From 1e1c537b8fedb73b07fc1cdbeebe535291fc448f Mon Sep 17 00:00:00 2001
From: Ruchi Kandoi <kandoiruchi@google.com>
Date: Fri, 2 Jun 2017 15:01:27 -0700
Subject: Add READ_EXTERNAL_STORAGE for file based Uri while beaming.

Test: PoC application
Bug: 37287958
Change-Id: I7f5a2f32a053f0448726aec9f8b524f914c0d8df
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit dc54140e12f441c9d7c1b5be5337d6b16bfa32e4)
CVE-2017-0784
---
 src/com/android/nfc/BeamShareActivity.java | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/com/android/nfc/BeamShareActivity.java b/src/com/android/nfc/BeamShareActivity.java
index cff601cf..6eb5d24b 100644
--- a/src/com/android/nfc/BeamShareActivity.java
+++ b/src/com/android/nfc/BeamShareActivity.java
@@ -19,6 +19,8 @@ package com.android.nfc;
 import java.util.ArrayList;
 
 import android.app.Activity;
+import android.app.ActivityManager;
+import android.app.ActivityManagerNative;
 import android.app.AlertDialog;
 import android.content.BroadcastReceiver;
 import android.content.Context;
@@ -26,6 +28,7 @@ import android.content.DialogInterface;
 import android.content.ClipData;
 import android.content.Intent;
 import android.content.IntentFilter;
+import android.content.pm.PackageManager;
 import android.net.Uri;
 import android.nfc.BeamShareData;
 import android.nfc.NdefMessage;
@@ -33,8 +36,11 @@ import android.nfc.NdefRecord;
 import android.nfc.NfcAdapter;
 import android.os.Bundle;
 import android.os.UserHandle;
+import android.os.RemoteException;
 import android.util.Log;
+import android.util.EventLog;
 import android.webkit.URLUtil;
+import android.Manifest.permission;
 
 import com.android.internal.R;
 
@@ -196,16 +202,26 @@ public class BeamShareActivity extends Activity {
             int numValidUris = 0;
             for (Uri uri : mUris) {
                 try {
+                    int uid = ActivityManagerNative.getDefault().getLaunchedFromUid(getActivityToken());
+                    if (uri.getScheme().equalsIgnoreCase("file") &&
+                            getApplicationContext().checkPermission(permission.READ_EXTERNAL_STORAGE, -1, uid) !=
+                            PackageManager.PERMISSION_GRANTED) {
+                        Log.e(TAG, "File based Uri doesn't have External Storage Permission.");
+                        EventLog.writeEvent(0x534e4554, "37287958", uid, uri.getPath());
+                        break;
+                    }
                     grantUriPermission("com.android.nfc", uri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
                     uriArray[numValidUris++] = uri;
                     if (DBG) Log.d(TAG, "Found uri: " + uri);
                 } catch (SecurityException e) {
                     Log.e(TAG, "Security exception granting uri permission to NFC process.");
-                    numValidUris = 0;
+                    break;
+                } catch (RemoteException e) {
+                    Log.e(TAG, "Remote exception accessing uid of the calling process.");
                     break;
                 }
             }
-            if (numValidUris > 0) {
+            if (numValidUris != 0 && numValidUris == mUris.size()) {
                 shareData = new BeamShareData(null, uriArray, myUserHandle, 0);
             } else {
                 // No uris left
-- 
cgit v1.2.3