From b1da27f8416abdf1bc2efc0c196e33a34b719fa1 Mon Sep 17 00:00:00 2001
From: Gowtham Anandha Babu
Date: Thu, 6 Mar 2025 16:57:06 +0530
Subject: [PATCH] Fix apps being able to turn on bluetooth scanning

Any apps can get Bluetooth device picker activity and enable always discoverable and connectable scanning, which is vulnerable as anyone can connect to it.

Fixes CVE_2022_20429 vulnerability issue by allowing only settings and system UI packages to turn on always discoverable BT scanning.

Cherry picked from https://cs.android.com/android/_/android/platform/packages/apps/Car/Settings/+/7adb8ff6d30a1ab8f83c7b1fbddf04d76cfd9642

Tests-done:
1. Flash AAOS
2. BT on success
3. run android.security.cts.CVE_2022_20429.CVE_2022_20429#testPocCVE_2022_20429
4. Test pass

Tracked-On: OAM-130036
Signed-off-by: Gowtham Anandha Babu
---
...g-able-to-turn-on-bluetooth-scanning.patch | 214 ++++++++++++++++++
1 file changed, 214 insertions(+)
create mode 100644 aosp_diff/preliminary/packages/apps/Car/Settings/0004-Fix-apps-being-able-to-turn-on-bluetooth-scanning.patch

diff --git a/aosp_diff/preliminary/packages/apps/Car/Settings/0004-Fix-apps-being-able-to-turn-on-bluetooth-scanning.patch b/aosp_diff/preliminary/packages/apps/Car/Settings/0004-Fix-apps-being-able-to-turn-on-bluetooth-scanning.patch
new file mode 100644
index 0000000000..8fb65e60d9
--- /dev/null
+++ b/aosp_diff/preliminary/packages/apps/Car/Settings/0004-Fix-apps-being-able-to-turn-on-bluetooth-scanning.patch
@@ -0,0 +1,214 @@
+From 736b46495970b2c60d744b582d28abd2325b7b61 Mon Sep 17 00:00:00 2001
+From: Gowtham Anandha Babu
+Date: Thu, 6 Mar 2025 16:13:25 +0530
+Subject: [PATCH] Fix apps being able to turn on bluetooth scanning
+
+Any apps can get Bluetooth device picker activity and enable
+always discoverable and connectable scanning, which is vulnerable
+as anyone can connect to it.
+
+Fixes CVE_2022_20429 vulnerability issue by allowing only settings and
+system UI packages to turn on always discoverable BT scanning.
+
+Cherry picked from
+https://cs.android.com/android/_/android/platform/packages/apps/Car/Settings/+/7adb8ff6d30a1ab8f83c7b1fbddf04d76cfd9642
+
+Tests-done:
+1. Flash AAOS
+2. BT on success
+3. run android.security.cts.CVE_2022_20429.CVE_2022_20429#testPocCVE_2022_20429
+4. Test pass
+
+Tracked-On: OAM-130036
+Signed-off-by: Gowtham Anandha Babu
+---
+ ...nningDevicesGroupPreferenceController.java | 24 ++++++++++++-
+ .../settings/bluetooth/BluetoothUtils.java | 34 +++++++++++++++++++
+ .../bluetooth/BluetoothUtilsTest.java | 26 ++++++++++++++
+ 3 files changed, 83 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java b/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java
+index 42155781a..1fdda0ebf 100644
+--- a/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java
++++ b/src/com/android/car/settings/bluetooth/BluetoothScanningDevicesGroupPreferenceController.java
+@@ -18,6 +18,7 @@ package com.android.car.settings.bluetooth;
+
+ import static android.os.UserManager.DISALLOW_CONFIG_BLUETOOTH;
+
++import android.app.ActivityManager;
+ import android.bluetooth.BluetoothAdapter;
+ import android.bluetooth.BluetoothDevice;
+ import android.bluetooth.BluetoothManager;
+@@ -26,6 +27,8 @@ import android.content.BroadcastReceiver;
+ import android.content.Context;
+ import android.content.Intent;
+ import android.content.IntentFilter;
++import android.os.IBinder;
++import android.os.RemoteException;
+
+ import androidx.preference.PreferenceGroup;
+
+@@ -48,6 +51,8 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends
+
+ protected final BluetoothAdapter mBluetoothAdapter;
+ private final AlwaysDiscoverable mAlwaysDiscoverable;
++ private final String mCallingAppPackageName;
++
+ private boolean mIsScanningEnabled;
+
+ public BluetoothScanningDevicesGroupPreferenceController(Context context, String preferenceKey,
+@@ -55,6 +60,7 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends
+ super(context, preferenceKey, fragmentController, uxRestrictions);
+ mBluetoothAdapter = getContext().getSystemService(BluetoothManager.class).getAdapter();
+ mAlwaysDiscoverable = new AlwaysDiscoverable(context, mBluetoothAdapter);
++ mCallingAppPackageName = getCallingAppPackageName(getContext().getActivityToken());
+ }
+
+ @Override
+@@ -122,7 +128,13 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends
+ if (!mBluetoothAdapter.isDiscovering()) {
+ mBluetoothAdapter.startDiscovery();
+ }
+- mAlwaysDiscoverable.start();
++
++ if (BluetoothUtils.shouldEnableBTScanning(getContext(), mCallingAppPackageName)) {
++ mAlwaysDiscoverable.start();
++ } else {
++ LOG.d("Not enabling bluetooth scanning. Calling application " + mCallingAppPackageName
++ + " is not Settings or SystemUi");
++ }
+ getPreference().setEnabled(true);
+ }
+
+@@ -154,6 +166,16 @@ public abstract class BluetoothScanningDevicesGroupPreferenceController extends
+ refreshUi();
+ }
+
++ private String getCallingAppPackageName(IBinder activityToken) {
++ String pkg = null;
++ try {
++ pkg = ActivityManager.getService().getLaunchedFromPackage(activityToken);
++ } catch (RemoteException e) {
++ LOG.e("Could not talk to activity manager.", e);
++ }
++ return pkg;
++ }
++
+ /**
+ * Helper class to keep the {@link BluetoothAdapter} in discoverable mode indefinitely. By
+ * default, setting the scan mode to BluetoothAdapter.SCAN_MODE_CONNECTABLE_DISCOVERABLE will
+diff --git a/src/com/android/car/settings/bluetooth/BluetoothUtils.java b/src/com/android/car/settings/bluetooth/BluetoothUtils.java
+index e2ac15103..e33fea6e8 100644
+--- a/src/com/android/car/settings/bluetooth/BluetoothUtils.java
++++ b/src/com/android/car/settings/bluetooth/BluetoothUtils.java
+@@ -25,6 +25,7 @@ import static com.android.car.settings.enterprise.ActionDisabledByAdminDialogFra
+ import static com.android.car.settings.enterprise.EnterpriseUtils.hasUserRestrictionByDpm;
+ import static com.android.car.settings.enterprise.EnterpriseUtils.hasUserRestrictionByUm;
+
++import android.content.ComponentName;
+ import android.content.Context;
+ import android.content.SharedPreferences;
+ import android.content.res.Configuration;
+@@ -221,4 +222,37 @@ final class BluetoothUtils {
+ public static LocalBluetoothManager getLocalBtManager(Context context) {
+ return LocalBluetoothManager.getInstance(context, mOnInitCallback);
+ }
++
++ /**
++ * Determines whether to enable bluetooth scanning or not depending on the calling package. The
++ * calling package should be Settings or SystemUi.
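Review bot: The debug message in the new else branch of the `@@ -122,7 +128,13 @@` hunk says bluetooth scanning is not being enabled, but `mBluetoothAdapter.startDiscovery()` just above it still runs for every caller; only `mAlwaysDiscoverable.start()` is withheld. The helper name `shouldEnableBTScanning` in BluetoothUtils.java carries the same mismatch. I would word the log after what is actually skipped, `LOG.d("Not enabling always-discoverable mode. Calling application " + mCallingAppPackageName`, and put a comment above the check: `// Only Settings and SystemUI may keep the adapter discoverable; other callers get discovery only.` The enclosing method starts outside the hunk.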
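Review bot: `getCallingAppPackageName` in the `@@ -154,6 +166,16 @@` hunk returns null when the activity manager call throws, and nothing states that null is meant to deny. The value is stored by the constructor and later compared with `TextUtils.equals` in `shouldEnableBTScanning`, where a null matches neither allowed package, so the path is fail-closed only by implication. A comment on the method would protect that from a later refactor: `// Returns null if the launching package cannot be determined; callers must treat null as untrusted.` The package is resolved once in the constructor from `getContext().getActivityToken()`; presumably the token can be null when the context is not an activity, which should end in the same denial and is worth confirming.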
++ *
++ * @param context The context to call
++ * @param callingPackageName The package name of the calling activity
++ * @return Whether bluetooth scanning should be enabled
++ */
++ public static boolean shouldEnableBTScanning(Context context, String callingPackageName) {
++ // Find Settings package name
++ String settingsPackageName = context.getPackageName();
++
++ // Find SystemUi package name
++ String systemUiPackageName;
++ String flattenName = context.getResources()
++ .getString(com.android.internal.R.string.config_systemUIServiceComponent);
++ if (TextUtils.isEmpty(flattenName)) {
++ throw new IllegalStateException("No "
++ + "com.android.internal.R.string.config_systemUIServiceComponent resource");
++ }
++ try {
++ ComponentName componentName = ComponentName.unflattenFromString(flattenName);
++ systemUiPackageName = componentName.getPackageName();
++ } catch (RuntimeException e) {
++ throw new IllegalStateException("Invalid component name defined by "
++ + "com.android.internal.R.string.config_systemUIServiceComponent resource: "
++ + flattenName);
++ }
++
++ return TextUtils.equals(callingPackageName, settingsPackageName)
++ || TextUtils.equals(callingPackageName, systemUiPackageName);
++ }
+ }
+diff --git a/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java b/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java
+index acca314fe..f283936ce 100644
+--- a/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java
++++ b/tests/unit/src/com/android/car/settings/bluetooth/BluetoothUtilsTest.java
+@@ -22,10 +22,12 @@ import static com.android.car.settings.common.PreferenceController.DISABLED_FOR_
+
+ import static com.google.common.truth.Truth.assertThat;
+
++import static org.mockito.ArgumentMatchers.anyInt;
+ import static org.mockito.Mockito.spy;
+ import static org.mockito.Mockito.when;
+
+ import android.content.Context;
++import android.content.res.Resources;
+ import android.os.UserManager;
+
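Review bot: The `catch (RuntimeException e)` in `shouldEnableBTScanning` drops the caught exception and depends on a NullPointerException to detect a malformed resource, because `ComponentName.unflattenFromString` returns null for a string it cannot parse. An explicit `if (componentName == null)` guard that throws the same IllegalStateException is clearer, and if the catch stays, `e` should be passed as the cause. Both throws are reached from the controller's enable-scanning path, so a bad overlay value would presumably take down the Bluetooth screen instead of just denying discoverability; falling back to the Settings-package comparison alone when the SystemUI component cannot be resolved may be the safer failure mode. The javadoc should also say that a null `callingPackageName` yields false. The enclosing class starts outside the hunk.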
+ import androidx.test.core.app.ApplicationProvider;
+@@ -44,15 +46,21 @@ public final class BluetoothUtilsTest {
+
+ private static final String TEST_RESTRICTION =
+ android.os.UserManager.DISALLOW_CONFIG_BLUETOOTH;
++ private static final String SYSTEM_UI_PACKAGE_NAME = "com.package.systemui";
++ private static final String SYSTEM_UI_COMPONENT_NAME = "com.package.systemui/testclass";
+ private final Context mContext = spy(ApplicationProvider.getApplicationContext());
+
+ @Mock
+ private UserManager mMockUserManager;
++ @Mock
++ private Resources mMockResources;
+
+ @Before
+ public void setUp() {
+ MockitoAnnotations.initMocks(this);
+ when(mContext.getSystemService(UserManager.class)).thenReturn(mMockUserManager);
++ when(mContext.getResources()).thenReturn(mMockResources);
++ when(mMockResources.getString(anyInt())).thenReturn(SYSTEM_UI_COMPONENT_NAME);
+ }
+
+ @Test
+@@ -87,4 +95,22 @@ public final class BluetoothUtilsTest {
+ assertThat(BluetoothUtils.getAvailabilityStatusRestricted(mContext))
+ .isEqualTo(DISABLED_FOR_PROFILE);
+ }
++
++ @Test
++ public void isSystemCallingPackage_shouldEnableBluetoothScanning() {
++ String settingsPackage = mContext.getPackageName();
++
++ assertThat(BluetoothUtils.shouldEnableBTScanning(mContext, settingsPackage))
++ .isEqualTo(true);
++ assertThat(BluetoothUtils.shouldEnableBTScanning(mContext, SYSTEM_UI_PACKAGE_NAME))
++ .isEqualTo(true);
++ }
++
++ @Test
++ public void isNotSystemCallingPackage_shouldNotEnableBluetoothScanning() {
++ String fakePackage = "not.real.package";
++
++ assertThat(BluetoothUtils.shouldEnableBTScanning(mContext, fakePackage))
++ .isEqualTo(false);
++ }
+ }
+--
+2.17.1
+
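Review bot: Neither test added in the `@@ -87,4 +95,22 @@` hunk passes a null calling package, which is what the controller hands over when `getLaunchedFromPackage` fails, so the deny-on-unknown behaviour is not pinned. A third case would cover it: `assertThat(BluetoothUtils.shouldEnableBTScanning(mContext, null)).isFalse();`. In `setUp` (the `@@ -44,15 +46,21 @@` hunk), `when(mMockResources.getString(anyInt()))` answers every string lookup with the SystemUI component and `getResources()` is now mocked for the whole class; stubbing only `com.android.internal.R.string.config_systemUIServiceComponent`, if the test can reference it, would keep the existing tests on real resources. The `.isEqualTo(true)` and `.isEqualTo(false)` assertions read better as `.isTrue()` and `.isFalse()`.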