Skip to content
Commit e8492693 authored by Abodunrinwa Toki's avatar Abodunrinwa Toki
Browse files

TextClassifier cross-user vulnerability in direct-reply 

Sys UI runs on user 0. This can lead to the TextClassifier (TC)
running for the wrong user. Consequencies are user A can launch apps
in user B via the TC's predicted actions and selected text being
unintentionally shared from user A to an app running in user B.

This fix ensures that the correct user id is passed and verified for
every TC request going across process boundaries (i.e. via SystemTC).
- Sys UI sets the appropriate user id in the TextView
- TextClassificationManager (TCM) system service is constructed using
  a context generated from this user id
- SystemTC sets this user id before querying the TCMService
- TCMService validates the user id before forwarding the request to
  the TCService belonging to that user id.

Bug: 136483597
Test: atest android.view.textclassifier
      atest android.widget.TextViewActivityTest
      (manual) Verified according to steps in bug 123232892
Change-Id: I2fdffd8eb4221782cb1f34d2ddbe41dd3d36595c
parent d6f8273a
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment