diff options
| author | Jessica Wagantall <jwagantall@cyngn.com> | 2016-09-15 14:03:52 -0700 |
|---|---|---|
| committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-10-13 12:13:16 -0700 |
| commit | 7a979b3d89a29d8d28ab8860d083f87c6eb869b8 (patch) | |
| tree | e1c6db8d077c619c9ce8d0898befa19d42e96956 /CleanSpec.mk | |
| parent | 738bd044cafd5991461b354a4030dd78b2fc0c90 (diff) | |
| download | android_packages_providers_TelephonyProvider-stable/cm-12.1-YOG4P.tar.gz android_packages_providers_TelephonyProvider-stable/cm-12.1-YOG4P.tar.bz2 android_packages_providers_TelephonyProvider-stable/cm-12.1-YOG4P.zip | |
30481342: Security Vulnerability - TOCTOU in MmsProviderstable/cm-12.1-YOG4P
allows access to files as phone (radio) uid - DO NOT MERGE
Problem: MmsProvider.openFile validated the current _data column
in the DB and then called ContentProvider.openFileHelper which was again
reading from the DB. A race condition could cause the second DB read to
read an updated, malicious value.
Fix: instead of doing the first DB check and calling
ContentProvider.openFileHelper, we're now just calling
MmsProvider.safeOpenFileHelper which does a single check.
Test: used the POC provided for this incident.
CYNGNOS-3286
b/30481342
Change-Id: I653129359130b9fae59d4c355320b266c158a698
(cherry picked from commit 53ff7691e0163f730ac9410da76e5ea61fe67343)
Diffstat (limited to 'CleanSpec.mk')
0 files changed, 0 insertions, 0 deletions