From 0bf3b00898526f04fc1a07f676ce247cde360ba6 Mon Sep 17 00:00:00 2001
From: Grace Jia <xiaotonj@google.com>
Date: Thu, 18 Jun 2020 14:12:56 -0700
Subject: Fix security vulnerability of
 TelecomManager#getPhoneAccountsForPackage

Check calling package and READ_PRIVILEGED_PHONE_STATE to avoid potential
PII expotion.

Bug: 153995334
Test: atest TelecomUnitTests:TelecomServiceImpl
Change-Id: Ie834633dc4031d19af90e922ef0f111c3c8d7cb2
(cherry picked from commit 9d8d0cf3dcf741afe7ed50e60da513a47b0e8d59)
(cherry picked from commit f3f2d7c2dcb558081f02e282078c0c42c5c3e1b1)
---
 src/com/android/server/telecom/TelecomServiceImpl.java | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index ded42db9e..0db17643b 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
@@ -234,6 +234,23 @@ public class TelecomServiceImpl {
 
         @Override
         public List<PhoneAccountHandle> getPhoneAccountsForPackage(String packageName) {
+            //TODO: Deprecate this in S
+            try {
+                enforceCallingPackage(packageName);
+            } catch (SecurityException se1) {
+                EventLog.writeEvent(0x534e4554, "153995334", Binder.getCallingUid(),
+                        "getPhoneAccountsForPackage: invalid calling package");
+                throw se1;
+            }
+
+            try {
+                enforcePermission(READ_PRIVILEGED_PHONE_STATE);
+            } catch (SecurityException se2) {
+                EventLog.writeEvent(0x534e4554, "153995334", Binder.getCallingUid(),
+                        "getPhoneAccountsForPackage: no permission");
+                throw se2;
+            }
+
             synchronized (mLock) {
                 final UserHandle callingUserHandle = Binder.getCallingUserHandle();
                 long token = Binder.clearCallingIdentity();
-- 
cgit v1.2.3