From 07cd4cdf216f5120a7c593991d54492f8ae29f6f Mon Sep 17 00:00:00 2001
From: Pablo Ceballos <pceballos@google.com>
Date: Wed, 13 Jul 2016 14:11:57 -0700
Subject: [PATCH 1/3] Region: Detect malicious overflow in unflatten

Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
---
 libs/ui/Region.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index 3810da404..cfed7a984 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
         return NO_MEMORY;
     }
 
+    if (numRects > (UINT32_MAX / sizeof(Rect))) {
+        android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+        return NO_MEMORY;
+    }
+
     Region result;
     result.mStorage.clear();
     for (size_t r = 0; r < numRects; ++r) {

From dbee7f4650dfb419d12ebaf13e96bc54ae880b99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?= <arve@android.com>
Date: Mon, 1 Aug 2016 16:05:17 -0700
Subject: [PATCH 2/3] DO NOT MERGE ServiceManager: Restore basic uid check

Prevent apps from registering services without relying on selinux checks.

Bug: 29431260

Change-Id: I38c6e8bc7f7cba1cbd3568e8fed1ae7ac2054a9b
(cherry picked from commit f03ba2c0d878071603d73b7f8e9a4a468364ac27)
---
 cmds/servicemanager/service_manager.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 7fa9a39f7..4c993c236 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -107,9 +107,14 @@ static bool check_mac_perms_from_lookup(pid_t spid, const char *perm, const char
     return allowed;
 }
 
-static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid)
+static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid)
 {
     const char *perm = "add";
+
+    if (uid >= AID_APP) {
+        return 0; /* Don't allow apps to register services */
+    }
+
     return check_mac_perms_from_lookup(spid, perm, str8(name, name_len)) ? 1 : 0;
 }
 
@@ -204,7 +209,7 @@ int do_add_service(struct binder_state *bs,
     if (!handle || (len == 0) || (len > 127))
         return -1;
 
-    if (!svc_can_register(s, len, spid)) {
+    if (!svc_can_register(s, len, spid, uid)) {
         ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
              str8(s, len), handle, uid);
         return -1;

From 390c2d3512fcbf0f4e1890baef12f3bd1d23dc56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?= <arve@android.com>
Date: Thu, 18 Aug 2016 15:42:35 -0700
Subject: [PATCH 3/3] ServiceManager: Allow system services running as
 secondary users to add services

This should be reverted when all system services have been cleaned up to not
do this. A process looking up a service while running in the background will
see the service registered by the active user (assuming the service is
registered on every user switch), not the service registered by the user that
the process itself belongs to.

BUG: 30795333
Change-Id: I1b74d58be38ed358f43c163692f9e704f8f31dbe
(cherry picked from commit e6bbe69ba739c8a08837134437aaccfea5f1d943)
---
 cmds/servicemanager/Android.mk        | 2 +-
 cmds/servicemanager/service_manager.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/cmds/servicemanager/Android.mk b/cmds/servicemanager/Android.mk
index 155cfc503..5bafd5343 100644
--- a/cmds/servicemanager/Android.mk
+++ b/cmds/servicemanager/Android.mk
@@ -18,7 +18,7 @@ LOCAL_MODULE_TAGS := optional
 include $(BUILD_EXECUTABLE)
 
 include $(CLEAR_VARS)
-LOCAL_SHARED_LIBRARIES := liblog libselinux
+LOCAL_SHARED_LIBRARIES := liblog libcutils libselinux
 LOCAL_SRC_FILES := service_manager.c binder.c
 LOCAL_CFLAGS += $(svc_c_flags)
 LOCAL_MODULE := servicemanager
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 4c993c236..031f84897 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -8,6 +8,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <cutils/multiuser.h>
+
 #include <private/android_filesystem_config.h>
 
 #include <selinux/android.h>
@@ -111,7 +113,7 @@ static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, u
 {
     const char *perm = "add";
 
-    if (uid >= AID_APP) {
+    if (multiuser_get_app_id(uid) >= AID_APP) {
         return 0; /* Don't allow apps to register services */
     }