3083 Commits

Author SHA1 Message Date
Fabien Sanglard
65166fe47d Fix SF security vulnerability: 32660278
Because of the lack of a mutex lock when getting mSidebandStream, if one thread
calls getSidebandStream while another thread calls setSidebandStream frequently,
a UAF will be triggered.

Bug: 32660278
Test: Marlin device with poc
Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45
(cherry picked from commit 2d8a2432e04234d9edbb3b099f9bbbaa36ad4843)
(cherry picked from commit 675e212c8c6653825cc3352c603caf2e40b00f9f)
2017-01-13 11:47:31 +01:00
Jessica Wagantall
1c6eb19ad5 Android 6.0.1 release 66

Merge tag 'android-6.0.1_r66' into HEAD

Android 6.0.1 release 66

# gpg: Signature made Tue 06 Sep 2016 09:26:47 AM PDT using DSA key ID 9AB10E78
# gpg: Can't check signature: public key not found
2016-09-07 12:40:28 -07:00
Pablo Ceballos
1ecb999624 Region: Detect malicious overflow in unflatten
Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
2016-07-21 17:34:57 -07:00
Mark Salyzyn
839f0dd964 system_server BINDER_TYPE_FD driver ashmem accessors
check if device matches the ashmem rdev, before calling
ashmem_get_size_region. This eliminates making this call
when associated with other driver file descriptors.

Bug: 26374183
Bug: 26918423
Bug: 26871259
Change-Id: I1f88c2c93ea35a73c8e14125f3d1a6c67fa4f15b
2016-07-15 13:04:30 -07:00
Mark Salyzyn
d70043eaf4 system_server BINDER_TYPE_FD sockets using ashmem accessors
check if device is a character device, before calling
ashmem_get_size_region. We do not check if the st_rdev
matches /dev/ashmem. So this at least eliminates making
this call when associated with a socket.

Bug: 26374183
Change-Id: I68ed9d1c2cd4c47228ed065e3e18eb4151f038f4
2016-07-15 13:04:30 -07:00
Mark Salyzyn
e481771aa3 Parcel: file descriptor leak
Resolve a file descriptor leak when a request for
ashmem size adjustment is not filed.

Change-Id: I4ebccfd096ec5313725fd99dc3e025f9561d061f
2016-07-15 13:04:30 -07:00
Jessica Wagantall
cf27ee8089 Merge remote-tracking branch 'remotes/android-6.0.1_r52' into HEAD
Ticket: CYNGNOS-3020

Change-Id: I13076de5caf1546b8eef44417ee83cd9b2cb9d62
2016-07-07 14:15:35 -07:00
Marco Nelissen
54cb02ad73 Correctly handle dup() failure in Parcel::readNativeHandle
bail out if dup() fails, instead of creating an invalid native_handle_t

Bug: 28395952

Change-Id: Ia1a6198c0f45165b9c6a55a803e5f64d8afa0572
2016-05-27 11:31:22 -07:00
Jessica Wagantall
134fddb97d Android 6.0.1 release 43 (MOB30J)

Merge tag 'android-6.0.1_r43' into HEAD

Ticket: CYNGNOS-2373
Android 6.0.1 release 43 (MOB30J)

Change-Id: I1d6a9cc67ded5dd7d0ee1f17773e326ac0ae87ce
2016-05-03 11:59:50 -07:00
Jessica Wagantall
31d9cccf23 Android 6.0.1 release 24

Merge tag 'android-6.0.1_r24' into HEAD

Ticket: CYNGNOS-2213
Android 6.0.1 release 24
2016-04-05 12:31:30 -07:00
Dianne Hackborn
a59b827869 Fix issue #27252896: Security Vulnerability -- weak binder
Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object.  We need to try to
safely promote to a strong reference first.

Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
2016-03-25 17:47:54 -07:00
Pablo Ceballos
a30d7d90c4 BQ: fix some uninitialized variables
Bug 27555981
Bug 27556038

Change-Id: I436b6fec589677d7e36c0e980f6e59808415dc0e
2016-03-25 17:47:54 -07:00
Jessica Wagantall
efd11d3c0b Android 6.0.1 release 17

Merge tag 'android-6.0.1_r17' into HEAD

Android 6.0.1 release 17
Ticket: CYNGNOS-1854
2016-03-07 18:12:29 -08:00
Pablo Ceballos
a93a310187 Add SN logging
Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
2016-03-01 15:26:40 -08:00
Christopher Tate
a5d2913b07 Sanity check IMemory access versus underlying mmap
Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
2016-03-01 15:26:40 -08:00
Pablo Ceballos
28a83d4206 BQ: Add permission check to BufferQueueConsumer::dump
Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
2016-03-01 15:26:40 -08:00
Pablo Ceballos
5243afa8fa Add SN logging
Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
2016-02-26 16:56:15 -08:00
Christopher Tate
25719f6e1f Sanity check IMemory access versus underlying mmap
Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
2016-02-26 16:56:14 -08:00
Pablo Ceballos
b3a9e6d04d BQ: Add permission check to BufferQueueConsumer::dump
Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
2016-02-26 16:56:14 -08:00
Christopher N. Hesse
b0cda680c2 binder: MemoryHeapIon: Fix size_t vs integer formatting mismatch
Change-Id: I58e4ce885bce5fc11f3e36f50a1060b682b4a512
2016-02-20 03:10:19 +01:00
Robert Shih
daca8c3407 IGraphicBufferProducer: fix QUEUE_BUFFER info leak
Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8
2016-01-22 13:37:17 -08:00
Robert Shih
93312a3a38 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33
2016-01-22 13:37:16 -08:00
Robert Shih
40ba03fc68 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294 am: 9d959e2755 am: edb7c81a1b
am: 2a7a1247cb

* commit '2a7a1247cb4829daaaa4e6a6ee3e670cd2f068bf':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:54:27 +00:00
Robert Shih
2a7a1247cb IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294 am: 9d959e2755
am: edb7c81a1b

* commit 'edb7c81a1b99d2456910b03db9e4ac250eac2fab':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:52:25 +00:00
Robert Shih
edb7c81a1b IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c am: dc9ec35294
am: 9d959e2755

* commit '9d959e275561bcace3aab1f9df009c6c880003fa':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:50:22 +00:00
Robert Shih
ec87aa5218 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7 am: 7ee203b59d am: dc252255af
am: 202aaa8f97

* commit '202aaa8f97083b68c0a736f4cd432f61c9b0989d':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:48:17 +00:00
Robert Shih
202aaa8f97 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7 am: 7ee203b59d
am: dc252255af

* commit 'dc252255af835bb3a69bc9a0d01da12419c0fc05':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:45:18 +00:00
Robert Shih
9d959e2755 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37 am: 413318311c
am: dc9ec35294

* commit 'dc9ec35294b8ec6b6c349b826edc9b44f4ddb96d':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:45:18 +00:00
Robert Shih
dc252255af IGraphicBufferConsumer: fix ATTACH_BUFFER info leak am: dded8fdbb7
am: 7ee203b59d

* commit '7ee203b59d9a74d485ce2fdfd07e96b2d10ff23b':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:43:05 +00:00
Robert Shih
dc9ec35294 IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37
am: 413318311c

* commit '413318311c8cc356dd7e0837ce26e937a9f4c56a':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:38:56 +00:00
Robert Shih
413318311c IGraphicBufferProducer: fix QUEUE_BUFFER info leak
am: d06421fd37

* commit 'd06421fd37fbb7fd07002e6738fac3a223cb1a62':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak
2016-01-15 01:27:23 +00:00
Robert Shih
7ee203b59d IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
am: dded8fdbb7

* commit 'dded8fdbb700d6cc498debc69a780915bc34d755':
  IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
2016-01-15 01:26:59 +00:00
Robert Shih
d06421fd37 IGraphicBufferProducer: fix QUEUE_BUFFER info leak
Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8
2016-01-11 16:33:17 -08:00
Robert Shih
dded8fdbb7 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33
2016-01-11 11:47:42 -08:00
Matt Filetto
b17c928090 sensor: Skip additional permission request checks
* Some legacy Samsung HALs supporting BODY_SENSOR types are
  incompatible with the new permission checks added in M.
  Extend the NO_SENSOR_PERMISSION_CHECK flags to cover more
  of the actual checks.

Change-Id: Id2b9b57d8151b0998d9233e0a6541e8c88e06af7
2015-12-21 08:54:18 -08:00
Christopher N. Hesse
8befd14c4a sensor: Allow devices to skip the permission request
This is needed by Samsung devices with pre-M sensor
blobs which have support for SENSOR_TYPE_HEART_RATE
or body sensors in general.
These HALs somehow segfault on the flagged code.

Change-Id: I698f4129e71b683f6f063f00da79f32a5f521149
2015-12-18 15:21:53 -08:00
Christian Poetzsch
31ab17fb0c Fix the execution point of onFrameAvailable/onFrameReplaced callbacks
In a4650a5 the concept of a maximum frame number allowance for the consumer was
introduced. A call to acquireBuffers will only return buffers when their frame
number is less-than-or-equal-to this maximum frame number. When SurfaceFlinger
is the consumer, this maximum frame number is calculated in the
onFrameAvailable/onFrameReplaced callbacks. These callbacks are called when a
new buffer is dequeued by the application. The problem is that these callbacks
are called _after_ the fence wait which is used to throttle the frame
production of client apps. When the previous frame needs a long time to draw,
those waits can potentially be a long time. As a result SurfaceFlinger won't do
any composition with the new frame until the wait is over.

Normally this isn't a big problem because there is a queue of buffers for
SurfaceFlinger to work with. However, this changes massively when a client app
is using a swap interval of zero. In this case, a new frame will instantly
replace the previous queued frame. However, SurfaceFlinger doesn't know this
until the onFrameReplaced callback gets called - which is delayed by the fence
wait. If the timing is bad, SurfaceFlinger never gets a chance to pick up a new
frame to do the composition with.

We see this behaviour on our TC development system (slow GPU) with legacy
on-screen benchmarks. Such apps are using a swap interval of zero and sometimes
frames don't get updated for several seconds. This behaviour can be also seen
on a Nexus5, although it isn't as obvious as on our TC.

The fix in this cl is to move the EGL throttling to the end of the queueBuffers
function. This ensures that if a frame gets replaced in the queue, all
consumers who installed the callbacks, get called in a timely fashion.

Change-Id: I36e9ecda162150f41e97d4fb7437963a3d86b371
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
2015-12-16 18:46:53 -08:00
forkbomb
7cacf26abb libbinder: allow devices to disable ashmem size tracking
The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.

Change-Id: Ife8514be1ba639c4061de38b59794c46bcc2d7f8
2015-12-10 10:15:49 +11:00
Steve Kondik
4951bcc16e Android 6.0.1 release 3

Merge tag 'android-6.0.1_r3' of https://android.googlesource.com/platform/frameworks/native into cm-13.0

Android 6.0.1 release 3

Change-Id: I437aaf148d440a8144afe1454948980fc3b40cca
2015-12-07 17:07:16 -08:00
forkbomb
53602ffde5 libbinder: allow devices to disable ashmem size tracking
The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.

Change-Id: Ida52cec851a6f9d5a57c8f9130a5875c03dcb094
2015-12-04 15:42:51 +11:00
Caio Schnepper
8c39282e31 libgui: Don't assign handle to NULL after free is common
Reportedly Mali and PowerVR GPUs are crashing when setting handle to NULL
So we will set a flag for the devices that might need this as well

Set BOARD_EGL_NEEDS_HANDLE_VALUE=true in BoardConfig.mk to use

Change-Id: I6c967f62dc6adced7583d7b2045d11cf5b25fc80
2015-11-25 17:51:30 -02:00
Caio Schnepper
eed845539a libgui: Don't assign handle to NULL after free
This reverts c784dfc39f for exynos4 devices
with Mali 400 GPUs, which causes a fatal signal (SIGSEGV) and death of
the graphics subsystem

Change-Id: I6dbf8f8664fca01baf63fece7c64016609fe3e1c
2015-11-23 18:39:58 -02:00
Byunghun Jeon
987034b563 SurfaceFlinger: Native changes to add blur effect
Native changes to add blur-behind and blur mask effect

Change-Id: I54faf82d750e8299de6d261f6a893ab26d08df84

SurfaceFlinger: Adding template for LayerBlur files

Change-Id: I444009113b7bdd6c5284863fd1f56358e67d9fe6

SurfaceFlinger: Featurize libuiblur module for OSS build

Change-Id: Ifdc176e699434125d17b111c044b8ba954cf717c
2015-11-08 01:07:13 -08:00
Ricardo Cerqueira
1cdd1b5ad2 Android 6.0.0 release 26

Merge tag 'android-6.0.0_r26' into HEAD

Android 6.0.0 release 26

Conflicts:
	include/android/input.h

Change-Id: Ifa374c6d3055be3b8a5d60967f8b4c0043da739b
2015-11-05 01:41:42 +00:00
Ricardo Cerqueira
60c26d1f27 Android 6.0.0 release 5

Merge tag 'android-6.0.0_r5' into cm-13.0

Android 6.0.0 release 5
2015-11-03 23:27:50 +00:00
Christopher N. Hesse
f3f3949b32 binder: MemoryHeapIon: fix unused parameters
Using the __attribute__((unused)) preprocessor directive

Change-Id: I29d27fd7eacb962ffa06ccd81ee48b48f3743243
(cherry picked from commit 047c69bb8e17eab6f3432fae200fe94f7e119755)
2015-11-02 17:30:14 +01:00
codeworkx
af2d946f2d binder: Squashed commit of MemoryHeapBaseIon
Source:
http://git.insignal.co.kr/samsung/exynos/android/platform/frameworks/native/commit/?h=exynos-jb&id=dc4cd25cc41e4358debd0c7d1a2706d208a58df6

Change-Id: Ib06cc37a2a25c78a061ee2bad48eec2d01b07833

binder: update MemoryHeapIon

* Update from ODROID-XU 09232013 BSP release

Change-Id: I5245c8a9f783e8902bf91a0ee23e60ebeb335b27

binder: update MemoryHeapIon

* Update from ODROID-XU 04212014 BSP

Change-Id: Ifc2664bcde37a71d855e05e7c9e50288a4508892

binder: Fixed new CM SLSI build variant

Change-Id: Icfff592cf705af660c7318b08fce75dbbf42103c
(cherry picked from commit 014ad5eee0a7de70c4a9f66e8f5ce7b32f4ecb16)
2015-11-02 17:29:40 +01:00
Praveen Chavan
c784dfc39f libgui: assign handle to NULL after free
to avoid use-after-free situations

Change-Id: If9c09f509bc55795856302e5ca34470df019c622
2015-10-31 03:19:42 -07:00
Adrian Roos
6bb3114246 Maintain Parcel ABI
Makes sure we don't change the memory layout of the Parcel class
to maintain binary compatibility with prebuilts linking against
libbinder.

Bug: 25004154
Change-Id: I656687497f08bb85cefda796aafa2341e601e30a
2015-10-22 17:48:16 -07:00
Adrian Roos
cbf3726357 Revert "Revert "Track ashmem memory usage in Parcel""
This reverts commit 6880307e8e.

Bug: 25004154
Change-Id: I9b432d1ebc39f3bbcd7afdefc403f0fb6ced8158
2015-10-22 17:47:27 -07:00