
Security Patches :D #2

Open

wants to merge 386 commits into base: eleven

Conversation

Meghthedev

No description provided.

android-build-team Robot and others added 30 commits November 2, 2019 23:11
This fixes an extremely rare crash, where stale buffer handles were
parceled over to HWC.

The cause was that HWC's command queue is not flushed while the display is
powered off, so buffer handles may become stale while they are sitting in the
command queue. If a layer's buffer goes out of scope in SurfaceFlinger, e.g.
an app continues rendering while the display is powered down, SurfaceFlinger
latches the new buffers, and consequently releases old buffers, then those
buffers will be deallocated while still sending the handles over to HWC
the next time a frame needs to be presented.

The fix prevents buffers from being queued while the display power mode
is OFF, so that buffer handles should never become stale while in the
command queue.

Bug: 141290044
Test: Enabling HWSAN: covering the phone during Hangouts video calling with
speaker-phone disabled to trigger display power down.
Test: libcompositionengine_test

Change-Id: I2592fecbbc17cf1ed70c348df8e53e9c59afb073
(cherry picked from commit 444c254ca0c920df3ad4ff19c262b2cd155caa7c)
…34339, 9734401, 9734402, 9734403, 9734404, 9734405, 9734023, 9734456, 9734340, 9733750, 9733999, 9733853, 9734000, 9734117, 9734341, 9734342, 9734049, 9734343, 9734458, 9734001] into rvc-release

bylaws and others added 29 commits March 25, 2022 17:47
There is some specific code I reversed from the EGL library that sets
the openGL bit in a data struct when getProcAddr is called with
eglSentinelNvFrameworks.

Change-Id: I9c1eaba65c65dfc9b3e500ad627a492ec6ce2f36
The nvidia egl implementation exposes desktop opengl, which has
far too many extensions for the map to handle.

Change-Id: Id925c66fdf98108af126e9e02a38c696157576f2
Change-Id: Icd1e8e0c46c72bd87adb35faa2952d56b9ff2541
Nvidia shield devices support using egl to switch to a full desktop
opengl context. In opengl 3.0+, GL_EXTENSIONS have to be retrieved
with glGetStringi and is invalid for glGetString. Thus,
eglMakecurrent can crash with a NPE if this case is not handled.
The logic here is building a wrapper for glGetStringi, thus the
error can be ignored. This patch allows GL_EXT_debug_marker to
still be pushed into the tokenized extension string used by the
glGetStringi wrapper.

Change-Id: I9c599e10c62aabf684bde4e81719aa248327ac80
…stealReceiveChannel

Add a mutex to prevent a potential race condition.

Bug: 232541124
Test: See bug for details
Change-Id: Ia338f124c786bf12d6adba10a67b9048fe9c34a5
(cherry picked from commit a820057)
Merged-In: Ia338f124c786bf12d6adba10a67b9048fe9c34a5
Change-Id: Icbb7109b9bd4e07283bc29ffe546501824524ac2
…ce.com/platform/frameworks/native into staging/lineage-18.1_merge_android-security-11.0.0_r58

Android Security 11.0.0 Release 58 (8712617)

* tag 'android-security-11.0.0_r58' of https://android.googlesource.com/platform/frameworks/native:
  RESTRICT AUTOMERGE SurfaceFlinger: fix a potential race condition in stealReceiveChannel

Change-Id: I8bc8da4a164a8b94109426913f383b099bfaaaaa
…based.

Add private flag to WindowManager.LayoutParams. If the flag is set,
check if caller has INTERNAL_SYSTEM_WINDOW permission.

Bug: 155781676
Bug: 196389741
Test: atest WindowManagerServiceTests
Change-Id: I58cf9f38c496e0ae8b2193dca45c0805e831bc9e
Merged-In: I58cf9f38c496e0ae8b2193dca45c0805e831bc9e
(cherry picked from commit 39bc611)
Merged-In: I58cf9f38c496e0ae8b2193dca45c0805e831bc9e
- Add a layer state to indicate that this layer and its children
  in the hierarchy are trusted. This can only be set by callers
  holding ACCESS_SURFACE_FLINGER, and will be used for the PIP
  task layer to indicate that activities in PIP are trusted (as
  they are controlled only by the user and SystemUI)

Bug: 191529039
Bug: 196389741
Test: TBD

Change-Id: Id92ccb087bd0d8dbaeeef3ba50b67fe015e53db8
Merged-In: Id92ccb087bd0d8dbaeeef3ba50b67fe015e53db8
(cherry picked from commit 7605fb4)
Merged-In: Id92ccb087bd0d8dbaeeef3ba50b67fe015e53db8
…tructor

To avoid it being initialised to true randomly.

Bug: 199483370
Bug: 196389741
Change-Id: I75be2b1d305e22f8a71532b9f5b8ea6c469baaaa
Merged-In: I75be2b1d305e22f8a71532b9f5b8ea6c469baaaa
(cherry picked from commit 41f48c7)
Merged-In: I75be2b1d305e22f8a71532b9f5b8ea6c469baaaa
Introduces an API to drop input events on this SurfaceControl. This
policy will be inherited by its children. The caller must hold the
ACCESS_SURFACE_FLINGER permission.

Options include:
ALL: SurfaceControl and its children will not receive any
input regardless of whether it has a valid input channel.

These policies are used to enable features that allow for a less trusted
interaction model between apps. See the bug for more details.

Note: this backport does not include the OBSCURED option since it's
not needed for the security fix.

Test: atest libgui_test InputDispatcherDropInputFeatureTest
Bug: 197296414

Merged-In: I443741d5ab51a45d37fb865f11c433c436d96c1e
Change-Id: I443741d5ab51a45d37fb865f11c433c436d96c1e
(cherry picked from commit 122c4d2)
Merged-In: I443741d5ab51a45d37fb865f11c433c436d96c1e
If a window has the feature DROP_INPUT set, then all touch and
key events directed to the window will be dropped. For touch events,
the events will not go to the window behind it.

The flags are used to enable features that allow for a less trusted
interaction model between apps. See the bug for more details.

Test: atest libgui_test InputDispatcherDropInputFeatureTest
Bug: 197296414

Merged-In: I71d7cf5064c8ce4626cff09b92e15ca38b39cbbe
Change-Id: I71d7cf5064c8ce4626cff09b92e15ca38b39cbbe
(cherry picked from commit 0f13fe5)
Merged-In: I71d7cf5064c8ce4626cff09b92e15ca38b39cbbe
ALL: If this mode is set on a layer, set the DROP_INPUT
feature flag on the layer and its children if it has a valid input
channel. This will ensure these layers will not be able to receive any
input.

Note: this backport does not include the OBSCURED option since it's
not needed for the security fix.

Test: atest libgui_test InputDispatcherDropInputFeatureTest
Bug: 197296414

Merged-In: Ibce11ee7df5b5c8c226ebfab29574a99cd656f6d
Change-Id: Ibce11ee7df5b5c8c226ebfab29574a99cd656f6d
(cherry picked from commit cbe9c10)
Merged-In: Ibce11ee7df5b5c8c226ebfab29574a99cd656f6d
…3, 16508594, 18029504] into security-aosp-rvc-release.

Change-Id: I0cb1853f4cdea9338f7d58b6344ec8dfbf6f5bdf
…ce.com/platform/frameworks/native into staging/lineage-18.1_merge_android-security-11.0.0_r62

Android Security 11.0.0 Release 62 (9269287)

* tag 'android-security-11.0.0_r62' of https://android.googlesource.com/platform/frameworks/native:
  SurfaceFlinger: Implement drop input modes
  InputFlinger: Add DROP_INPUT feature flags
  SurfaceControl: Add setDropInputMode api
  DO NOT MERGE Initialize DrawingState::trustedOverlay to false in constructor
  Add mechanism for a task's windows to be trusted overlays (SF)
  Change InputWindowInfo::isTrustedOverlay() to be permission and flag based.

Conflicts:
	libs/gui/Android.bp

Change-Id: I519aa975c298a972b3857ba52e9ff9417c1c52fb
This allows container surfaces to be considered visible in
InputDispatcher and prevents touches from passing through them. In
particular this is used by ActivityRecordInputSink to block touches that
would otherwise pass through the area available to the activity.

Bug: 194480991
Bug: 222292477
Test: Manually tested that blocking still works
Test: atest InputSurfacesTest
Change-Id: Iacfc952139311363b914b1d6bffc2b4190133d02
(cherry picked from commit a185882)
(cherry picked from commit c7df484)
Merged-In: Iacfc952139311363b914b1d6bffc2b4190133d02
Change-Id: I3dbc8ac092844e209fe3ab8d1c49ec5a9cab6818
…ce.com/platform/frameworks/native into staging/lineage-18.1_merge_android-security-11.0.0_r64

Android Security 11.0.0 Release 64 (9383110)

* tag 'android-security-11.0.0_r64' of https://android.googlesource.com/platform/frameworks/native:
  Allow windowhandles with NO_INPUT_CHANNEL - DO NOT MERGE

Change-Id: I7b1818b3533649df2048aee055ca2d3e550e4f7f
- This is part of fix of commit
  Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df for backporting.
- Part of commit Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df which
  sanitizes the transaction flags from DisplayState instead.
- In rvc, we only have ACCESS_SURFACE_FLINGER permission check passed as
  `privileged` argument in SF::applyTransactionState. We can directly
  utilize it for sanitization in DisplayState.
- In rvc code base, SF::setTransactionState passes a const array of
  displayState objects and then calls SF::applyTransactionState. To
  successfully sanitize the flags for each displayState object, we
  convert this const array into a non-const one before calling
  SF::applyTransactionState.

Bug: 248031255
Test: test using displaytoken app manually on the phone, test shell
screenrecord during using displaytoken; atest
android.hardware.camera2.cts.FastBasicsTest

Change-Id: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
(cherry picked from commit 03d4458)
Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
…92111'] into security-aosp-rvc-release.

Change-Id: Iaaa563f48347c21dfb87dbc886294e6951122f12
Test: libsensorserviceaidl_fuzzer with testcase from bug
Bug: 269014004
Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
Change-Id: I0e255c64243c38876fb657cbf942fc1613363216
(cherry picked from commit aeec180)
Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
(cherry picked from commit on googleplex-android-review.googlesource.com host: f1aa5fb)
Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
After catching an error in Sensor::unflatten, there are memory leaks
caught by the fuzzer in the same test case.

Test: libsensorserviceaidl_fuzzer with testcase from bug
Bug: 269014004
Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
Change-Id: I509cceb41f56ca117d9475f6f6674244560fe582
(cherry picked from commit c95fa0f)
Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
(cherry picked from commit on googleplex-android-review.googlesource.com host: ceb0d52)
Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
In order to ensure that clients don't leak their sensor manager
instance that we currently store in a static map, they need to be able
to remove their instance. Otherwise, this instance is never removed from
the list and will hang around until our SensorManager instance is
destroyed.

Bug: 269014004
Test: Run ./libsensorserviceaidl_fuzzer
Change-Id: I52185f74ae8d28b379440235ca6f03c5089081f5
(cherry picked from commit 9532f7c)
Merged-In: I52185f74ae8d28b379440235ca6f03c5089081f5
(cherry picked from commit on googleplex-android-review.googlesource.com host: 4521fbf)
Merged-In: I52185f74ae8d28b379440235ca6f03c5089081f5
…48677', 'googleplex-android-review.googlesource.com/21548678', 'googleplex-android-review.googlesource.com/21548959'] into security-aosp-rvc-release.

Change-Id: I1e1337f99b2114d34f51e4f98ba2a4b6b3294bc5
On some devices an external daemon consumes input events and these
shouldn't be reported to apps.

Change-Id: Iffedb3061361ee120563c1f5e39a14faf5a2f83c
…ce.com/platform/frameworks/native into staging/lineage-18.1_merge_android-security-11.0.0_r66

Android Security 11.0.0 Release 66 (9682389)

* tag 'android-security-11.0.0_r66' of https://android.googlesource.com/platform/frameworks/native:
  Mitigate the security vulnerability by sanitizing the transaction flags.

Change-Id: I6cd2b5ef32ac384241ede19f76574786a5dbe4d2
…ce.com/platform/frameworks/native into staging/lineage-18.1_merge_android-security-11.0.0_r67

Android security 11.0.0 release 67

* tag 'android-security-11.0.0_r67' of https://android.googlesource.com/platform/frameworks/native:
  Add removeInstanceForPackageMethod to SensorManager
  Remove some new memory leaks from SensorManager
  Check for malformed Sensor Flattenable

Change-Id: I1951d84b5d5ef8e062f9fbcd8db213607e6a11b1
Test: atest VtsHalSensorManagerV1_0TargetTest
Bug: 278013275
Bug: 269014004
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9)
Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624