Commit Graph

3091 Commits

Author SHA1 Message Date
Michael Wachenschwanz 7bb08cbd0c Increment when attempting to read protected Parcel Data
Make sure to increment the parcel data position even when trying to
improperly read from protected data

Bug: 29833520

Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtection
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtectionIncrements
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtection
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtectionIncrements

Change-Id: Ie4aae6277fc5f5c924f603d9828c3a608998b986
Merged-In: Ie4aae6277fc5f5c924f603d9828c3a608998b986
(cherry picked from commit 6a825e8ad1a3928dd872bb7c3fbcd94784d77267)
2018-07-16 20:31:32 +02:00
Michael Wachenschwanz d53a5c4aa9 Disallow reading object data from Parcels with non-object reads
The check added to each non-object reads adds an overhead. If the
objects (binders and file descriptors) were written to the Parcel in
sequential order then check adds a small O(1) overhead to each read,
plus an O(N) overhead to the first read (to verify the N objects were
added in order).
If the objects were written out of order (as in by jumping around the
Parcel
with setDataPosition and writing Binder, DON'T DO THIS!!) (writing non
objects out of order is fine), the first read is forced to sort the
objects
in the internal bookkeeping. Based on the assumption non sequential
writes
are infrequent and overall Parcels are probably mostly sorted, insertion
sort was used. Worst case sorts will add an O(N^2) overhead to the first
non object read from the Parcel.

Test: run cts -m CtsOsTestCases -t android.os.cts.ParcelTest

Bug: 29833520
Change-Id: I82de8eb5f5eb56f869542d5358e96884c24301b2
(cherry picked from commit c517681c66a1a387be657e0cf06da8d19659dd14)
2018-07-16 20:31:22 +02:00
Martijn Coenen 057269956b Don't pad before calling writeInPlace().
writeInplace() itself already pads securely, by masking off
the padded bytes. If the padding is done before calling
writeInplace(), no mask is applied, and heap data can leak.

Bug: 77237570
Test: builds
Change-Id: Ide27a0002d4ed4196530430760245b971f6a3f44
Merged-In: Ide27a0002d4ed4196530430760245b971f6a3f44

(cherry picked from commit f8542381b72a7bb2452a5278a00ca8c34edbf8a0)
(cherry picked from commit 732132b765cd7b667f16cf32f0fe4c852d7d44dd)

Change-Id: Id65e4573e18ab68b804f1cf63a6977a71da01e5d
2018-07-16 20:24:36 +02:00
Chia-I Wu ea0521baee libgui: check for invalid slot in attachBuffer
Bug: 37478824
Test: manual
AOSP-Change-Id: I369337d53539bf7f7e3d925bccdae4045da1b404
(cherry picked from commit c79a29689c1046f1f0301c75df9b9a67cba8bf04)

CVE-2017-0667

Change-Id: I15290a700c2e0f0da9a44bb3131c4e38cadbaed3
2017-07-06 21:41:47 +02:00
Chris Forbes a3a09ef6b4 ui: Fix bad size check in Fence::unflatten
Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.

Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
AOSP-Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad
(cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)

CVE-2017-0666

Change-Id: I778c82b363ca0409d534f255cc5d17b39e751986
2017-07-06 21:37:51 +02:00
Dan Stoza c5fe5044f4 libgui: Check slot received from IGBP in Surface
Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
AOSP-Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
(cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)

CVE-2017-0665

Change-Id: If0fd4864b9fc4ea5a1c83d10adef26cdabb0f7e8
2017-07-06 21:31:56 +02:00
Fabien Sanglard c2983e9d3b Fix SF security vulnerability: 32706020
Because of lack of mutex lock when get mConsumerName, if one thread
getConsumerName, another thread setConsumerName frequently, an UAF will
be triggered.

Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65
Test: Marling with poc provided in bug report.
Bug: 32706020
(cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
(cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
2017-03-13 04:56:11 +00:00
Christopher Tate 0ff545d4a7 Correct overflow check in Parcel resize code
Fix merge conflict into nyc-mr1-release
Bug 31929765

Change-Id: Ie27b9945f1de056624668869bdf9a5578abff467
(cherry picked from commit 65dd433f0db2fe402dc725f7012c6e26769b3224)
(cherry picked from commit b4d6b292bce7d82c93fd454078dedf5a1302b9fa)
2017-03-13 04:55:32 +00:00
Fabien Sanglard 65166fe47d Fix SF security vulnerability: 32660278
Because of lack of mutex lock when get mSidebandStream, if one thread
getSidebandStream, another thread setSidebandStream frequently, an UAF
will be triggered.

Bug: 32660278
Test: Marlin device with poc
Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45
(cherry picked from commit 2d8a2432e04234d9edbb3b099f9bbbaa36ad4843)
(cherry picked from commit 675e212c8c6653825cc3352c603caf2e40b00f9f)
2017-01-13 11:47:31 +01:00
Jessica Wagantall 1c6eb19ad5 Android 6.0.1 release 66
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlfO7kcACgkQ6K0/gZqxDniKDACfe+IKxeKXazFQSWgFI0CW9HUK
 nuQAoIomQRV9NOdD2SVHJR1zyTKXx82E
 =FStj
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r66' into HEAD

Android 6.0.1 release 66

# gpg: Signature made Tue 06 Sep 2016 09:26:47 AM PDT using DSA key ID 9AB10E78
# gpg: Can't check signature: public key not found
2016-09-07 12:40:28 -07:00
Pablo Ceballos 1ecb999624 Region: Detect malicious overflow in unflatten
Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
2016-07-21 17:34:57 -07:00
Mark Salyzyn 839f0dd964 system_server BINDER_TYPE_FD driver ashmem accessors
check if device matches the ashmem rdev, before calling
ashmem_get_size_region. This eliminates making this call
when associated with other driver file descriptors.

Bug: 26374183
Bug: 26918423
Bug: 26871259
Change-Id: I1f88c2c93ea35a73c8e14125f3d1a6c67fa4f15b
2016-07-15 13:04:30 -07:00
Mark Salyzyn d70043eaf4 system_server BINDER_TYPE_FD sockets using ashmem accessors
check if device is a character device, before calling
ashmem_get_size_region. We do not check if the st_rdev
matches /dev/ashmem. So this at least eliminates making
this call when associated with a socket.

Bug: 26374183
Change-Id: I68ed9d1c2cd4c47228ed065e3e18eb4151f038f4
2016-07-15 13:04:30 -07:00
Mark Salyzyn e481771aa3 Parcel: file descriptor leak
Resolve a file descriptor leak when a request for
ashmem size adjustment is not filed.

Change-Id: I4ebccfd096ec5313725fd99dc3e025f9561d061f
2016-07-15 13:04:30 -07:00
Jessica Wagantall cf27ee8089 Merge remote-tracking branch 'remotes/android-6.0.1_r52' into HEAD
Ticket: CYNGNOS-3020

Change-Id: I13076de5caf1546b8eef44417ee83cd9b2cb9d62
2016-07-07 14:15:35 -07:00
Marco Nelissen 54cb02ad73 Correctly handle dup() failure in Parcel::readNativeHandle
bail out if dup() fails, instead of creating an invalid native_handle_t

Bug: 28395952

Change-Id: Ia1a6198c0f45165b9c6a55a803e5f64d8afa0572
2016-05-27 11:31:22 -07:00
Jessica Wagantall 134fddb97d Android 6.0.1 release 43 (MOB30J)
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlcn+/0ACgkQ6K0/gZqxDnjM1wCfYbf5jx2b8bwmkDc5ohgikw8I
 6GsAnjfAWMPO6SNxvB9YuYmuIJW16R4B
 =4iNh
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r43' into HEAD

Ticket: CYNGNOS-2373
Android 6.0.1 release 43 (MOB30J)

Change-Id: I1d6a9cc67ded5dd7d0ee1f17773e326ac0ae87ce
2016-05-03 11:59:50 -07:00
Jessica Wagantall 31d9cccf23 Android 6.0.1 release 24
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlcDBbwACgkQ6K0/gZqxDnhMYQCfVROi/aOR0642Ja6QWTz0O9xP
 Ra4An1OMMl1qJIc66uRZ0V03qP0WIklv
 =AQQB
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r24' into HEAD

Ticket: CYNGNOS-2213
Android 6.0.1 release 24
2016-04-05 12:31:30 -07:00
Dianne Hackborn a59b827869 Fix issue #27252896: Security Vulnerability -- weak binder
Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object.  We need to try to
safely promote to a strong reference first.

Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
2016-03-25 17:47:54 -07:00
Pablo Ceballos a30d7d90c4 BQ: fix some uninitialized variables
Bug 27555981
Bug 27556038

Change-Id: I436b6fec589677d7e36c0e980f6e59808415dc0e
2016-03-25 17:47:54 -07:00
Jessica Wagantall efd11d3c0b Android 6.0.1 release 17
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlbd3qwACgkQ6K0/gZqxDni3xACggqdaKPaP7STGjBxz7H752/Bc
 gHcAoID1Syc0XZO6+lUast7IK2lh3qAc
 =tByv
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r17' into HEAD

Android 6.0.1 release 17
Ticket: CYNGNOS-1854
2016-03-07 18:12:29 -08:00
Pablo Ceballos a93a310187 Add SN logging
Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
2016-03-01 15:26:40 -08:00
Christopher Tate a5d2913b07 Sanity check IMemory access versus underlying mmap
Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
2016-03-01 15:26:40 -08:00
Pablo Ceballos 28a83d4206 BQ: Add permission check to BufferQueueConsumer::dump
Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
2016-03-01 15:26:40 -08:00
Pablo Ceballos 5243afa8fa Add SN logging
Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
2016-02-26 16:56:15 -08:00
Christopher Tate 25719f6e1f Sanity check IMemory access versus underlying mmap
Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
2016-02-26 16:56:14 -08:00
Pablo Ceballos b3a9e6d04d BQ: Add permission check to BufferQueueConsumer::dump
Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
2016-02-26 16:56:14 -08:00
Christopher N. Hesse b0cda680c2 binder: MemoryHeapIon: Fix size_t vs integer formatting mismatch
Change-Id: I58e4ce885bce5fc11f3e36f50a1060b682b4a512
2016-02-20 03:10:19 +01:00
Robert Shih daca8c3407 IGraphicBufferProducer: fix QUEUE_BUFFER info leak
Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8
2016-01-22 13:37:17 -08:00
Robert Shih 93312a3a38 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33
2016-01-22 13:37:16 -08:00
Robert Shih 40ba03fc68 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294 am: 9d959e2755 am: edb7c81a1b
am: 2a7a1247cb

* commit '2a7a1247cb4829daaaa4e6a6ee3e670cd2f068bf':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:54:27 +00:00
Robert Shih 2a7a1247cb IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294 am: 9d959e2755
am: edb7c81a1b

* commit 'edb7c81a1b99d2456910b03db9e4ac250eac2fab':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:52:25 +00:00
Robert Shih edb7c81a1b IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294
am: 9d959e2755

* commit '9d959e275561bcace3aab1f9df009c6c880003fa':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:50:22 +00:00
Robert Shih ec87aa5218 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7 am: 7ee203b59d am: dc252255af
am: 202aaa8f97

* commit '202aaa8f97083b68c0a736f4cd432f61c9b0989d':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:48:17 +00:00
Robert Shih 202aaa8f97 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7 am: 7ee203b59d
am: dc252255af

* commit 'dc252255af835bb3a69bc9a0d01da12419c0fc05':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:45:18 +00:00
Robert Shih 9d959e2755 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c
am: dc9ec35294

* commit 'dc9ec35294b8ec6b6c349b826edc9b44f4ddb96d':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:45:18 +00:00
Robert Shih dc252255af IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7
am: 7ee203b59d

* commit '7ee203b59d9a74d485ce2fdfd07e96b2d10ff23b':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:43:05 +00:00
Robert Shih dc9ec35294 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37
am: 413318311c

* commit '413318311c8cc356dd7e0837ce26e937a9f4c56a':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:38:56 +00:00
Robert Shih 413318311c IGraphicBufferProducer: fix QUEUE_BUFFER info leak
am: d06421fd37

* commit 'd06421fd37fbb7fd07002e6738fac3a223cb1a62':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:27:23 +00:00
Robert Shih 7ee203b59d IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
am: dded8fdbb7

* commit 'dded8fdbb700d6cc498debc69a780915bc34d755':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:26:59 +00:00
Robert Shih d06421fd37 IGraphicBufferProducer: fix QUEUE_BUFFER info leak
Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8
2016-01-11 16:33:17 -08:00
Robert Shih dded8fdbb7 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33
2016-01-11 11:47:42 -08:00
Matt Filetto b17c928090 sensor: Skip additional permission request checks
* Some legacy Samsung HALs supporting BODY_SENSOR types are
  incompatible with the new permission checks added in M.
  Extend the NO_SENSOR_PERMISSION_CHECK flags to cover more
  of the actual checks.

Change-Id: Id2b9b57d8151b0998d9233e0a6541e8c88e06af7
2015-12-21 08:54:18 -08:00
Christopher N. Hesse 8befd14c4a sensor: Allow devices to skip the permission request
This is needed by Samsung devices with pre-M sensor
blobs which have support for SENSOR_TYPE_HEART_RATE
or body sensors in general.
These HALs somehow segfault on the flagged code.

Change-Id: I698f4129e71b683f6f063f00da79f32a5f521149
2015-12-18 15:21:53 -08:00
Christian Poetzsch 31ab17fb0c Fix the execution point of onFrameAvailable/onFrameReplaced callbacks
In a4650a5 the concept of a maximum frame number allowance for the consumer was
introduced. A call to acquireBuffers will only return buffers when their frame
number is less-than-or-equal-to this maximum frame number. When SurfaceFlinger
is the consumer, this maximum  frame number is calculated in the
onFrameAvailable/onFrameReplaced callbacks. These callbacks are called when a
new buffer is dequeued by the application. The problem is that these callbacks
are called _after_ the fence wait which is used to throttle the frame
production of client apps. When the previous frame needs a long time to draw,
those waits can potentially be a long time. As a result SurfaceFlinger won't do
any composition with the new frame until the wait is over.

Normally this isn't a big problem because there is a queue of buffers for
SurfaceFlinger to work with. However, this changes massively when a client app
is using a swap interval of zero. In this case, a new frame will instantly
replace the previous queued frame. However, SurfaceFlinger doesn't know this
until the onFrameReplaced callback gets called - which is delayed by the fence
wait. If the timing is bad, SurfaceFlinger never gets a chance to pick up a new
frame to do the composition with.

We see this behaviour on our TC development system (slow GPU) with legacy
on-screen benchmarks. Such apps are using a swap interval of zero and sometimes
frames don't get updated for several seconds. This behaviour can be also seen
on a Nexus5, although it isn't as obvious as on our TC.

The fix in this cl is to move the EGL throttling to the end of the queueBuffers
function. This ensures that if a frame gets replaced in the queue, all
consumers who installed the callbacks, get called in a timely fashion.

Change-Id: I36e9ecda162150f41e97d4fb7437963a3d86b371
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
2015-12-16 18:46:53 -08:00
forkbomb 7cacf26abb libbinder: allow devices to disable ashmem size tracking
The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.

Change-Id: Ife8514be1ba639c4061de38b59794c46bcc2d7f8
2015-12-10 10:15:49 +11:00
Steve Kondik 4951bcc16e Android 6.0.1 release 3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlZmBAkACgkQ6K0/gZqxDnhgbQCdFLtubCHWtlKUuIEKAVwzv2M3
 2jMAoI4UhN3nLb2Nf6BizcMSF3xo1pKO
 =NS5T
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r3' of https://android.googlesource.com/platform/frameworks/native into cm-13.0

Android 6.0.1 release 3

Change-Id: I437aaf148d440a8144afe1454948980fc3b40cca
2015-12-07 17:07:16 -08:00
forkbomb 53602ffde5 libbinder: allow devices to disable ashmem size tracking
The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.

Change-Id: Ida52cec851a6f9d5a57c8f9130a5875c03dcb094
2015-12-04 15:42:51 +11:00
Caio Schnepper 8c39282e31 libgui: Don't assign handle to NULL after free is common
Reportedly Mali and PowerVR GPUs are crashing when setting handle to NULL
So we will set a flag for the devices that might need this aswell

Set BOARD_EGL_NEEDS_HANDLE_VALUE=true in BoardConfig.mk to use

Change-Id: I6c967f62dc6adced7583d7b2045d11cf5b25fc80
2015-11-25 17:51:30 -02:00
Caio Schnepper eed845539a libgui: Don't assign handle to NULL after free
This reverts c784dfc39f for exynos4 devices
with Mali 400 GPUs, which causes a fatal signal (SIGSEGV) and death of
the graphics subsystem

Change-Id: I6dbf8f8664fca01baf63fece7c64016609fe3e1c
2015-11-23 18:39:58 -02:00