30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid am: 5bc7f9682d am: d076dc3024 am: a5612a4a46 am: 30316a95f3 am: 7f17d51459 am: 54d1f71323 am: abe54f6d27
am: 45954fcf44
Change-Id: Ibaf46796fa63bd0f8f8879c60a9b1084445b9c1b
diff --git a/res/values-be-rBY/config.xml b/res/values-be-rBY/config.xml
deleted file mode 100644
index 99877a6..0000000
--- a/res/values-be-rBY/config.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<resources xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string-array name="persist_apns_for_plmn">
- <item msgid="6413072509259000954">"20404"</item>
- <item msgid="5639159280778239123">"310004"</item>
- <item msgid="3860605521380788028">"310120"</item>
- <item msgid="537693705785480198">"311480"</item>
- </string-array>
-</resources>
diff --git a/res/values-be-rBY/strings.xml b/res/values-be-rBY/strings.xml
deleted file mode 100644
index 3c86bf4..0000000
--- a/res/values-be-rBY/strings.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (C) 2008 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-
-<resources xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="app_label" product="tablet" msgid="9194799012395299737">"Налады мабiльнай сеткi"</string>
- <string name="app_label" product="default" msgid="8338087656149558019">"Сховішча для тэлефаніі і паведамленняў"</string>
-</resources>
diff --git a/res/values-bs-rBA/config.xml b/res/values-bs-rBA/config.xml
deleted file mode 100644
index 99877a6..0000000
--- a/res/values-bs-rBA/config.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<resources xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string-array name="persist_apns_for_plmn">
- <item msgid="6413072509259000954">"20404"</item>
- <item msgid="5639159280778239123">"310004"</item>
- <item msgid="3860605521380788028">"310120"</item>
- <item msgid="537693705785480198">"311480"</item>
- </string-array>
-</resources>
diff --git a/res/values-bs-rBA/strings.xml b/res/values-bs-rBA/strings.xml
deleted file mode 100644
index 9d19176..0000000
--- a/res/values-bs-rBA/strings.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (C) 2008 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-
-<resources xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="app_label" product="tablet" msgid="9194799012395299737">"Konfiguracija mobilne mreže"</string>
- <string name="app_label" product="default" msgid="8338087656149558019">"Pohrana za telefon i poruke"</string>
-</resources>
diff --git a/res/values-es/strings.xml b/res/values-es/strings.xml
index cb697b4..865f254 100644
--- a/res/values-es/strings.xml
+++ b/res/values-es/strings.xml
@@ -17,5 +17,5 @@
<resources xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
<string name="app_label" product="tablet" msgid="9194799012395299737">"Configuración de red móvil"</string>
- <string name="app_label" product="default" msgid="8338087656149558019">"Almacenamiento de mensajes y teléfono"</string>
+ <string name="app_label" product="default" msgid="8338087656149558019">"Almac. Mensajes/Teléfono"</string>
</resources>
diff --git a/res/values-ro/strings.xml b/res/values-ro/strings.xml
index 39fa7b9..a2c590c 100644
--- a/res/values-ro/strings.xml
+++ b/res/values-ro/strings.xml
@@ -16,6 +16,6 @@
<resources xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="app_label" product="tablet" msgid="9194799012395299737">"Configurația rețelei de telefonie mobilă"</string>
+ <string name="app_label" product="tablet" msgid="9194799012395299737">"Configurația reţelei de telefonie mobilă"</string>
<string name="app_label" product="default" msgid="8338087656149558019">"Stocare Telefon/Mesagerie"</string>
</resources>
diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java
index 71e84c6..f588b23 100644
--- a/src/com/android/providers/telephony/MmsProvider.java
+++ b/src/com/android/providers/telephony/MmsProvider.java
@@ -510,7 +510,7 @@
// we're using the row id of the part table row but we're also using ids
// from the sms table so this divides the space into two large chunks.
// The row ids from the part table start at 2 << 32.
- cv.put(Telephony.MmsSms.WordsTable.ID, (2 << 32) + rowId);
+ cv.put(Telephony.MmsSms.WordsTable.ID, (2L << 32) + rowId);
cv.put(Telephony.MmsSms.WordsTable.INDEXED_TEXT, values.getAsString("text"));
cv.put(Telephony.MmsSms.WordsTable.SOURCE_ROW_ID, rowId);
cv.put(Telephony.MmsSms.WordsTable.TABLE_ID, 2);
@@ -1016,4 +1016,3 @@
}
}
}
-
diff --git a/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java b/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java
index 610418e..118eaeb 100644
--- a/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java
+++ b/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java
@@ -231,11 +231,14 @@
private static MmsSmsDatabaseHelper sDeInstance = null;
private static MmsSmsDatabaseHelper sCeInstance = null;
+
+ private static final String[] BIND_ARGS_NONE = new String[0];
+
private static boolean sTriedAutoIncrement = false;
private static boolean sFakeLowStorageTest = false; // for testing only
static final String DATABASE_NAME = "mmssms.db";
- static final int DATABASE_VERSION = 64;
+ static final int DATABASE_VERSION = 65;
private final Context mContext;
private LowStorageMonitor mLowStorageMonitor;
@@ -319,133 +322,110 @@
public static void updateThread(SQLiteDatabase db, long thread_id) {
if (thread_id < 0) {
- updateAllThreads(db, null, null);
+ updateThreads(db, null, null);
return;
}
-
- db.beginTransaction();
- try {
- // Delete the row for this thread in the threads table if
- // there are no more messages attached to it in either
- // the sms or pdu tables.
- int rows = db.delete(MmsSmsProvider.TABLE_THREADS,
- "_id = ? AND _id NOT IN" +
- " (SELECT thread_id FROM sms " +
- " UNION SELECT thread_id FROM pdu)",
- new String[] { String.valueOf(thread_id) });
- if (rows > 0) {
- // If this deleted a row, let's remove orphaned canonical_addresses and get outta here
- removeUnferencedCanonicalAddresses(db);
- } else {
- // Update the message count in the threads table as the sum
- // of all messages in both the sms and pdu tables.
- db.execSQL(
- " UPDATE threads SET message_count = " +
- " (SELECT COUNT(sms._id) FROM sms LEFT JOIN threads " +
- " ON threads._id = " + Sms.THREAD_ID +
- " WHERE " + Sms.THREAD_ID + " = " + thread_id +
- " AND sms." + Sms.TYPE + " != 3) + " +
- " (SELECT COUNT(pdu._id) FROM pdu LEFT JOIN threads " +
- " ON threads._id = " + Mms.THREAD_ID +
- " WHERE " + Mms.THREAD_ID + " = " + thread_id +
- " AND (m_type=132 OR m_type=130 OR m_type=128)" +
- " AND " + Mms.MESSAGE_BOX + " != 3) " +
- " WHERE threads._id = " + thread_id + ";");
-
- // Update the date and the snippet (and its character set) in
- // the threads table to be that of the most recent message in
- // the thread.
- db.execSQL(
- " UPDATE threads" +
- " SET" +
- " date =" +
- " (SELECT date FROM" +
- " (SELECT date * 1000 AS date, thread_id FROM pdu" +
- " UNION SELECT date, thread_id FROM sms)" +
- " WHERE thread_id = " + thread_id + " ORDER BY date DESC LIMIT 1)," +
- " snippet =" +
- " (SELECT snippet FROM" +
- " (SELECT date * 1000 AS date, sub AS snippet, thread_id FROM pdu" +
- " UNION SELECT date, body AS snippet, thread_id FROM sms)" +
- " WHERE thread_id = " + thread_id + " ORDER BY date DESC LIMIT 1)," +
- " snippet_cs =" +
- " (SELECT snippet_cs FROM" +
- " (SELECT date * 1000 AS date, sub_cs AS snippet_cs, thread_id FROM pdu" +
- " UNION SELECT date, 0 AS snippet_cs, thread_id FROM sms)" +
- " WHERE thread_id = " + thread_id + " ORDER BY date DESC LIMIT 1)" +
- " WHERE threads._id = " + thread_id + ";");
-
- // Update the error column of the thread to indicate if there
- // are any messages in it that have failed to send.
- // First check to see if there are any messages with errors in this thread.
- String query = "SELECT thread_id FROM sms WHERE type=" +
- Telephony.TextBasedSmsColumns.MESSAGE_TYPE_FAILED +
- " AND thread_id = " + thread_id +
- " LIMIT 1";
- int setError = 0;
- Cursor c = db.rawQuery(query, null);
- if (c != null) {
- try {
- setError = c.getCount(); // Because of the LIMIT 1, count will be 1 or 0.
- } finally {
- c.close();
- }
- }
- // What's the current state of the error flag in the threads table?
- String errorQuery = "SELECT error FROM threads WHERE _id = " + thread_id;
- c = db.rawQuery(errorQuery, null);
- if (c != null) {
- try {
- if (c.moveToNext()) {
- int curError = c.getInt(0);
- if (curError != setError) {
- // The current thread error column differs, update it.
- db.execSQL("UPDATE threads SET error=" + setError +
- " WHERE _id = " + thread_id);
- }
- }
- } finally {
- c.close();
- }
- }
- }
- db.setTransactionSuccessful();
- } catch (Throwable ex) {
- Log.e(TAG, ex.getMessage(), ex);
- } finally {
- db.endTransaction();
- }
+ updateThreads(db, "(thread_id = ?)", new String[]{ String.valueOf(thread_id) });
}
- public static void updateAllThreads(SQLiteDatabase db, String where, String[] whereArgs) {
+ /**
+ * Update all threads containing SMS matching the 'where' condition. Note that the condition
+ * is applied to individual messages in the sms table, NOT the threads table.
+ */
+ public static void updateThreads(SQLiteDatabase db, String where, String[] whereArgs) {
+ if (where == null) {
+ where = "1";
+ }
+ if (whereArgs == null) {
+ whereArgs = BIND_ARGS_NONE;
+ }
db.beginTransaction();
try {
- if (where == null) {
- where = "";
- } else {
- where = "WHERE (" + where + ")";
+ // Delete rows in the threads table if
+ // there are no more messages attached to it in either
+ // the sms or pdu tables.
+ // Note that we do this regardless of whether they match 'where'.
+ int rows = db.delete(MmsSmsProvider.TABLE_THREADS,
+ "_id NOT IN (" +
+ " SELECT DISTINCT thread_id FROM sms WHERE thread_id IS NOT NULL" +
+ " UNION" +
+ " SELECT DISTINCT thread_id FROM pdu WHERE thread_id IS NOT NULL)",
+ null);
+ if (rows > 0) {
+ // If this deleted a row, let's remove orphaned canonical_addresses
+ removeUnferencedCanonicalAddresses(db);
}
- String query = "SELECT _id FROM threads WHERE _id IN " +
- "(SELECT DISTINCT thread_id FROM sms " + where + ")";
- Cursor c = db.rawQuery(query, whereArgs);
- if (c != null) {
- try {
- while (c.moveToNext()) {
- updateThread(db, c.getInt(0));
- }
- } finally {
- c.close();
- }
- }
- // TODO: there are several db operations in this function. Lets wrap them in a
- // transaction to make it faster.
- // remove orphaned threads
- db.delete(MmsSmsProvider.TABLE_THREADS,
- "_id NOT IN (SELECT DISTINCT thread_id FROM sms where thread_id NOT NULL " +
- "UNION SELECT DISTINCT thread_id FROM pdu where thread_id NOT NULL)", null);
- // remove orphaned canonical_addresses
- removeUnferencedCanonicalAddresses(db);
+ // Update the message count in the threads table as the sum
+ // of all messages in both the sms and pdu tables.
+ db.execSQL(
+ " UPDATE threads" +
+ " SET message_count = (" +
+ " SELECT COUNT(sms._id) FROM sms" +
+ " WHERE " + Sms.THREAD_ID + " = threads._id" +
+ " AND sms." + Sms.TYPE + " != 3" +
+ " ) + (" +
+ " SELECT COUNT(pdu._id) FROM pdu" +
+ " WHERE " + Mms.THREAD_ID + " = threads._id" +
+ " AND (m_type=132 OR m_type=130 OR m_type=128)" +
+ " AND " + Mms.MESSAGE_BOX + " != 3" +
+ " )" +
+ " WHERE EXISTS (" +
+ " SELECT _id" +
+ " FROM sms" +
+ " WHERE thread_id = threads._id" +
+ " AND (" + where + ")" +
+ " LIMIT 1" +
+ " );",
+ whereArgs);
+
+ // Update the date and the snippet (and its character set) in
+ // the threads table to be that of the most recent message in
+ // the thread.
+ db.execSQL(
+ " WITH matches AS (" +
+ " SELECT date * 1000 AS date, sub AS snippet, sub_cs AS snippet_cs, thread_id" +
+ " FROM pdu" +
+ " WHERE thread_id = threads._id" +
+ " UNION" +
+ " SELECT date, body AS snippet, 0 AS snippet_cs, thread_id" +
+ " FROM sms" +
+ " WHERE thread_id = threads._id" +
+ " ORDER BY date DESC" +
+ " LIMIT 1" +
+ " )" +
+ " UPDATE threads" +
+ " SET date = (SELECT date FROM matches)," +
+ " snippet = (SELECT snippet FROM matches)," +
+ " snippet_cs = (SELECT snippet_cs FROM matches)" +
+ " WHERE EXISTS (" +
+ " SELECT _id" +
+ " FROM sms" +
+ " WHERE thread_id = threads._id" +
+ " AND (" + where + ")" +
+ " LIMIT 1" +
+ " );",
+ whereArgs);
+
+ // Update the error column of the thread to indicate if there
+ // are any messages in it that have failed to send.
+ // First check to see if there are any messages with errors in this thread.
+ db.execSQL(
+ " UPDATE threads" +
+ " SET error = EXISTS (" +
+ " SELECT type" +
+ " FROM sms" +
+ " WHERE type=" + Telephony.TextBasedSmsColumns.MESSAGE_TYPE_FAILED +
+ " AND thread_id = threads._id" +
+ " )" +
+ " WHERE EXISTS (" +
+ " SELECT _id" +
+ " FROM sms" +
+ " WHERE thread_id = threads._id" +
+ " AND (" + where + ")" +
+ " LIMIT 1" +
+ " );",
+ whereArgs);
db.setTransactionSuccessful();
} catch (Throwable ex) {
@@ -581,6 +561,7 @@
private void createIndices(SQLiteDatabase db) {
createThreadIdIndex(db);
+ createThreadIdDateIndex(db);
}
private void createThreadIdIndex(SQLiteDatabase db) {
@@ -592,6 +573,15 @@
}
}
+ private void createThreadIdDateIndex(SQLiteDatabase db) {
+ try {
+ db.execSQL("CREATE INDEX IF NOT EXISTS threadIdDateIndex ON sms" +
+ " (thread_id, date);");
+ } catch (Exception ex) {
+ Log.e(TAG, "got exception creating indices: " + ex.toString());
+ }
+ }
+
private void createMmsTables(SQLiteDatabase db) {
// N.B.: Whenever the columns here are changed, the columns in
// {@ref MmsSmsProvider} must be changed to match.
@@ -1423,7 +1413,8 @@
db.beginTransaction();
try {
- upgradeDatabaseToVersion63(db);
+ // upgrade to 63: just add a happy little index.
+ createThreadIdDateIndex(db);
db.setTransactionSuccessful();
} catch (Throwable ex) {
Log.e(TAG, ex.getMessage(), ex);
@@ -1447,6 +1438,22 @@
} finally {
db.endTransaction();
}
+ // fall through
+ case 64:
+ if (currentVersion <= 64) {
+ return;
+ }
+
+ db.beginTransaction();
+ try {
+ upgradeDatabaseToVersion65(db);
+ db.setTransactionSuccessful();
+ } catch (Throwable ex) {
+ Log.e(TAG, ex.getMessage(), ex);
+ break;
+ } finally {
+ db.endTransaction();
+ }
return;
}
@@ -1722,11 +1729,11 @@
" WHERE INSTR(" + Part._DATA + ", '" + partsDirName + "') > 0");
}
- private void upgradeDatabaseToVersion63(SQLiteDatabase db) {
+ private void upgradeDatabaseToVersion64(SQLiteDatabase db) {
db.execSQL("ALTER TABLE " + SmsProvider.TABLE_RAW +" ADD COLUMN deleted INTEGER DEFAULT 0");
}
- private void upgradeDatabaseToVersion64(SQLiteDatabase db) {
+ private void upgradeDatabaseToVersion65(SQLiteDatabase db) {
db.execSQL("ALTER TABLE " + SmsProvider.TABLE_RAW +" ADD COLUMN message_body TEXT");
}
diff --git a/src/com/android/providers/telephony/MmsSmsProvider.java b/src/com/android/providers/telephony/MmsSmsProvider.java
index d5e0ef9..1ea4d5c 100644
--- a/src/com/android/providers/telephony/MmsSmsProvider.java
+++ b/src/com/android/providers/telephony/MmsSmsProvider.java
@@ -1232,10 +1232,10 @@
affectedRows = MmsProvider.deleteMessages(context, db,
selection, selectionArgs, uri)
+ db.delete("sms", selection, selectionArgs);
- // Intentionally don't pass the selection variable to updateAllThreads.
+ // Intentionally don't pass the selection variable to updateThreads.
// When we pass in "locked=0" there, the thread will get excluded from
// the selection and not get updated.
- MmsSmsDatabaseHelper.updateAllThreads(db, null, null);
+ MmsSmsDatabaseHelper.updateThreads(db, null, null);
break;
case URI_OBSOLETE_THREADS:
affectedRows = db.delete(TABLE_THREADS,
diff --git a/src/com/android/providers/telephony/SmsProvider.java b/src/com/android/providers/telephony/SmsProvider.java
index f50f804..da8ad50 100644
--- a/src/com/android/providers/telephony/SmsProvider.java
+++ b/src/com/android/providers/telephony/SmsProvider.java
@@ -656,7 +656,7 @@
count = db.delete(TABLE_SMS, where, whereArgs);
if (count != 0) {
// Don't update threads unless something changed.
- MmsSmsDatabaseHelper.updateAllThreads(db, where, whereArgs);
+ MmsSmsDatabaseHelper.updateThreads(db, where, whereArgs);
}
break;