From 1d1cef15c61d9b902cc26922212695afd233b718 Mon Sep 17 00:00:00 2001
From: Idriss Juhoor
Date: Mon, 3 Jun 2024 08:05:30 +0000
Subject: [PATCH] Fix Talkback Shortcut Vulnerability
The way the talkback component was selected was vulnerable. Now the system verifies that the talkback component is provided by the system.
Bug: 339609745
Change-Id: Iabadb129807b0ac02aa2e9ac1580ac0f212930ef
Test: manual - tested that the talkback service is still available
Flag: No Flags: Security High/Critical Severity CVEs
---
 .../com/android/server/policy/TalkbackShortcutController.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/policy/TalkbackShortcutController.java b/services/core/java/com/android/server/policy/TalkbackShortcutController.java
index b05a421e6e87..e544ae64521c 100644
--- a/services/core/java/com/android/server/policy/TalkbackShortcutController.java
+++ b/services/core/java/com/android/server/policy/TalkbackShortcutController.java
@@ -117,6 +117,7 @@ private void logStemTriplePressAccessibilityTelemetry(ComponentName componentNam
 }
 private boolean isTalkback(ServiceInfo info) {
- return TALKBACK_LABEL.equals(info.loadLabel(mPackageManager).toString());
+ return TALKBACK_LABEL.equals(info.loadLabel(mPackageManager).toString())
+ && (info.applicationInfo.isSystemApp() || info.applicationInfo.isUpdatedSystemApp());
 }
 }
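Review bot: In `isTalkback`, the service is still identified by its display label, which is declared by the package itself, so the added system-app test is the only thing that ties the match to a trusted component; the method should say so, e.g. `// The label is app-controlled; trust it only for services from a system (or updated system) package.` The trust check would also read better first, so that `loadLabel` is never evaluated against a non-system package's resources: `return (info.applicationInfo.isSystemApp() || info.applicationInfo.isUpdatedSystemApp()) && TALKBACK_LABEL.equals(info.loadLabel(mPackageManager).toString());`. The commit message lists only manual testing of the positive case; a unit test asserting that a non-system service carrying the same label is rejected would guard against regression. The code that enumerates services and calls this method is outside the hunk, so whether `info.applicationInfo` is always populated there cannot be confirmed from here.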