL));
     }
 
     @Override
-    public boolean isInEmergency(long extensionTimeMs) {
+    public synchronized boolean isInEmergency(long extensionTimeMs) {
+        if (mTelephonyManager == null) {
+            return false;
+        }
+
         boolean isInExtensionTime = mEmergencyCallEndRealtimeMs != Long.MIN_VALUE
                 && (SystemClock.elapsedRealtime() - mEmergencyCallEndRealtimeMs) < extensionTimeMs;
 
@@ -84,12 +90,16 @@ public class SystemEmergencyHelper extends EmergencyHelper {
     private class EmergencyCallTelephonyCallback extends TelephonyCallback implements
             TelephonyCallback.CallStateListener{
 
+        EmergencyCallTelephonyCallback() {}
+
         @Override
         public void onCallStateChanged(int state) {
             if (state == TelephonyManager.CALL_STATE_IDLE) {
-                if (mIsInEmergencyCall) {
-                    mEmergencyCallEndRealtimeMs = SystemClock.elapsedRealtime();
-                    mIsInEmergencyCall = false;
+                synchronized (SystemEmergencyHelper.this) {
+                    if (mIsInEmergencyCall) {
+                        mEmergencyCallEndRealtimeMs = SystemClock.elapsedRealtime();
+                        mIsInEmergencyCall = false;
+                    }
                 }
             }
         }
diff --git a/services/core/java/com/android/server/location/provider/LocationProviderManager.java b/services/core/java/com/android/server/location/provider/LocationProviderManager.java
index 6d7f792507150..4f8b87b512944 100644
--- a/services/core/java/com/android/server/location/provider/LocationProviderManager.java
+++ b/services/core/java/com/android/server/location/provider/LocationProviderManager.java
@@ -1527,16 +1527,16 @@ public class LocationProviderManager extends
                 throw new IllegalArgumentException(mName + " provider is not a test provider");
             }
 
+            String locationProvider = location.getProvider();
+            if (!TextUtils.isEmpty(locationProvider) && !mName.equals(locationProvider)) {
+                // The location has an explicit provider that is different from the mock
+                // provider name. The caller may be trying to fool us via b/33091107.
+                EventLog.writeEvent(0x534e4554, "33091107", Binder.getCallingUid(),
+                        mName + "!=" + locationProvider);
+            }
+
             final long identity = Binder.clearCallingIdentity();
             try {
-                String locationProvider = location.getProvider();
-                if (!TextUtils.isEmpty(locationProvider) && !mName.equals(locationProvider)) {
-                    // The location has an explicit provider that is different from the mock
-                    // provider name. The caller may be trying to fool us via b/33091107.
-                    EventLog.writeEvent(0x534e4554, "33091107", Binder.getCallingUid(),
-                            mName + "!=" + locationProvider);
-                }
-
                 mProvider.setMockProviderLocation(location);
             } finally {
                 Binder.restoreCallingIdentity(identity);