|
| 1 | +From 4d44ce217689f09160a93a1c37d63caaa2410d33 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Gowtham Anandha Babu <gowtham.anandha.babu@intel.com> |
| 3 | +Date: Thu, 6 Mar 2025 16:13:25 +0530 |
| 4 | +Subject: [PATCH] Fix apps being able to turn on bluetooth scanning |
| 5 | + |
| 6 | +Any apps can get Bluetooth device picker activity and enable |
| 7 | +always discoverable and connectable scanning, which is vulnerable |
| 8 | +as anyone can connect to it. |
| 9 | + |
| 10 | +Fixes CVE_2022_20429 vulnerability issue by allowing only settings and |
| 11 | +system UI packages to turn on always discoverable BT scanning. |
| 12 | + |
| 13 | +Cherry picked from |
| 14 | +https://cs.android.com/android/_/android/platform/packages/apps/Car/Settings/+/7adb8ff6d30a1ab8f83c7b1fbddf04d76cfd9642 |
| 15 | + |
| 16 | +Tests-done: |
| 17 | +1. Flash AAOS |
| 18 | +2. BT on success |
| 19 | +3. run android.security.cts.CVE_2022_20429.CVE_2022_20429#testPocCVE_2022_20429 |
| 20 | +4. Test pass |
| 21 | + |
| 22 | +Tracked-On: OAM-130677 |
| 23 | +Signed-off-by: Gowtham Anandha Babu <gowtham.anandha.babu@intel.com> |
| 24 | +--- |
| 25 | + ...nningDevicesGroupPreferenceController.java | 24 ++++++++++++- |
| 26 | + .../settings/bluetooth/BluetoothUtils.java | 34 +++++++++++++++++++ |
| 27 | + .../bluetooth/BluetoothUtilsTest.java | 26 ++++++++++++++ |
| 28 | + 3 files changed, 83 insertions(+), 1 deletion(-) |
| 29 | + |
| 30 | +diff --git a/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java b/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java |
| 31 | +index 42155781a..1fdda0ebf 100644 |
| 32 | +--- a/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java |
| 33 | ++++ b/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java |
| 34 | +@@ -18,6 +18,7 @@ package com.android.car.settings.bluetooth; |
| 35 | + |
| 36 | + import static android.os.UserManager.DISALLOW_CONFIG_BLUETOOTH; |
| 37 | + |
| 38 | ++import android.app.ActivityManager; |
| 39 | + import android.bluetooth.BluetoothAdapter; |
| 40 | + import android.bluetooth.BluetoothDevice; |
| 41 | + import android.bluetooth.BluetoothManager; |
| 42 | +@@ -26,6 +27,8 @@ import android.content.BroadcastReceiver; |
| 43 | + import android.content.Context; |
| 44 | + import android.content.Intent; |
| 45 | + import android.content.IntentFilter; |
| 46 | ++import android.os.IBinder; |
| 47 | ++import android.os.RemoteException; |
| 48 | + |
| 49 | + import androidx.preference.PreferenceGroup; |
| 50 | + |
| 51 | +@@ -48,6 +51,8 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends |
| 52 | + |
| 53 | + protected final BluetoothAdapter mBluetoothAdapter; |
| 54 | + private final AlwaysDiscoverable mAlwaysDiscoverable; |
| 55 | ++ private final String mCallingAppPackageName; |
| 56 | ++ |
| 57 | + private boolean mIsScanningEnabled; |
| 58 | + |
| 59 | + public BluetoothScanningDevicesGroupPreferenceController(Context context, String preferenceKey, |
| 60 | +@@ -55,6 +60,7 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends |
| 61 | + super(context, preferenceKey, fragmentController, uxRestrictions); |
| 62 | + mBluetoothAdapter = getContext().getSystemService(BluetoothManager.class).getAdapter(); |
| 63 | + mAlwaysDiscoverable = new AlwaysDiscoverable(context, mBluetoothAdapter); |
| 64 | ++ mCallingAppPackageName = getCallingAppPackageName(getContext().getActivityToken()); |
| 65 | + } |
| 66 | + |
| 67 | + @Override |
| 68 | +@@ -122,7 +128,13 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends |
| 69 | + if (!mBluetoothAdapter.isDiscovering()) { |
| 70 | + mBluetoothAdapter.startDiscovery(); |
| 71 | + } |
| 72 | +- mAlwaysDiscoverable.start(); |
| 73 | ++ |
| 74 | ++ if (BluetoothUtils.shouldEnableBTScanning(getContext(), mCallingAppPackageName)) { |
| 75 | ++ mAlwaysDiscoverable.start(); |
| 76 | ++ } else { |
| 77 | ++ LOG.d("Not enabling bluetooth scanning. Calling application " + mCallingAppPackageName |
| 78 | ++ + " is not Settings or SystemUi"); |
| 79 | ++ } |
| 80 | + getPreference().setEnabled(true); |
| 81 | + } |
| 82 | + |
| 83 | +@@ -154,6 +166,16 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends |
| 84 | + refreshUi(); |
| 85 | + } |
| 86 | + |
| 87 | ++ private String getCallingAppPackageName(IBinder activityToken) { |
| 88 | ++ String pkg = null; |
| 89 | ++ try { |
| 90 | ++ pkg = ActivityManager.getService().getLaunchedFromPackage(activityToken); |
| 91 | ++ } catch (RemoteException e) { |
| 92 | ++ LOG.e("Could not talk to activity manager.", e); |
| 93 | ++ } |
| 94 | ++ return pkg; |
| 95 | ++ } |
| 96 | ++ |
| 97 | + /** |
| 98 | + * Helper class to keep the {@link BluetoothAdapter} in discoverable mode indefinitely. By |
| 99 | + * default, setting the scan mode to BluetoothAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE will |
| 100 | +diff --git a/src/com/android/car/settings/bluetooth/BluetoothUtils.java b/src/com/android/car/settings/bluetooth/BluetoothUtils.java |
| 101 | +index e2ac15103..e33fea6e8 100644 |
| 102 | +--- a/src/com/android/car/settings/bluetooth/BluetoothUtils.java |
| 103 | ++++ b/src/com/android/car/settings/bluetooth/BluetoothUtils.java |
| 104 | +@@ -25,6 +25,7 @@ import static com.android.car.settings.enterprise.ActionDisabledByAdminDialogFra |
| 105 | + import static com.android.car.settings.enterprise.EnterpriseUtils.hasUserRestrictionByDpm; |
| 106 | + import static com.android.car.settings.enterprise.EnterpriseUtils.hasUserRestrictionByUm; |
| 107 | + |
| 108 | ++import android.content.ComponentName; |
| 109 | + import android.content.Context; |
| 110 | + import android.content.SharedPreferences; |
| 111 | + import android.content.res.Configuration; |
| 112 | +@@ -221,4 +222,37 @@ final class BluetoothUtils { |
| 113 | + public static LocalBluetoothManager getLocalBtManager(Context context) { |
| 114 | + return LocalBluetoothManager.getInstance(context, mOnInitCallback); |
| 115 | + } |
| 116 | ++ |
| 117 | ++ /** |
| 118 | ++ * Determines whether to enable bluetooth scanning or not depending on the calling package. The |
| 119 | ++ * calling package should be Settings or SystemUi. |
| 120 | ++ * |
| 121 | ++ * @param context The context to call |
| 122 | ++ * @param callingPackageName The package name of the calling activity |
| 123 | ++ * @return Whether bluetooth scanning should be enabled |
| 124 | ++ */ |
| 125 | ++ public static boolean shouldEnableBTScanning(Context context, String callingPackageName) { |
| 126 | ++ // Find Settings package name |
| 127 | ++ String settingsPackageName = context.getPackageName(); |
| 128 | ++ |
| 129 | ++ // Find SystemUi package name |
| 130 | ++ String systemUiPackageName; |
| 131 | ++ String flattenName = context.getResources() |
| 132 | ++ .getString(com.android.internal.R.string.config_systemUIServiceComponent); |
| 133 | ++ if (TextUtils.isEmpty(flattenName)) { |
| 134 | ++ throw new IllegalStateException("No " |
| 135 | ++ + "com.android.internal.R.string.config_systemUIServiceComponent resource"); |
| 136 | ++ } |
| 137 | ++ try { |
| 138 | ++ ComponentName componentName = ComponentName.unflattenFromString(flattenName); |
| 139 | ++ systemUiPackageName = componentName.getPackageName(); |
| 140 | ++ } catch (RuntimeException e) { |
| 141 | ++ throw new IllegalStateException("Invalid component name defined by " |
| 142 | ++ + "com.android.internal.R.string.config_systemUIServiceComponent resource: " |
| 143 | ++ + flattenName); |
| 144 | ++ } |
| 145 | ++ |
| 146 | ++ return TextUtils.equals(callingPackageName, settingsPackageName) |
| 147 | ++ || TextUtils.equals(callingPackageName, systemUiPackageName); |
| 148 | ++ } |
| 149 | + } |
| 150 | +diff --git a/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java b/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java |
| 151 | +index acca314fe..f283936ce 100644 |
| 152 | +--- a/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java |
| 153 | ++++ b/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java |
| 154 | +@@ -22,10 +22,12 @@ import static com.android.car.settings.common.PreferenceController.DISABLED_FOR_ |
| 155 | + |
| 156 | + import static com.google.common.truth.Truth.assertThat; |
| 157 | + |
| 158 | ++import static org.mockito.ArgumentMatchers.anyInt; |
| 159 | + import static org.mockito.Mockito.spy; |
| 160 | + import static org.mockito.Mockito.when; |
| 161 | + |
| 162 | + import android.content.Context; |
| 163 | ++import android.content.res.Resources; |
| 164 | + import android.os.UserManager; |
| 165 | + |
| 166 | + import androidx.test.core.app.ApplicationProvider; |
| 167 | +@@ -44,15 +46,21 @@ public final class BluetoothUtilsTest { |
| 168 | + |
| 169 | + private static final String TEST_RESTRICTION = |
| 170 | + android.os.UserManager.DISALLOW_CONFIG_BLUETOOTH; |
| 171 | ++ private static final String SYSTEM_UI_PACKAGE_NAME = "com.package.systemui"; |
| 172 | ++ private static final String SYSTEM_UI_COMPONENT_NAME = "com.package.systemui/testclass"; |
| 173 | + private final Context mContext = spy(ApplicationProvider.getApplicationContext()); |
| 174 | + |
| 175 | + @Mock |
| 176 | + private UserManager mMockUserManager; |
| 177 | ++ @Mock |
| 178 | ++ private Resources mMockResources; |
| 179 | + |
| 180 | + @Before |
| 181 | + public void setUp() { |
| 182 | + MockitoAnnotations.initMocks(this); |
| 183 | + when(mContext.getSystemService(UserManager.class)).thenReturn(mMockUserManager); |
| 184 | ++ when(mContext.getResources()).thenReturn(mMockResources); |
| 185 | ++ when(mMockResources.getString(anyInt())).thenReturn(SYSTEM_UI_COMPONENT_NAME); |
| 186 | + } |
| 187 | + |
| 188 | + @Test |
| 189 | +@@ -87,4 +95,22 @@ public final class BluetoothUtilsTest { |
| 190 | + assertThat(BluetoothUtils.getAvailabilityStatusRestricted(mContext)) |
| 191 | + .isEqualTo(DISABLED_FOR_PROFILE); |
| 192 | + } |
| 193 | ++ |
| 194 | ++ @Test |
| 195 | ++ public void isSystemCallingPackage_shouldEnableBluetoothScanning() { |
| 196 | ++ String settingsPackage = mContext.getPackageName(); |
| 197 | ++ |
| 198 | ++ assertThat(BluetoothUtils.shouldEnableBTScanning(mContext, settingsPackage)) |
| 199 | ++ .isEqualTo(true); |
| 200 | ++ assertThat(BluetoothUtils.shouldEnableBTScanning(mContext, SYSTEM_UI_PACKAGE_NAME)) |
| 201 | ++ .isEqualTo(true); |
| 202 | ++ } |
| 203 | ++ |
| 204 | ++ @Test |
| 205 | ++ public void isNotSystemCallingPackage_shouldNotEnableBluetoothScanning() { |
| 206 | ++ String fakePackage = "not.real.package"; |
| 207 | ++ |
| 208 | ++ assertThat(BluetoothUtils.shouldEnableBTScanning(mContext, fakePackage)) |
| 209 | ++ .isEqualTo(false); |
| 210 | ++ } |
| 211 | + } |
| 212 | +-- |
| 213 | +2.17.1 |
| 214 | + |
0 commit comments