Closed Bug 1031569 Opened 6 years ago Closed 5 years ago

Permission Denial: starting Intent… java.lang.SecurityException: at android.os.Parcel.readException(Parcel.java)

Product/Component: Firefox for Android :: General
Type: defect
Severity: critical
Priority: Not set
Platform: All / Android

Status: RESOLVED FIXED
Target Milestone: Firefox 41

Tracking Status
firefox38 --- wontfix
firefox38.0.5 --- wontfix
firefox39 --- verified
firefox40 --- fixed
firefox41 --- fixed
fennec + ---

Reporter: rnewman, Assigned: rnewman
Keywords: crash, reproducible
Whiteboard: [native-crash]
Attachments: 1 file

Similar to Bug 782566, but different enough that I'm filing a separate bug.

https://crash-stats.mozilla.com/report/index/98c66d75-8578-4b21-b594-172c72140623
https://crash-stats.mozilla.com/report/index/0898570b-2802-4818-9d1c-770132140622

Shows up as:

java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=https://plus.google.com/109987227147705019735/posts flg=0x4000000 cmp=com.google.android.apps.plus/com.google.android.libraries.social.gateway.GatewayActivity } from ProcessRecord{42622fc0 10765:org.mozilla.fennec/u0a10223} (pid=10765, uid=10223) not exported from uid 10107


java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.GET_CONTENT cat=[android.intent.category.OPENABLE] typ=*/* flg=0x3000000 cmp=com.evernote/.note.composer.FilePickerActivity } from ProcessRecord{415c3d00 13173:org.mozilla.fennec_aurora/10033} (pid=13173, uid=10033) not exported from uid 10039
	at android.os.Parcel.readException(Parcel.java:1327)
	at android.os.Parcel.readException(Parcel.java:1281)
	at android.app.ActivityManagerProxy.startActivity(ActivityManagerNative.java:1658)
	at android.app.Instrumentation.execStartActivity(Instrumentation.java:1379)
	at android.app.Activity.startActivityForResult(Activity.java:3309)
	at android.app.Activity.startActivity(Activity.java:3416)
	at com.android.internal.app.ResolverActivity.onIntentSelected(ResolverActivity.java:207)
	at com.android.internal.app.ResolverActivity.onClick(ResolverActivity.java:121)
	at com.android.internal.app.AlertController$AlertParams$3.onItemClick(AlertController.java:924)
	at android.widget.AdapterView.performItemClick(AdapterView.java:292)
	at android.widget.AbsListView.performItemClick(AbsListView.java:1068)
	at android.widget.AbsListView$PerformClick.run(AbsListView.java:2524)
	at android.widget.AbsListView$1.run(AbsListView.java:3197)
	at android.os.Handler.handleCallback(Handler.java:605)
	at android.os.Handler.dispatchMessage(Handler.java:92)
	at android.os.Looper.loop(Looper.java:137)
	at android.app.ActivityThread.main(ActivityThread.java:4558)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:511)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
	at dalvik.system.NativeStart.main(Native Method)


More at <https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=java.lang.SecurityException%3A+at+android.os.Parcel.readException%28Parcel.java%29>

Layers of problems here:

* You'll get a SecurityException whenever you try to launch an Activity that isn't either exported or running in your own process. So we should handle that if we can.

* Other apps shouldn't have non-exported activities coming up in the picker. That's kinda puzzling. The crash in Comment 0, for example, looks like Evernote's file picker isn't exported when it should be. I wonder if we can filter that out?

* If we're trying to launch an activity in another package, PackageManager has getLaunchIntentForPackage(). I doubt that applies here, though.

If I were to guess at call sites, I'd suggest:

* File upload
* The native app URL bar button (e.g., for Google Plus?)

I hit this on my Nexus 6 using Firefox beta when I downloaded a PDF file and then clicked on the notification bar to open it - on my device it is consistently reproducible.

https://crash-stats.mozilla.com/report/index/bb01db2d-82e8-4d2f-9e59-cfb242150430
Hardware: ARM → All
Summary: java.lang.SecurityException: at android.os.Parcel.readException(Parcel.java) → Permission Denial: starting Intent… java.lang.SecurityException: at android.os.Parcel.readException(Parcel.java)
Marcia: your issue seems to be that Boingo Wi-Finder is somehow associated as the handler for that file, but the intent handler isn't public!

java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=file:///storage/emulated/0/Download/0fa6464c-c2d3-434e-b3f3-6e466cdcf3da flg=0x4000000 cmp=com.boingo.boingowifi/.WebGetPostActivity } from ProcessRecord{16a65209 30877:org.mozilla.firefox_beta/u0a88} (pid=30877, uid=10088) not exported from uid 10124

This is a lot like 

https://commonsware.com/blog/2012/07/09/dont-advertise-intent-filters-that-are-not-yours.html

Marcia, could you open Android Settings, Apps, find Boingo Wi-Finder, tap it, scroll to the bottom, and:

1. Tell me if it says "NO DEFAULTS SET"
2. Tap "Clear defaults"
3. See if you can still repro?
Flags: needinfo?(mozillamarcia.knous)
Here's my theory.

The Android intent chooser lets us pick activities that we're not allowed to launch.

Our URI handlers can also end up finding activities that we're not allowed to launch, because they're included in the candidate list when we query PM.

This patch does two things:

* It stops us crashing in the former case by catching the exception.
* It stops us hitting the latter case by excluding non-exported activities from the candidate list.

This is speculative, because I can't repro this.
Attachment #8622021 - Flags: review?(mark.finkle)
Assignee: nobody → rnewman
Status: NEW → ASSIGNED
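
The two measures described in the comment above, written out as an added example; this is not the patch attached to this bug and not Mozilla's code. `SafeLauncher` and its method names are hypothetical, and `context` is assumed to be an Activity, so no `FLAG_ACTIVITY_NEW_TASK` is needed.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.os.Process;
import android.util.Log;
import java.util.ArrayList;
import java.util.List;

// Added illustration; SafeLauncher and its methods are hypothetical names.
public final class SafeLauncher {
    private static final String TAG = "SafeLauncher";

    /** Returns only the handlers for {@code intent} that this process may start. */
    public static List<ResolveInfo> launchableActivities(Context context, Intent intent) {
        final PackageManager pm = context.getPackageManager();
        final List<ResolveInfo> launchable = new ArrayList<>();
        for (ResolveInfo info : pm.queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)) {
            final ActivityInfo activity = info.activityInfo;
            if (activity == null) {
                continue;
            }
            // An <intent-filter> makes an activity match the query even when
            // android:exported="false"; such an activity can only be started
            // by a caller running under the same UID.
            final boolean sameUid = activity.applicationInfo.uid == Process.myUid();
            if (activity.exported || sameUid) {
                launchable.add(info);
            }
        }
        return launchable;
    }

    /** Starts {@code intent}; returns false instead of crashing if the launch is refused. */
    public static boolean tryStartActivity(Context context, Intent intent) {
        try {
            context.startActivity(intent);
            return true;
        } catch (SecurityException | ActivityNotFoundException e) {
            // SecurityException carries "Permission Denial: ... not exported from uid N".
            Log.w(TAG, "Could not start activity for action " + intent.getAction(), e);
            return false;
        }
    }
}
```

The log line records only the intent action, not its data URI, so downloaded file paths and visited URLs stay out of logcat.
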
Here's a great example:

https://crash-stats.mozilla.com/report/index/fe8d1241-3190-413e-9c9f-510bc2150613

java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.VIEW dat=file:///storage/emulated/0/Download/[kat.cr]kurt.cobain.montage.of.heck.2015.1080p.brrip.x264.yify.torrent flg=0x4000000 cmp=org.wikipedia/.settings.LicenseActivity } from ProcessRecord{1d62fff 11189:org.mozilla.firefox/u0a350} (pid=11189, uid=10350) not exported from uid 10243

Here's the Wikipedia app's manifest:

https://github.com/wikimedia/apps-android-wikipedia/blob/50208e1c91c4b83b2b2d5447949a021f366f413f/wikipedia/AndroidManifest.xml#L126

        <activity android:name=".settings.LicenseActivity"
                  android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:pathPrefix="/android_asset/licenses/" android:scheme="file" />
            </intent-filter>
        </activity>

That activity used to be exported!

https://github.com/wikimedia/apps-android-wikipedia/commit/8ca9fbeefb758164eac4b044ee173d73b61add82

but even so it could conceivably match for some strange reason, in which case we'd launch it and it'd fail.
The vast majority of crashes I sampled seem to be this Wikipedia license activity.
No longer depends on: 782566
(In reply to Richard Newman [:rnewman] from comment #3)
> Marcia: your issue seems to be that Boingo Wi-Finder is somehow associated
> as the handler for that file, but the intent handler isn't public!
> 
> java.lang.SecurityException: Permission Denial: starting Intent {
> act=android.intent.action.VIEW
> dat=file:///storage/emulated/0/Download/0fa6464c-c2d3-434e-b3f3-6e466cdcf3da
> flg=0x4000000 cmp=com.boingo.boingowifi/.WebGetPostActivity } from
> ProcessRecord{16a65209 30877:org.mozilla.firefox_beta/u0a88} (pid=30877,
> uid=10088) not exported from uid 10124
> 
> This is a lot like 
> 
> https://commonsware.com/blog/2012/07/09/dont-advertise-intent-filters-that-are-not-yours.html
> 
> Marcia, could you open Android Settings, Apps, find Boingo Wi-Finder, tap
> it, scroll to the bottom, and:
> 
> 1. Tell me if it says "NO DEFAULTS SET"
> 2. Tap "Clear defaults"
> 3. See if you can still repro?


Confirming it says "NO DEFAULT SET"
I cleared the defaults for that app
Haven't yet been able to repro
Flags: needinfo?(mozillamarcia.knous)
Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Looks safe enough to try
Attachment #8622021 - Flags: review?(mark.finkle) → review+
Requesting tracking, 'cos this seems to be a topcrash.
tracking-fennec: --- → ?
https://hg.mozilla.org/mozilla-central/rev/7d94ea57d5a0
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 41
ni me to request uplift. Nightly isn't being updated right now, so we need to wait for broader testing.
Flags: needinfo?(rnewman)
tracking+ because this doesn't look like a regression, but we can track for a specific release if we decide to uplift.
tracking-fennec: ? → +
Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Approval Request Comment
[Feature/regressing bug #]:
  Long-standing.

  This should definitely go up to Aurora. Release owner can make the call whether the potential reduction is worth taking on Beta; Nightly volume isn't enough to be sure of the fix, particularly with the delay in updates this week, but there have been no crashes on fixed Nightly versions.

[User impact if declined]:
  4000+ crashes per week.

[Describe test coverage new/current, TreeHerder]:
  Manual testing, touches a chunk of code that gets exercised a lot.

[Risks and why]: 
  Possibility of screwing up offering external app links or share destinations.
  Why? Lots of crashes.
  This is a sane and small fix, involving an extra catch block and then a filter to exclude activities that we definitely should not be trying to launch.

[String/UUID change made/needed]:
  None.
Flags: needinfo?(rnewman)
Attachment #8622021 - Flags: approval-mozilla-beta?
Attachment #8622021 - Flags: approval-mozilla-aurora?
Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Top crash, taking the fix in aurora.
Attachment #8622021 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Needs minor rebasing for Aurora, so I'll land this.
Whiteboard: [native-crash] → [native-crash][needs branch patch]
Whiteboard: [native-crash][needs branch patch] → [native-crash]
Comment on attachment 8622021 [details] [diff] [review]
Don't query for non-exported activities, don't crash if we fail to launch one. v1

Let's take this for beta in hopes it will decrease the crash rate.
Attachment #8622021 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
I've reproduced this crash on Firefox 38.0.5 when I downloaded a .srt file, then clicked on the notification bar to open it. Previously I have installed the Wikipedia app.
https://crash-stats.mozilla.com/report/index/5c21a926-371f-4b60-9fbb-165152150624

Using the same steps I'm not able to reproduce on Firefox 39.0b8 build6.

Tested on Nexus 4 (5.1.1).

Verifying as fixed on Firefox 39.