From 74b7cbc0324ef4caac53dc46405f0e24a705e0cb Mon Sep 17 00:00:00 2001
From: Malcolm Chen
Date: Tue, 16 Oct 2018 18:18:51 -0700
Subject: [PATCH] Clear calling identity in callback.

In SubscriptionManager, when onSubscriptionsChanged is called when opportunistic subscriptions change, clear calling identity. Otherwise mExecutor is executed with phone process identity which can be a security issue.
Test: build
Bug: 117794788
Change-Id: I766cdc89f0421265cab00dc40d53f355deb7b92b
---
 .../java/android/telephony/SubscriptionManager.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/telephony/java/android/telephony/SubscriptionManager.java b/telephony/java/android/telephony/SubscriptionManager.java
index 7f87c4df83133..b0682370d0a20 100644
--- a/telephony/java/android/telephony/SubscriptionManager.java
+++ b/telephony/java/android/telephony/SubscriptionManager.java
@@ -43,6 +43,7 @@ import android.database.ContentObserver;
 import android.net.INetworkPolicyManager;
 import android.net.NetworkCapabilities;
 import android.net.Uri;
+import android.os.Binder;
 import android.os.Build;
 import android.os.Handler;
 import android.os.Looper;
@@ -781,8 +782,13 @@ public class SubscriptionManager {
 IOnSubscriptionsChangedListener callback = new IOnSubscriptionsChangedListener.Stub() {
 @Override
 public void onSubscriptionsChanged() {
- if (DBG) log("onOpportunisticSubscriptionsChanged callback received.");
- mExecutor.execute(() -> onOpportunisticSubscriptionsChanged());
+ final long identity = Binder.clearCallingIdentity();
+ try {
+ if (DBG) log("onOpportunisticSubscriptionsChanged callback received.");
+ mExecutor.execute(() -> onOpportunisticSubscriptionsChanged());
+ } finally {
+ Binder.restoreCallingIdentity(identity);
+ }
 }
 };
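Review bot: The new try/finally in `onSubscriptionsChanged()` carries no comment saying why the identity is cleared, and the reason only follows from how `mExecutor` behaves: if it runs tasks inline, `onOpportunisticSubscriptionsChanged()` executes on the incoming binder thread while the remote caller's identity is still in effect. I would add above the `clearCallingIdentity()` line: `// mExecutor may run inline on this binder thread; drop the caller's (phone process) identity so listener code runs as the local app.` The commit is verified with "Test: build" only, so a test that registers the listener with a direct executor and checks `Binder.getCallingUid() == Process.myUid()` inside the callback would pin the behaviour. Any other Stub callbacks in SubscriptionManager that dispatch to an executor lie outside this hunk and may need the same wrapper; that cannot be confirmed from the lines shown.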