From 07cd4cdf216f5120a7c593991d54492f8ae29f6f Mon Sep 17 00:00:00 2001
From: Pablo Ceballos
Date: Wed, 13 Jul 2016 14:11:57 -0700
Subject: [PATCH 1/3] Region: Detect malicious overflow in unflatten
Bug 29983260
Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
---
 libs/ui/Region.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index 3810da404..cfed7a984 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
 return NO_MEMORY;
 }
+ if (numRects > (UINT32_MAX / sizeof(Rect))) {
+ android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+ return NO_MEMORY;
+ }
+
 Region result;
 result.mStorage.clear();
 for (size_t r = 0; r < numRects; ++r) {
From dbee7f4650dfb419d12ebaf13e96bc54ae880b99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=
Date: Mon, 1 Aug 2016 16:05:17 -0700
Subject: [PATCH 2/3] DO NOT MERGE ServiceManager: Restore basic uid check
Prevent apps from registering services without relying on selinux checks.
Bug: 29431260
Change-Id: I38c6e8bc7f7cba1cbd3568e8fed1ae7ac2054a9b
(cherry picked from commit f03ba2c0d878071603d73b7f8e9a4a468364ac27)
---
 cmds/servicemanager/service_manager.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 7fa9a39f7..4c993c236 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
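Review bot: In Region::unflatten the new `numRects > (UINT32_MAX / sizeof(Rect))` guard is placed after an earlier check that already returns NO_MEMORY, and that check lies outside this hunk; if it compares `size` with `numRects * sizeof(Rect)`, the product is still evaluated before the overflow guard runs. No statement sits between the two checks, so a wrapped product is still rejected, but putting the guard first, or writing the size comparison as `numRects > size / sizeof(Rect)`, removes the dependence on statement order. A short comment such as `// 0x534e4554 ("SNET") is the security event-log tag; "29983260" is the bug id` would also explain the constant passed to android_errorWriteWithInfoLog. The function body begins and continues outside the hunk.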
@@ -107,9 +107,14 @@ static bool check_mac_perms_from_lookup(pid_t spid, const char *perm, const char
 return allowed;
 }
-static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid)
+static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid)
 {
 const char *perm = "add";
+
+ if (uid >= AID_APP) {
+ return 0; /* Don't allow apps to register services */
+ }
+
 return check_mac_perms_from_lookup(spid, perm, str8(name, name_len)) ? 1 : 0;
 }
@@ -204,7 +209,7 @@ int do_add_service(struct binder_state *bs,
 if (!handle || (len == 0) || (len > 127)) return -1;
- if (!svc_can_register(s, len, spid)) {
+ if (!svc_can_register(s, len, spid, uid)) {
 ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n", str8(s, len), handle, uid);
 return -1;
From 390c2d3512fcbf0f4e1890baef12f3bd1d23dc56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=
Date: Thu, 18 Aug 2016 15:42:35 -0700
Subject: [PATCH 3/3] ServiceManager: Allow system services running as secondary users to add services
This should be reverted when all system services have been cleaned up to not do this. A process looking up a service while running in the background will see the service registered by the active user (assuming the service is registered on every user switch), not the service registered by the user that the process itself belongs to.
BUG: 30795333
Change-Id: I1b74d58be38ed358f43c163692f9e704f8f31dbe
(cherry picked from commit e6bbe69ba739c8a08837134437aaccfea5f1d943)
---
 cmds/servicemanager/Android.mk | 2 +-
 cmds/servicemanager/service_manager.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/cmds/servicemanager/Android.mk b/cmds/servicemanager/Android.mk
index 155cfc503..5bafd5343 100644
--- a/cmds/servicemanager/Android.mk
+++ b/cmds/servicemanager/Android.mk
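Review bot: svc_can_register now bases an access decision on its new `uid` argument, but nothing in the function or this hunk states where that value must come from; the call in do_add_service passes a variable named `uid` whose origin is outside the hunk. A header comment would pin the contract, for example `/* uid must be the caller identity supplied by the transport, never a value taken from the request; returns 1 to allow, 0 to deny */`. Because the uid gate returns before check_mac_perms_from_lookup, a denied app never reaches the SELinux lookup, so the ALOGE in do_add_service is presumably the only trace of the attempt; that is worth stating in the same comment.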
@@ -18,7 +18,7 @@ LOCAL_MODULE_TAGS := optional
 include $(BUILD_EXECUTABLE)
 include $(CLEAR_VARS)
-LOCAL_SHARED_LIBRARIES := liblog libselinux
+LOCAL_SHARED_LIBRARIES := liblog libcutils libselinux
 LOCAL_SRC_FILES := service_manager.c binder.c
 LOCAL_CFLAGS += $(svc_c_flags)
 LOCAL_MODULE := servicemanager
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 4c993c236..031f84897 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -8,6 +8,8 @@
 #include
 #include
+#include
+
 #include
 #include
@@ -111,7 +113,7 @@ static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, u
 {
 const char *perm = "add";
- if (uid >= AID_APP) {
+ if (multiuser_get_app_id(uid) >= AID_APP) {
 return 0; /* Don't allow apps to register services */
 }
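Review bot: The commit message calls this relaxation temporary, yet the changed line in svc_can_register carries no marker of that, and the comment `/* Don't allow apps to register services */` no longer describes the whole rule, since any uid whose app id is below AID_APP now passes this gate regardless of user. I would add above the check `/* TODO(30795333): revert to the raw uid comparison once system services stop registering from secondary users */`. The message also notes that a background process will see the service registered by the active user rather than by its own user; one sentence on that in the comment would keep the cross-user effect visible to whoever next touches this check. The function's signature and tail are outside the hunk.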