Use IntentFilter CREATOR directly for serializing ParsedIntentInfo

Winson · Android Build Coastguard Worker · commit f1c159e1f5b3 · 2021-06-30T23:59:09.000Z
ParsedIntentInfo's CRFEATOR was removed because it exposes a
reparcelling vulnerability. This adjusts a system API that relied on
the implicit parcelling read to instead use IntentFilter directly,
ignoring the fields contained in the subclass.

Bug: 192050390
Bug: 191055353

Test: manual, cannot repro crash after patch

Merged-In: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
Change-Id: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
(cherry picked from commit 7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -14252,9 +14252,15 @@ public boolean updateIntentVerificationStatus(String packageName, int status, in
             return new ParceledListSlice<IntentFilter>(result) {
                 @Override
                 protected void writeElement(IntentFilter parcelable, Parcel dest, int callFlags) {
-                    // IntentFilter has final Parcelable methods, so redirect to the subclass
-                    ((ParsedIntentInfo) parcelable).writeIntentInfoToParcel(dest,
-                            callFlags);
+                    parcelable.writeToParcel(dest, callFlags);
+                }
+
+                @Override
+                protected void writeParcelableCreator(IntentFilter parcelable, Parcel dest) {
+                    // All Parcel#writeParcelableCreator does is serialize the class name to
+                    // access via reflection to grab its CREATOR. This does that manually, pointing
+                    // to the parent IntentFilter so that all of the subclass fields are ignored.
+                    dest.writeString(IntentFilter.class.getName());
                 }
             };
         }
