From 78f9ca0f1fe32f2d25017ca35d3b2d5f20bba177 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=2E=20Andrei=20M=C4=83ce=C8=99?= Date: Tue, 17 Jan 2017 18:09:43 -0500 Subject: [PATCH 1/4] libEGL: Only enable WORKAROUND_BUG_10194508 with board flag Change-Id: Id0d000dc5397479a0cd73799f93861693179a663
---
opengl/libs/Android.mk | 3 ---
1 file changed, 3 deletions(-)
diff --git a/opengl/libs/Android.mk b/opengl/libs/Android.mk
index 870c2bd01..3d2b8cfab 100644
--- a/opengl/libs/Android.mk
+++ b/opengl/libs/Android.mk
@@ -47,9 +47,6 @@ LOCAL_CFLAGS += -DEGL_TRACE=1
 ifeq ($(BOARD_ALLOW_EGL_HIBERNATION),true)
 LOCAL_CFLAGS += -DBOARD_ALLOW_EGL_HIBERNATION
 endif
-ifeq ($(TARGET_BOARD_PLATFORM), omap4)
- LOCAL_CFLAGS += -DWORKAROUND_BUG_10194508=1
-endif
 ifeq ($(BOARD_EGL_WORKAROUND_BUG_10194508),true)
 LOCAL_CFLAGS += -DWORKAROUND_BUG_10194508=1
 endif
From 0ff545d4a7ab8ceb76a0e90c11cf83adebe8b140 Mon Sep 17 00:00:00 2001 From: Christopher Tate Date: Thu, 3 Nov 2016 13:32:41 -0700 Subject: [PATCH 2/4] Correct overflow check in Parcel resize code Fix merge conflict into nyc-mr1-release Bug 31929765 Change-Id: Ie27b9945f1de056624668869bdf9a5578abff467 (cherry picked from commit 65dd433f0db2fe402dc725f7012c6e26769b3224) (cherry picked from commit b4d6b292bce7d82c93fd454078dedf5a1302b9fa)
---
libs/binder/Parcel.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 65e67d6a7..4690a8233 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -553,7 +553,7 @@ status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len)
 // grow objects
 if (mObjectsCapacity < mObjectsSize + numObjects) {
 size_t newSize = ((mObjectsSize + numObjects)*3)/2;
- if (newSize < mObjectsSize) return NO_MEMORY; // overflow
+ if (newSize*sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
 binder_size_t *objects =
 (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
 if (objects == (binder_size_t*)0) {
@@ -1113,7 +1113,7 @@ restart_write:
 }
 if (!enoughObjects) {
 size_t newSize = ((mObjectsSize+2)*3)/2;
- if (newSize < mObjectsSize) return NO_MEMORY; // overflow
+ if (newSize*sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
 binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
 if (objects == NULL) return NO_MEMORY;
 mObjects = objects;
From c2983e9d3bc3905d06a8b7dfa58548687c50634a Mon Sep 17 00:00:00 2001 From: Fabien Sanglard Date: Tue, 8 Nov 2016 15:35:02 -0800 Subject: [PATCH 3/4] Fix SF security vulnerability: 32706020 Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered. Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65 Test: Marling with poc provided in bug report. Bug: 32706020 (cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436) (cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
---
libs/gui/BufferQueueProducer.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index a941e2d29..5db0b3754 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
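Review bot: The new guard `if (newSize*sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY;` in appendFrom compares a byte count with an element count, so a product that wraps past SIZE_MAX can still land above mObjectsSize and fall through to `realloc()` with a too-small size while mObjectsCapacity is presumably set to the full newSize; the identical line in the second hunk (under `restart_write:`) has the same weakness. The old `newSize < mObjectsSize` test is also gone, so an overflow in the preceding `*3` is no longer checked at all. Testing the multiplicand before multiplying covers both without any wrap-around: `if (newSize < mObjectsSize || newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow`. Both enclosing functions begin and end outside their hunks.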
@@ -1091,6 +1091,7 @@ status_t BufferQueueProducer::setGenerationNumber(uint32_t generationNumber) { String8 BufferQueueProducer::getConsumerName() const { ATRACE_CALL(); + Mutex::Autolock lock(mCore->mMutex); BQ_LOGV("getConsumerName: %s", mConsumerName.string()); return mConsumerName; }
From e34afe0a4bd8092cca89a607c994124a9ddb28b9 Mon Sep 17 00:00:00 2001 From: Fabien Sanglard Date: Wed, 18 Jan 2017 16:43:18 -0800 Subject: [PATCH 4/4] Fix security vulnerability AOSP-Change-Id: I4c9ea3a3177131fa29d2561da71ef18bec3af108 Test: angler, marlin Bug: 32628763 CVE-2017-0546 Change-Id: I3e87518163540a9fce1d4fc3751ed558d4854140 (cherry picked from commit 45b202513ba7440beaefbf9928f73fb6683dcfbd)
---
services/surfaceflinger/SurfaceFlinger.cpp | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 441bad892..941257c25 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -2249,8 +2249,7 @@ void SurfaceFlinger::setTransactionState(
 if (s.client != NULL) {
 sp binder = IInterface::asBinder(s.client);
 if (binder != NULL) {
- String16 desc(binder->getInterfaceDescriptor());
- if (desc == ISurfaceComposerClient::descriptor) {
+ if (binder->queryLocalInterface(ISurfaceComposerClient::descriptor) != NULL) {
 sp client( static_cast(s.client.get()) );
 transactionFlags |= setClientStateLocked(client, s.state);
 }
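Review bot: The added `Mutex::Autolock lock(mCore->mMutex);` in getConsumerName carries no comment naming the invariant it restores, and the writer of mConsumerName is not in this hunk, so a reader cannot confirm that the setter takes the same mCore->mMutex — presumably it does, verify. I would put above the lock line `// mConsumerName can be replaced concurrently by the consumer side; hold mCore->mMutex while it is logged and copied so the String8 we return is never built from a freed buffer.` The `return mConsumerName;` does copy under the lock, because the Autolock is destroyed only after the return value is constructed, and that ordering is the property the comment should pin down.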
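Review bot: The new `if (binder->queryLocalInterface(ISurfaceComposerClient::descriptor) != NULL)` is what makes the following `static_cast` to Client defensible, but the line does not say so, and the descriptor-string comparison it replaces looked just as convincing, so nothing stops a later cleanup from reverting to it. I would add above the `if`: `// Only an in-process ISurfaceComposerClient answers queryLocalInterface(); a remote binder's descriptor string is chosen by the caller, so it must not be used to justify the static_cast below.` The test also proves only a local ISurfaceComposerClient, not a Client specifically, so it presumably relies on Client being the sole in-process implementation — worth stating in the same comment. setTransactionState begins and ends outside the hunk.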