From 06329e5fb214ce6c2179b7fc7740c0fba41f084a Mon Sep 17 00:00:00 2001
From: Carlos Valdivia
Date: Sat, 7 May 2016 21:46:15 -0700
Subject: [PATCH] [Security] Prevent malicious notifications from AMS.

There was a hole in the getAuthToken logic that allowed notifications resulting from getAuthToken requests using notifyOnAuthFailure=true to launch arbitrary activites on the device. This is because the getAuthToken session overrode onResult (unlike addAccount, updateCreds, or confirmCreds).

Bug: 13787929
Change-Id: Ife1d48835f48416c2f0690f1413a076b69215190
---
 .../android/server/accounts/AccountManagerService.java | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 98b3b088399a..a9a53a2ccee1 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -2237,8 +2237,13 @@ public class AccountManagerService
 }
 }
- new Session(accounts, response, account.type, expectActivityLaunch,
- false /* stripAuthTokenFromResult */, account.name,
+ new Session(
+ accounts,
+ response,
+ account.type,
+ expectActivityLaunch,
+ false /* stripAuthTokenFromResult */,
+ account.name,
 false /* authDetailsRequired */) {
 @Override
 protected String toDebugString(long now) {
@@ -2310,6 +2315,15 @@ public class AccountManagerService
 Intent intent = result.getParcelable(AccountManager.KEY_INTENT);
 if (intent != null && notifyOnAuthFailure && !customTokens) {
+ /*
+ * Make sure that the supplied intent is owned by the authenticator
+ * giving it to the system. Otherwise a malicious authenticator could
+ * have users launching arbitrary activities by tricking users to
+ * interact with malicious notifications.
+ */
+ checkKeyIntent(
+ Binder.getCallingUid(),
+ intent);
 doNotification(mAccounts, account, result.getString(AccountManager.KEY_AUTH_FAILED_MESSAGE), intent, accounts.userId);
-- 
2.11.0
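Review bot: The added `checkKeyIntent(Binder.getCallingUid(), intent)` call identifies the authenticator only through the ambient binder caller, which holds only while this `onResult` override runs directly inside the authenticator's incoming transaction; nothing in the hunk states or enforces that assumption. If the callback were ever reached from a system-server thread, or after the calling identity has been cleared, `Binder.getCallingUid()` would report the system's own uid and the ownership comparison would no longer be about the authenticator. I would pass a uid captured when the authenticator service was bound, or at minimum extend the new comment with `* Must run on the authenticator's binder thread: getCallingUid() is the authenticator's uid here.` `checkKeyIntent` itself is outside the hunk, so it should be confirmed that a rejected intent is reported back to the waiting client as an error rather than leaving the request to time out. The enclosing method starts and ends outside the hunk.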