Commit Graph

880 Commits

Author SHA1 Message Date
Chia-I Wu
ea0521baee libgui: check for invalid slot in attachBuffer
Bug: 37478824
Test: manual
AOSP-Change-Id: I369337d53539bf7f7e3d925bccdae4045da1b404
(cherry picked from commit c79a29689c1046f1f0301c75df9b9a67cba8bf04)

CVE-2017-0667

Change-Id: I15290a700c2e0f0da9a44bb3131c4e38cadbaed3
2017-07-06 21:41:47 +02:00
Dan Stoza
c5fe5044f4 libgui: Check slot received from IGBP in Surface
Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
AOSP-Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
(cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)

CVE-2017-0665

Change-Id: If0fd4864b9fc4ea5a1c83d10adef26cdabb0f7e8
2017-07-06 21:31:56 +02:00
Fabien Sanglard
c2983e9d3b Fix SF security vulnerability: 32706020
Because of lack of mutex lock when get mConsumerName, if one thread
getConsumerName, another thread setConsumerName frequently, an UAF will
be triggered.

Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65
Test: Marling with poc provided in bug report.
Bug: 32706020
(cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
(cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
2017-03-13 04:56:11 +00:00
Fabien Sanglard
65166fe47d Fix SF security vulnerability: 32660278
Because of lack of mutex lock when get mSidebandStream, if one thread
getSidebandStream, another thread setSidebandStream frequently, an UAF
will be triggered.

Bug: 32660278
Test: Marlin device with poc
Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45
(cherry picked from commit 2d8a2432e04234d9edbb3b099f9bbbaa36ad4843)
(cherry picked from commit 675e212c8c6653825cc3352c603caf2e40b00f9f)
2017-01-13 11:47:31 +01:00
Jessica Wagantall
134fddb97d Android 6.0.1 release 43 (MOB30J)
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlcn+/0ACgkQ6K0/gZqxDnjM1wCfYbf5jx2b8bwmkDc5ohgikw8I
 6GsAnjfAWMPO6SNxvB9YuYmuIJW16R4B
 =4iNh
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r43' into HEAD

Ticket: CYNGNOS-2373
Android 6.0.1 release 43 (MOB30J)

Change-Id: I1d6a9cc67ded5dd7d0ee1f17773e326ac0ae87ce
2016-05-03 11:59:50 -07:00
Jessica Wagantall
31d9cccf23 Android 6.0.1 release 24
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlcDBbwACgkQ6K0/gZqxDnhMYQCfVROi/aOR0642Ja6QWTz0O9xP
 Ra4An1OMMl1qJIc66uRZ0V03qP0WIklv
 =AQQB
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r24' into HEAD

Ticket: CYNGNOS-2213
Android 6.0.1 release 24
2016-04-05 12:31:30 -07:00
Pablo Ceballos
a30d7d90c4 BQ: fix some uninitialized variables
Bug 27555981
Bug 27556038

Change-Id: I436b6fec589677d7e36c0e980f6e59808415dc0e
2016-03-25 17:47:54 -07:00
Jessica Wagantall
efd11d3c0b Android 6.0.1 release 17
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlbd3qwACgkQ6K0/gZqxDni3xACggqdaKPaP7STGjBxz7H752/Bc
 gHcAoID1Syc0XZO6+lUast7IK2lh3qAc
 =tByv
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r17' into HEAD

Android 6.0.1 release 17
Ticket: CYNGNOS-1854
2016-03-07 18:12:29 -08:00
Pablo Ceballos
a93a310187 Add SN logging
Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
2016-03-01 15:26:40 -08:00
Pablo Ceballos
28a83d4206 BQ: Add permission check to BufferQueueConsumer::dump
Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
2016-03-01 15:26:40 -08:00
Pablo Ceballos
5243afa8fa Add SN logging
Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
2016-02-26 16:56:15 -08:00
Pablo Ceballos
b3a9e6d04d BQ: Add permission check to BufferQueueConsumer::dump
Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
2016-02-26 16:56:14 -08:00
Robert Shih
daca8c3407 IGraphicBufferProducer: fix QUEUE_BUFFER info leak
Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8
2016-01-22 13:37:17 -08:00
Robert Shih
93312a3a38 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33
2016-01-22 13:37:16 -08:00
Robert Shih
40ba03fc68 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294 am: 9d959e2755 am: edb7c81a1b
am: 2a7a1247cb

* commit '2a7a1247cb4829daaaa4e6a6ee3e670cd2f068bf':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:54:27 +00:00
Robert Shih
2a7a1247cb IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294 am: 9d959e2755
am: edb7c81a1b

* commit 'edb7c81a1b99d2456910b03db9e4ac250eac2fab':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:52:25 +00:00
Robert Shih
edb7c81a1b IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294
am: 9d959e2755

* commit '9d959e275561bcace3aab1f9df009c6c880003fa':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:50:22 +00:00
Robert Shih
ec87aa5218 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7 am: 7ee203b59d am: dc252255af
am: 202aaa8f97

* commit '202aaa8f97083b68c0a736f4cd432f61c9b0989d':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:48:17 +00:00
Robert Shih
202aaa8f97 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7 am: 7ee203b59d
am: dc252255af

* commit 'dc252255af835bb3a69bc9a0d01da12419c0fc05':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:45:18 +00:00
Robert Shih
9d959e2755 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c
am: dc9ec35294

* commit 'dc9ec35294b8ec6b6c349b826edc9b44f4ddb96d':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:45:18 +00:00
Robert Shih
dc252255af IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7
am: 7ee203b59d

* commit '7ee203b59d9a74d485ce2fdfd07e96b2d10ff23b':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:43:05 +00:00
Robert Shih
dc9ec35294 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37
am: 413318311c

* commit '413318311c8cc356dd7e0837ce26e937a9f4c56a':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:38:56 +00:00
Robert Shih
413318311c IGraphicBufferProducer: fix QUEUE_BUFFER info leak
am: d06421fd37

* commit 'd06421fd37fbb7fd07002e6738fac3a223cb1a62':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:27:23 +00:00
Robert Shih
7ee203b59d IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
am: dded8fdbb7

* commit 'dded8fdbb700d6cc498debc69a780915bc34d755':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:26:59 +00:00
Robert Shih
d06421fd37 IGraphicBufferProducer: fix QUEUE_BUFFER info leak
Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8
2016-01-11 16:33:17 -08:00
Robert Shih
dded8fdbb7 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33
2016-01-11 11:47:42 -08:00
Matt Filetto
b17c928090 sensor: Skip additional permission request checks
* Some legacy Samsung HALs supporting BODY_SENSOR types are
  incompatible with the new permission checks added in M.
  Extend the NO_SENSOR_PERMISSION_CHECK flags to cover more
  of the actual checks.

Change-Id: Id2b9b57d8151b0998d9233e0a6541e8c88e06af7
2015-12-21 08:54:18 -08:00
Christopher N. Hesse
8befd14c4a sensor: Allow devices to skip the permission request
This is needed by Samsung devices with pre-M sensor
blobs which have support for SENSOR_TYPE_HEART_RATE
or body sensors in general.
These HALs somehow segfault on the flagged code.

Change-Id: I698f4129e71b683f6f063f00da79f32a5f521149
2015-12-18 15:21:53 -08:00
Christian Poetzsch
31ab17fb0c Fix the execution point of onFrameAvailable/onFrameReplaced callbacks
In a4650a5 the concept of a maximum frame number allowance for the consumer was
introduced. A call to acquireBuffers will only return buffers when their frame
number is less-than-or-equal-to this maximum frame number. When SurfaceFlinger
is the consumer, this maximum  frame number is calculated in the
onFrameAvailable/onFrameReplaced callbacks. These callbacks are called when a
new buffer is dequeued by the application. The problem is that these callbacks
are called _after_ the fence wait which is used to throttle the frame
production of client apps. When the previous frame needs a long time to draw,
those waits can potentially be a long time. As a result SurfaceFlinger won't do
any composition with the new frame until the wait is over.

Normally this isn't a big problem because there is a queue of buffers for
SurfaceFlinger to work with. However, this changes massively when a client app
is using a swap interval of zero. In this case, a new frame will instantly
replace the previous queued frame. However, SurfaceFlinger doesn't know this
until the onFrameReplaced callback gets called - which is delayed by the fence
wait. If the timing is bad, SurfaceFlinger never gets a chance to pick up a new
frame to do the composition with.

We see this behaviour on our TC development system (slow GPU) with legacy
on-screen benchmarks. Such apps are using a swap interval of zero and sometimes
frames don't get updated for several seconds. This behaviour can be also seen
on a Nexus5, although it isn't as obvious as on our TC.

The fix in this cl is to move the EGL throttling to the end of the queueBuffers
function. This ensures that if a frame gets replaced in the queue, all
consumers who installed the callbacks, get called in a timely fashion.

Change-Id: I36e9ecda162150f41e97d4fb7437963a3d86b371
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
2015-12-16 18:46:53 -08:00
Steve Kondik
4951bcc16e Android 6.0.1 release 3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlZmBAkACgkQ6K0/gZqxDnhgbQCdFLtubCHWtlKUuIEKAVwzv2M3
 2jMAoI4UhN3nLb2Nf6BizcMSF3xo1pKO
 =NS5T
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r3' of https://android.googlesource.com/platform/frameworks/native into cm-13.0

Android 6.0.1 release 3

Change-Id: I437aaf148d440a8144afe1454948980fc3b40cca
2015-12-07 17:07:16 -08:00
Byunghun Jeon
987034b563 SurfaceFlinger: Native changes to add blur effect
Native changes to add blur-behind and blur mask effect

Change-Id: I54faf82d750e8299de6d261f6a893ab26d08df84

SurfaceFlinger: Adding template for LayerBlur files

Change-Id: I444009113b7bdd6c5284863fd1f56358e67d9fe6

SurfaceFlinger: Featurize libuiblur module for OSS build

Change-Id: Ifdc176e699434125d17b111c044b8ba954cf717c
2015-11-08 01:07:13 -08:00
Ricardo Cerqueira
1cdd1b5ad2 Android 6.0.0 release 26
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlYxAgIACgkQ6K0/gZqxDnjCqACfbBT6VOiUFQvRn7w1SAa+4rjF
 1IwAn2rBUqWo0dOKVwF1DDfFmGZXc8SB
 =1BqV
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.0_r26' into HEAD

Android 6.0.0 release 26

Conflicts:
	include/android/input.h

Change-Id: Ifa374c6d3055be3b8a5d60967f8b4c0043da739b
2015-11-05 01:41:42 +00:00
Ricardo Cerqueira
60c26d1f27 Android 6.0.0 release 5
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlYyZAgACgkQ6K0/gZqxDng/ZgCfUJK3qqr1BvYmWlGZsQ4+taVP
 6NEAnRLWjoF9kSyraCa/VG+w2tUrS80Y
 =xUfb
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.0_r5' into cm-13.0

Android 6.0.0 release 5
2015-11-03 23:27:50 +00:00
Ricardo Cerqueira
f4fac7e93f Support forcing all screenshots into a CPU consumer
Looks like a full GPU path is less efficient on some GPU
drivers that we're still using, and CPU is reliably faster...
(there's probably a locking condition going on somewhere, this
needs to be looked into)

Change-Id: I8878796a117d65bf2324507cf8755cadce49f6dc
2015-10-16 14:45:55 -07:00
Pawit Pornkitprasan
fd1fb639a1 Bring back support for glReadPixels screenshot path
Squashed commit of the following:

commit 012d3fe41d1d6cd38a0858b59145e9a4447641fa
Author: Hashcode <hashcode0f@gmail.com>
Date:   Sun Dec 8 19:36:50 2013 +0000

    sf: Always use opengles for screen capture

    Go back to the usage of GRALLOC_USAGE_HW_TEXTURE and GRALLOC_USAGE_HW_RENDERER
    in captureScreenImplLocked regardless of useReadPixels value

    This fixes the EGL_NO_IMAGE_KHR error returned from
    eglCreateImageKHR (blank images returned from screenshot path)

    Change-Id: I62fe90a081607b9e89c67f3dcfd34c84efc89d35

commit 4866ddf98ac98d8e22a1cd6a21894bb17f274588
Author: Ricardo Cerqueira <cyanogenmod@cerqueira.org>
Date:   Thu Oct 31 03:53:39 2013 +0000

    Revert "remove support for glReadPixels screenshot path"

    This reverts commit 3ca76f416b.

    Conflicts:
    	include/gui/ISurfaceComposer.h
    	libs/gui/ISurfaceComposer.cpp
    	libs/gui/SurfaceComposerClient.cpp
    	services/surfaceflinger/SurfaceFlinger.cpp
    	services/surfaceflinger/SurfaceFlinger.h

    Change-Id: I8c239e533757af770e418dbb198f5a86c736961f

Change-Id: I8c239e533757af770e418dbb198f5a86c736961f
2015-10-16 14:45:10 -07:00
Aravind Akella
2ac7405bda Merge "Set DATA_INJECTION mode flag for sensors." into mnc-dr-dev 2015-10-14 21:03:07 +00:00
Baldev Sahu
a1288c979d libgui: Copyback all region except dirty region for newly allocated buffer
Inside Surface::lock if new buffer is allocated
and DirtyRegion does not cover complete buffer
bounds then copyback may not cover all remaining area
as it copyback only area covered by dirty regions
from other buffers. This will lead to left out
black area which may cause flicker.

Change-Id: I4a3f7a56fc5fbaf4af926584919577d8d34bed57
2015-10-06 03:22:27 -06:00
Omprakash Dhyade
8760f1673e fix copy back dirty region
Copyback dirty region logic does copyback,
even when its not necessary causing 2ms delay.
Fix the logic to copy back only what is necessary

CRs-fixed: 562334
Change-Id: I52de68258ac9f87d704ee5401f93417805fa6773
2015-10-06 03:22:27 -06:00
Naveen Leekha
846d747274 Initialize local variables to avoid data leak
The uninitialized local variables pick up
whatever the memory content was there on stack.
This data gets sent to the remote process in
case of a failed transaction, which is a security
issue. Fixed.

(Partial manual merge of master change
 12ba0f57d028a9c8f4eb3afddc326b70677d1e0c. Rest
 to automerge from klp-dev)

For b/23696300

Change-Id: I704c9fab327b3545c58e8a9a96ac542eb7469c2a
2015-09-28 17:08:24 -07:00
Naveen Leekha
b0127aadaf am 69412a51: am c4bd7211: resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
* commit '69412a51f58fa9450f1cb077c8d4b6410128d993':
  resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
2015-09-24 23:35:41 +00:00
Naveen Leekha
69412a51f5 am c4bd7211: resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
* commit 'c4bd7211373cf5b745c7d4f849f43f7a2d2b1141':
  resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
2015-09-24 23:27:31 +00:00
Naveen Leekha
c4bd721137 resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
Change-Id: I543df164076b44578b14d41031800bb62b81586d
2015-09-24 15:55:21 -07:00
Naveen Leekha
83e60e4257 am 571e27e2: am e889592e: am 73887c08: am b414255f: Initialize local variables to avoid data leak
* commit '571e27e20e30560985d7c3a3ba8885693695b0fc':
  Initialize local variables to avoid data leak
2015-09-24 22:26:22 +00:00
Naveen Leekha
571e27e20e am e889592e: am 73887c08: am b414255f: Initialize local variables to avoid data leak
* commit 'e889592e33891c9b88ff6ba655426118f8ef12ee':
  Initialize local variables to avoid data leak
2015-09-24 22:20:59 +00:00
Naveen Leekha
7534e4e63a am 18165848: am e2c4f4fb: am c1e6fbb5: Initialize local variables to avoid data leak
* commit '18165848e86feab8656bfdac3173bccf45a9a6df':
  Initialize local variables to avoid data leak
2015-09-24 22:20:05 +00:00
Naveen Leekha
e889592e33 am 73887c08: am b414255f: Initialize local variables to avoid data leak
* commit '73887c0864c9a928db6f66bd48c5aea4d31d9a8b':
  Initialize local variables to avoid data leak
2015-09-24 22:13:06 +00:00
Naveen Leekha
18165848e8 am e2c4f4fb: am c1e6fbb5: Initialize local variables to avoid data leak
* commit 'e2c4f4fb8b34e36a4f2760f3812c942604cabfb6':
  Initialize local variables to avoid data leak
2015-09-24 22:04:48 +00:00
Naveen Leekha
73887c0864 am b414255f: Initialize local variables to avoid data leak
* commit 'b414255f53b560a06e642251535b019327ba0d7b':
  Initialize local variables to avoid data leak
2015-09-24 22:00:33 +00:00
Naveen Leekha
e2c4f4fb8b am c1e6fbb5: Initialize local variables to avoid data leak
* commit 'c1e6fbb52c3f85cc7610d1d07d12be38f70b4ed4':
  Initialize local variables to avoid data leak
2015-09-24 22:00:13 +00:00
Naveen Leekha
b414255f53 Initialize local variables to avoid data leak
The uninitialized local variables pick up
whatever the memory content was there on stack.
This data gets sent to the remote process in
case of a failed transaction, which is a security
issue. Fixed.

(Partial manual merge of master change
 12ba0f57d028a9c8f4eb3afddc326b70677d1e0c. Rest
 to automerge from klp-dev)

For b/23696300

Change-Id: I704c9fab327b3545c58e8a9a96ac542eb7469c2a
2015-09-22 18:04:44 -07:00