Permission Denial: starting Intent… java.lang.SecurityException: at android.os.Parcel.readException(Parcel.java)

RESOLVED FIXED in Firefox 39

Status

Firefox for Android
General
--
critical
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: rnewman, Assigned: rnewman)

Tracking

({crash, reproducible})

unspecified
Firefox 41
All
Android
crash, reproducible
Points:
---

Firefox Tracking Flags

(firefox38 wontfix, firefox38.0.5 wontfix, firefox39 verified, firefox40 fixed, firefox41 fixed, fennec+)

Details

(Whiteboard: [native-crash], crash signature)

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
Similar to Bug 782566, but different enough that I'm filing a separate bug.

https://crash-stats.mozilla.com/report/index/98c66d75-8578-4b21-b594-172c72140623
https://crash-stats.mozilla.com/report/index/0898570b-2802-4818-9d1c-770132140622

Shows up as:

java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=https://plus.google.com/109987227147705019735/posts flg=0x4000000 cmp=com.google.android.apps.plus/com.google.android.libraries.social.gateway.GatewayActivity } from ProcessRecord{42622fc0 10765:org.mozilla.fennec/u0a10223} (pid=10765, uid=10223) not exported from uid 10107


java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.GET_CONTENT cat=[android.intent.category.OPENABLE] typ=*/* flg=0x3000000 cmp=com.evernote/.note.composer.FilePickerActivity } from ProcessRecord{415c3d00 13173:org.mozilla.fennec_aurora/10033} (pid=13173, uid=10033) not exported from uid 10039
	at android.os.Parcel.readException(Parcel.java:1327)
	at android.os.Parcel.readException(Parcel.java:1281)
	at android.app.ActivityManagerProxy.startActivity(ActivityManagerNative.java:1658)
	at android.app.Instrumentation.execStartActivity(Instrumentation.java:1379)
	at android.app.Activity.startActivityForResult(Activity.java:3309)
	at android.app.Activity.startActivity(Activity.java:3416)
	at com.android.internal.app.ResolverActivity.onIntentSelected(ResolverActivity.java:207)
	at com.android.internal.app.ResolverActivity.onClick(ResolverActivity.java:121)
	at com.android.internal.app.AlertController$AlertParams$3.onItemClick(AlertController.java:924)
	at android.widget.AdapterView.performItemClick(AdapterView.java:292)
	at android.widget.AbsListView.performItemClick(AbsListView.java:1068)
	at android.widget.AbsListView$PerformClick.run(AbsListView.java:2524)
	at android.widget.AbsListView$1.run(AbsListView.java:3197)
	at android.os.Handler.handleCallback(Handler.java:605)
	at android.os.Handler.dispatchMessage(Handler.java:92)
	at android.os.Looper.loop(Looper.java:137)
	at android.app.ActivityThread.main(ActivityThread.java:4558)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:511)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
	at dalvik.system.NativeStart.main(Native Method)


More at <https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=java.lang.SecurityException%3A+at+android.os.Parcel.readException%28Parcel.java%29>
(Assignee)

Comment 1

4 years ago
Layers of problems here:

* You'll get a SecurityException whenever you try to launch an Activity that isn't either exported or running in your own process. So we should handle that if we can.

* Other apps shouldn't have non-exported activities coming up in the picker. That's kinda puzzling. The crash in Comment 0, for example, looks like Evernote's file picker isn't exported when it should be. I wonder if we can filter that out?

* If we're trying to launch an activity in another package, PackageManager has getLaunchIntentForPackage(). I doubt that applies here, though.

If I were to guess at call sites, I'd suggest:

* File upload
* The native app URL bar button (e.g., for Google Plus?)

I hit this on my Nexus 6 using Firefox beta when I downloaded a PDF file and then clicked on the notification bar to open it - on my device it is consistently reproducible.

https://crash-stats.mozilla.com/report/index/bb01db2d-82e8-4d2f-9e59-cfb242150430
(Assignee)

Updated

3 years ago
Hardware: ARM → All
Summary: java.lang.SecurityException: at android.os.Parcel.readException(Parcel.java) → Permission Denial: starting Intent… java.lang.SecurityException: at android.os.Parcel.readException(Parcel.java)
(Assignee)

Comment 3

3 years ago
Marcia: your issue seems to be that Boingo Wi-Finder is somehow associated as the handler for that file, but the intent handler isn't public!

java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=file:///storage/emulated/0/Download/0fa6464c-c2d3-434e-b3f3-6e466cdcf3da flg=0x4000000 cmp=com.boingo.boingowifi/.WebGetPostActivity } from ProcessRecord{16a65209 30877:org.mozilla.firefox_beta/u0a88} (pid=30877, uid=10088) not exported from uid 10124

This is a lot like 

https://commonsware.com/blog/2012/07/09/dont-advertise-intent-filters-that-are-not-yours.html

Marcia, could you open Android Settings, Apps, find Boingo Wi-Finder, tap it, scroll to the bottom, and:

1. Tell me if it says "NO DEFAULTS SET"
2. Tap "Clear defaults"
3. See if you can still repro?
(Assignee)

Updated

3 years ago
Flags: needinfo?(mozillamarcia.knous)
(Assignee)

Comment 4

3 years ago
Created attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Here's my theory.

The Android intent chooser lets us pick activities that we're not allowed to launch.

Our URI handlers can also end up finding activities that we're not allowed to launch, because they're included in the candidate list when we query PM.

This patch does two things:

* It stops us crashing in the former case by catching the exception.
* It stops us hitting the latter case by excluding non-exported activities from the candidate list.

This is speculative, because I can't repro this.
Attachment #8622021 - Flags: review?(mark.finkle)
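
The two measures described in the comment above, sketched as an added example; this is not the attached patch or Fennec's own code. The class `SafeLauncher` and its method names are hypothetical, and only standard Android SDK calls are used.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

// Hypothetical helper; name and structure are illustrative only.
public final class SafeLauncher {
    private static final String TAG = "SafeLauncher";

    private SafeLauncher() {}

    /** Handlers for the intent that this app is actually permitted to start. */
    public static List<ResolveInfo> launchableHandlers(Context context, Intent intent) {
        final PackageManager pm = context.getPackageManager();
        final String ownPackage = context.getPackageName();
        final List<ResolveInfo> launchable = new ArrayList<>();
        for (ResolveInfo info : pm.queryIntentActivities(intent, 0)) {
            if (info.activityInfo == null) {
                continue;
            }
            // An intent filter alone does not make an activity launchable:
            // with exported=false it can still match the query, but only
            // its own app may start it. Keep it only if it is ours.
            if (info.activityInfo.exported
                    || ownPackage.equals(info.activityInfo.packageName)) {
                launchable.add(info);
            }
        }
        return launchable;
    }

    /** Starts the intent; returns false instead of crashing when the launch is refused. */
    public static boolean tryStart(Context context, Intent intent) {
        try {
            context.startActivity(intent);
            return true;
        } catch (SecurityException e) {
            // "Permission Denial ... not exported from uid N"
            Log.w(TAG, "Launch refused for " + intent, e);
        } catch (ActivityNotFoundException e) {
            Log.w(TAG, "No activity found for " + intent, e);
        }
        return false;
    }
}
```

The filter only covers candidate lists the app builds itself; a launch chosen elsewhere still needs the `SecurityException` catch.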
(Assignee)

Updated

3 years ago
Assignee: nobody → rnewman
Status: NEW → ASSIGNED
(Assignee)

Comment 5

3 years ago
Here's a great example:

https://crash-stats.mozilla.com/report/index/fe8d1241-3190-413e-9c9f-510bc2150613

java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=file:///storage/emulated/0/Download/[kat.cr]kurt.cobain.montage.of.heck.2015.1080p.brrip.x264.yify.torrent flg=0x4000000 cmp=org.wikipedia/.settings.LicenseActivity } from ProcessRecord{1d62fff 11189:org.mozilla.firefox/u0a350} (pid=11189, uid=10350) not exported from uid 10243

Here's the Wikipedia app's manifest:

https://github.com/wikimedia/apps-android-wikipedia/blob/50208e1c91c4b83b2b2d5447949a021f366f413f/wikipedia/AndroidManifest.xml#L126

        <activity android:name=".settings.LicenseActivity"
                  android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:pathPrefix="/android_asset/licenses/" android:scheme="file" />
            </intent-filter>
        </activity>

That activity used to be exported!

https://github.com/wikimedia/apps-android-wikipedia/commit/8ca9fbeefb758164eac4b044ee173d73b61add82

but even so it could conceivably match for some strange reason, in which case we'd launch it and it'd fail.
(Assignee)

Comment 6

3 years ago
The vast majority of crashes I sampled seem to be this Wikipedia license activity.
(Assignee)

Updated

3 years ago
No longer depends on: 782566

(In reply to Richard Newman [:rnewman] from comment #3)
> Marcia: your issue seems to be that Boingo Wi-Finder is somehow associated
> as the handler for that file, but the intent handler isn't public!
> 
> java.lang.SecurityException: Permission Denial: starting Intent {
> act=android.intent.action.VIEW
> dat=file:///storage/emulated/0/Download/0fa6464c-c2d3-434e-b3f3-6e466cdcf3da
> flg=0x4000000 cmp=com.boingo.boingowifi/.WebGetPostActivity } from
> ProcessRecord{16a65209 30877:org.mozilla.firefox_beta/u0a88} (pid=30877,
> uid=10088) not exported from uid 10124
> 
> This is a lot like 
> 
> https://commonsware.com/blog/2012/07/09/dont-advertise-intent-filters-that-are-not-yours.html
> 
> Marcia, could you open Android Settings, Apps, find Boingo Wi-Finder, tap
> it, scroll to the bottom, and:
> 
> 1. Tell me if it says "NO DEFAULTS SET"
> 2. Tap "Clear defaults"
> 3. See if you can still repro?


Confirming it says "NO DEFAULT SET"
I cleared the defaults for that app
Haven't yet been able to repro
Flags: needinfo?(mozillamarcia.knous)

Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Looks safe enough to try
Attachment #8622021 - Flags: review?(mark.finkle) → review+
(Assignee)

Comment 10

3 years ago
Requesting tracking, 'cos this seems to be a topcrash.
tracking-fennec: --- → ?

https://hg.mozilla.org/mozilla-central/rev/7d94ea57d5a0
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox41: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 41
(Assignee)

Comment 12

3 years ago
ni me to request uplift. Nightly isn't being updated right now, so we need to wait for broader testing.
Flags: needinfo?(rnewman)

Comment 13

3 years ago
tracking+ because this doesn't look like a regression, but we can track for a specific release if we decide to uplift.
tracking-fennec: ? → +
(Assignee)

Comment 14

3 years ago
Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Approval Request Comment
[Feature/regressing bug #]:
  Long-standing.

  This should definitely go up to Aurora. Release owner can make the call whether the potential reduction is worth taking on Beta; Nightly volume isn't enough to be sure of the fix, particularly with the delay in updates this week, but there have been no crashes on fixed Nightly versions.

[User impact if declined]:
  4000+ crashes per week.

[Describe test coverage new/current, TreeHerder]:
  Manual testing, touches a chunk of code that gets exercised a lot.

[Risks and why]: 
  Possibility of screwing up offering external app links or share destinations.
  Why? Lots of crashes.
  This is a sane and small fix, involving an extra catch block and then a filter to exclude activities that we definitely should not be trying to launch.

[String/UUID change made/needed]:
  None.
Flags: needinfo?(rnewman)
Attachment #8622021 - Flags: approval-mozilla-beta?
Attachment #8622021 - Flags: approval-mozilla-aurora?

Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Top crash, taking the fix in aurora.
Attachment #8622021 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 16

3 years ago
Needs minor rebasing for Aurora, so I'll land this.
Whiteboard: [native-crash] → [native-crash][needs branch patch]
(Assignee)

Updated

3 years ago
status-firefox38: --- → wontfix
status-firefox38.0.5: --- → wontfix
status-firefox39: --- → affected
status-firefox40: --- → fixed
Whiteboard: [native-crash][needs branch patch] → [native-crash]

Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Let's take this for beta in hopes it will decrease the crash rate.
Attachment #8622021 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
status-firefox39: affected → fixed

I've reproduced this crash on Firefox 38.0.5 when I downloaded a .srt file, then clicked on the notification bar to open it. I had previously installed the Wikipedia app.
https://crash-stats.mozilla.com/report/index/5c21a926-371f-4b60-9fbb-165152150624

Using the same steps I'm not able to reproduce on Firefox 39.0b8 build6.

Tested on Nexus 4 (5.1.1).

Verifying as fixed on Firefox 39.
status-firefox39: fixed → verified