Commit Graph

53481 Commits

Author SHA1 Message Date
Siarhei Vishniakou
b2cc7deac7 DO NOT MERGE Remove window obscurement information.
If ACTION_OUTSIDE_EVENTS contain information about whether the touch is
obscured, then a pattern of invisible, untouchable, unfocusable
SYSTEM_ALERT_WINDOWS can be placed across the screen to determine
approximate locations of touch events without the user knowing.

Bug: 31097064
Test: cts-tradefed run cts --class android.security.cts.MotionEventTest
Change-Id: Iebbb68231cbb76f87241201e7640a1fe3e188625
CVE-2017-0860
2017-11-10 18:08:28 +03:00
Chia-I Wu
ea0521baee libgui: check for invalid slot in attachBuffer
Bug: 37478824
Test: manual
AOSP-Change-Id: I369337d53539bf7f7e3d925bccdae4045da1b404
(cherry picked from commit c79a29689c1046f1f0301c75df9b9a67cba8bf04)

CVE-2017-0667

Change-Id: I15290a700c2e0f0da9a44bb3131c4e38cadbaed3
2017-07-06 21:41:47 +02:00
Chris Forbes
a3a09ef6b4 ui: Fix bad size check in Fence::unflatten
Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.

Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
AOSP-Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad
(cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)

CVE-2017-0666

Change-Id: I778c82b363ca0409d534f255cc5d17b39e751986
2017-07-06 21:37:51 +02:00
Dan Stoza
c5fe5044f4 libgui: Check slot received from IGBP in Surface
Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
AOSP-Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
(cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)

CVE-2017-0665

Change-Id: If0fd4864b9fc4ea5a1c83d10adef26cdabb0f7e8
2017-07-06 21:31:56 +02:00
Fabien Sanglard
e34afe0a4b Fix security vulnerability
AOSP-Change-Id: I4c9ea3a3177131fa29d2561da71ef18bec3af108
Test: angler, marlin
Bug: 32628763

CVE-2017-0546

Change-Id: I3e87518163540a9fce1d4fc3751ed558d4854140
(cherry picked from commit 45b202513ba7440beaefbf9928f73fb6683dcfbd)
2017-04-05 18:44:52 -06:00
Fabien Sanglard
c2983e9d3b Fix SF security vulnerability: 32706020
Because of lack of mutex lock when get mConsumerName, if one thread
getConsumerName, another thread setConsumerName frequently, an UAF will
be triggered.

Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65
Test: Marling with poc provided in bug report.
Bug: 32706020
(cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
(cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
2017-03-13 04:56:11 +00:00
Christopher Tate
0ff545d4a7 Correct overflow check in Parcel resize code
Fix merge conflict into nyc-mr1-release
Bug 31929765

Change-Id: Ie27b9945f1de056624668869bdf9a5578abff467
(cherry picked from commit 65dd433f0db2fe402dc725f7012c6e26769b3224)
(cherry picked from commit b4d6b292bce7d82c93fd454078dedf5a1302b9fa)
2017-03-13 04:55:32 +00:00
D. Andrei Măceș
78f9ca0f1f libEGL: Only enable WORKAROUND_BUG_10194508 with board flag
Change-Id: Id0d000dc5397479a0cd73799f93861693179a663
2017-02-19 14:50:34 -05:00
Fabien Sanglard
65166fe47d Fix SF security vulnerability: 32660278
Because of lack of mutex lock when get mSidebandStream, if one thread
getSidebandStream, another thread setSidebandStream frequently, an UAF
will be triggered.

Bug: 32660278
Test: Marlin device with poc
Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45
(cherry picked from commit 2d8a2432e04234d9edbb3b099f9bbbaa36ad4843)
(cherry picked from commit 675e212c8c6653825cc3352c603caf2e40b00f9f)
2017-01-13 11:47:31 +01:00
Jessica Wagantall
b22bca465e Android 6.0.1 Release 72 (M4B30X)
-----BEGIN PGP SIGNATURE-----
 
 iEYEABECAAYFAlfz3S0ACgkQ6K0/gZqxDnhJWgCfRoySrnvsFMmshmNaBf/EqTzK
 aLcAmQFWLnkHlnHBkOZDYh8SQlmRpqr1
 =qsLC
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r72' into HEAD

Android 6.0.1 Release 72 (M4B30X)

# gpg: Signature made Tue 04 Oct 2016 09:47:41 AM PDT using DSA key ID 9AB10E78
# gpg: Can't check signature: public key not found
2016-10-06 11:50:30 -07:00
Jessica Wagantall
1c6eb19ad5 Android 6.0.1 release 66
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlfO7kcACgkQ6K0/gZqxDniKDACfe+IKxeKXazFQSWgFI0CW9HUK
 nuQAoIomQRV9NOdD2SVHJR1zyTKXx82E
 =FStj
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r66' into HEAD

Android 6.0.1 release 66

# gpg: Signature made Tue 06 Sep 2016 09:26:47 AM PDT using DSA key ID 9AB10E78
# gpg: Can't check signature: public key not found
2016-09-07 12:40:28 -07:00
Arve Hjønnevåg
390c2d3512 ServiceManager: Allow system services running as secondary users to add services
This should be reverted when all system services have been cleaned up to not
do this. A process looking up a service while running in the background will
see the service registered by the active user (assuming the service is
registered on every user switch), not the service registered by the user that
the process itself belongs to.

BUG: 30795333
Change-Id: I1b74d58be38ed358f43c163692f9e704f8f31dbe
(cherry picked from commit e6bbe69ba739c8a08837134437aaccfea5f1d943)
2016-08-26 16:21:59 -07:00
Arve Hjønnevåg
dbee7f4650 DO NOT MERGE ServiceManager: Restore basic uid check
Prevent apps from registering services without relying on selinux checks.

Bug: 29431260

Change-Id: I38c6e8bc7f7cba1cbd3568e8fed1ae7ac2054a9b
(cherry picked from commit f03ba2c0d878071603d73b7f8e9a4a468364ac27)
2016-08-26 16:21:59 -07:00
Christopher N. Hesse
60f8bdfb45 surfaceflinger: Add support for Exynos HWC services
Change-Id: I600e946a22064d64549e266c5a3cf452d0cf6299
2016-08-18 10:41:58 -07:00
Abhisek Devkota
b7021eff8d
Fix xxhdpi 3072 heap sizes
Bootloops on r7 with current values

Fix for 94774ac01d

Change-Id: I248a9375735a261715668494da0d0ab5a6440d42
2016-08-18 19:26:27 +03:00
Abhisek Devkota
2a2b06df1b Fix xxxhdpi 3072 heap sizes
Bootloops on shamu with current values

Fix for 94774ac01d

Change-Id: Iade253bd8bc5074486d2d69bb9c738844615b08d
2016-08-17 09:08:58 -07:00
Pablo Ceballos
07cd4cdf21 Region: Detect malicious overflow in unflatten
Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
2016-08-16 15:52:32 -07:00
Alex Naidis
94774ac01d dalvik: rework 3 and 4-GB dalvik heap configurations
The previous configuration sets target utilization as .25, which is geared towards
low memory devices. This path increases it to .75 and makes us pass the check:
(heaptargetutilization / 2) * heapsize = heapgrowthlimit

Example:
heapgrowthlimit: 256m
heapsize: 512m
heaptargetutilization: 0.75
0.75/2 * 512 = 192

To pass the check this has to be true:

192 = 256 (WRONG)

Check not passed.

This new configuration is optimized for higher RAM devices and passes the check:

heapgrowthlimit: 384m
heapsize: 1024m
heaptargetutilization: 0.75

0.75/2 * 1024 = 384

384 = 384 (TRUE)

Check passed.

Change-Id: I6839339382229da80546761c3746a032081ff2cd
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
2016-08-15 14:27:57 -07:00
Namit Solanki
a5f80a555a surfaceflinger: Access s3d flags only for valid display ID.
- Check if display id is within display ID range. Negative
  display ids lead to undefined behavior in CTS tests.

Change-Id: I2db8caf8d7ac65700e5bc37c180763357cc90aad
CRs-Fixed: 1043297
2016-08-13 01:31:13 -07:00
FPtje
3b418d69a3 Fixed stylus eraser being rejected by palm rejection
The stylus eraser appeared not to work, i.e. Android did not respond to
input from the eraser. It turned out that all input except stylus input
is rejected when palm rejection is activated. The problem was that the
eraser itself activates palm rejection when it hovers. The solution is
to allow the eraser during palm rejection. This solution makes sense
because the eraser input works in the exact same way as normal stylus
input.

Change-Id: I9c7451112ce7dbca14a1e1694eedca2d4ed041a1
2016-08-05 13:41:31 -05:00
Steve Kondik
542b068e32 surfaceflinger: Fix uninitialized variable
* And don't try to reinit the lib after a failure.

Change-Id: Ic055a48670ed8cf01e27b16c5d4ddf214db53d20
2016-08-03 15:28:43 -07:00
Steve Kondik
da998f4845 surfaceflinger: Unbreak casting and other use cases
* If QCOM WFD isn't in use, we'll get -1 here. Don't try and
   dig into the array because we'll get some random memory back.

Change-Id: Ib14642fea760dc0e659473bb183c5e0116622302
2016-08-03 15:02:31 -07:00
Anjaneya Prasad Musunuri
52b8462635 surfaceflinger: Add check for number of queued buffers
Pop buffer item from shadow queue only when
number of queued buffer items is greater than zero.

Change-Id: I039bc133842293c29e3e130efd65f521ef0049c6
CRs-Fixed: 1009466
2016-08-03 14:19:04 -07:00
Jessica Wagantall
2ab013db02 Android 6.0.1 Release 61 (MOB30Z)
-----BEGIN PGP SIGNATURE-----
 
 iEYEABECAAYFAlefxC4ACgkQ6K0/gZqxDngITwCeMdmdcGa6c+PuQ9bNxd6MfVYf
 /nIAoIItBcjf6ZMHmwfz7OZZQ1ixeszf
 =IRN9
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r61' into HEAD

Android 6.0.1 Release 61 (MOB30Z)

Change-Id: I581a4bc571ffe74fe33956018ffd93df05263755
2016-08-02 11:37:44 -07:00
dianlujitao
b86bb46b4d sf: Fix compliation for non-8996 platforms
Change-Id: I3edad5934ef9d9ec523e091fa2c959bbc9770f29
2016-08-02 20:11:17 +08:00
Steve Kondik
193a8c9334 surfaceflinger: Isolate S3D code to msm8996 only
Change-Id: Ie4b77b55eb306c795b452c59d8ae3383bd2804bc
2016-08-01 13:24:26 -07:00
Steve Kondik
534f857430 surfaceflinger: Cleanups for blur
* Dynamically load it so no direct linkage or headers are required.

Change-Id: I4eba035f527ae4f0fa2485e24a8586145baf0adc
2016-08-01 13:08:02 -07:00
Tatenda Chipeperekwa
f5486d6f47 sf: Allow HWC composition of virtual displays for HDMI primary
Allow HWC composition of virtual displays for HDMI primary only
when the output pixel format of the HDMI display is RGB.

CRs-Fixed: 1007249
Change-Id: I9680b162d844e9e6397f919e8dcc1b1a948d182c
2016-07-31 14:28:55 -07:00
feifanz
537364c722 SF: Add support to draw S3D framebuffer target
Add support to draw S3D framebuffer target in case HWC driver
can not handle due to resource or capability issue.

Change-Id: I536fa4a03e246d51891045b692d5dc5be88f2adf
CRs-fixed: 999055
2016-07-31 14:15:30 -07:00
Steve Kondik
8cafa373aa surfaceflinger: Fix the fix of the opaque check fix
* Use the right define.

Change-Id: I78e2aea4bf4ff933ec828cffee1a3e925622ad31
2016-07-24 16:19:39 -07:00
Pablo Ceballos
1ecb999624 Region: Detect malicious overflow in unflatten
Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
2016-07-21 17:34:57 -07:00
Ramkumar Radhakrishnan
d67b177ff6 SF: Fix NULL pointer dereferencing in dumpDrawCycle()
Check for NULL before dereferencing a pointer in dumpDrawCycle()

Change-Id: I1f06214577d0065c988877acb0f1b4378080690f
CRs-Fixed: 1018335
2016-07-20 04:16:16 -07:00
Saurabh Shah
a887c19994 SF: Add support for all flips of panel mount
Add support for all flips of panel mount, H, V, HV (180). Property
persist.panel.mountflip can be set to 1 for H-Flip, 2 for V-Flip,
3 for HV-Flip (180 / inverse mount).

Change-Id: Ide7b8378ad6a423e5d7335fedc27d480a25b53ae
CRs-fixed: 990622
2016-07-20 04:16:16 -07:00
Nick Kralevich
c91bafb88a DO NOT MERGE: dumpstate: execute procrank using su
procrank is a setuid binary which only exists on userdebug/eng
builds. Instead of executing the setuid binary, run the binary using
the su command. This eliminates one more setuid binary, and allows
the tightening of the SELinux policy.

Bug: 18342188

(cherry picked from commit 2b1f88b6ac78e330ff006da6fecf8bc9d976ec67)
Bug: 25951005

Change-Id: I90c86f89974b3878273a29277b2a5d5d7c4b81c7
2016-07-20 04:16:16 -07:00
Haixia Shi
179bd77ab6 SF: more DispSync improvements.
Pass the reference time to DispSyncThread. Since the phase offset is calculated
using timestamps relative to the reference time, we must also adjust the phase
offset by the same reference time when computing the next refresh time.

Always reset phase offset to zero when updating the reference time because the
reference time equals the first timestamp.

After beginResync() we need to keep HW vsync enabled until the model is updated.

Bug: 25113115
Change-Id: I8eae227bee91c24a99bf8e57fbebceb98d29c77d
Test: check in systrace that app/sf vsync events have correct phase
2016-07-20 04:16:16 -07:00
Haixia Shi
95cda3b92f SF: use first sample timestamp as reference.
Do not use the absolute 64-bit nsecs_t timestamp directly in phase
and error calculations. Compared to the estimated vsync period, the
timestamp tend to many orders of magnitudes larger, and consequently
the integer modulo operation used to calculate phase and error can
be very sensitive to tiny fluctuation in vsync period.

Bug: 25113115
Test: set kTraceDetailedInfo=true; see Phase and Error are stable in systrace

Change-Id: I687703eec31b1072c606898c0424a96c0a8ca033
2016-07-20 04:16:16 -07:00
Arne Coucheron
a5761b164a sf: Fix blending mode for legacy BSP
* After 0c5f3af, glitches when blending is observed on
   A family devices. Modify ifdef to not include QCOM_BSP_LEGACY.

Change-Id: Ibb53df5709abbb0e7132065aec23a14f7accf4b3
2016-07-20 00:46:07 +02:00
Mark Salyzyn
839f0dd964 system_server BINDER_TYPE_FD driver ashmem accessors
check if device matches the ashmem rdev, before calling
ashmem_get_size_region. This eliminates making this call
when associated with other driver file descriptors.

Bug: 26374183
Bug: 26918423
Bug: 26871259
Change-Id: I1f88c2c93ea35a73c8e14125f3d1a6c67fa4f15b
2016-07-15 13:04:30 -07:00
Mark Salyzyn
d70043eaf4 system_server BINDER_TYPE_FD sockets using ashmem accessors
check if device is a character device, before calling
ashmem_get_size_region. We do not check if the st_rdev
matches /dev/ashmem. So this at least eliminates making
this call when associated with a socket.

Bug: 26374183
Change-Id: I68ed9d1c2cd4c47228ed065e3e18eb4151f038f4
2016-07-15 13:04:30 -07:00
Mark Salyzyn
e481771aa3 Parcel: file descriptor leak
Resolve a file descriptor leak when a request for
ashmem size adjustment is not filed.

Change-Id: I4ebccfd096ec5313725fd99dc3e025f9561d061f
2016-07-15 13:04:30 -07:00
radhakrishna
0c5f3af37a sf: Make sure HWC_BLENDING_NONE is set for opaque layer
Before configuring the layers to HWC, make sure
HWC_BLENDING_NONE is set if the layer is opaque

Change-Id: Ie84aa9d93e98a244692a0cffc2de653a9079f8b4
Crs-fixed: 957373
2016-07-15 13:03:55 -07:00
Jessica Wagantall
cf27ee8089 Merge remote-tracking branch 'remotes/android-6.0.1_r52' into HEAD
Ticket: CYNGNOS-3020

Change-Id: I13076de5caf1546b8eef44417ee83cd9b2cb9d62
2016-07-07 14:15:35 -07:00
Pablo Ceballos
3bcf0caa8c Add FrameStats default constructor
Bug 28592402

Change-Id: I857e46c9ab3ffae0d96923d665d13a4128a6cafa
2016-06-23 15:06:26 -07:00
Christopher N. Hesse
2a2eaab883 sf: Only apply hwrotation to primary displays
Change-Id: Ib51030cec5ce7609f12be9a5e46310f75442b680
2016-06-17 16:10:21 +02:00
Jessica Wagantall
508eb7749a Android 6.0.1 release 46
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAldVtQ8ACgkQ6K0/gZqxDnhIVgCfWRMpjlr3RQ8yoizXrd1JT2e8
 M6kAn2lFAPOBl7D6M28oTaPBQpLrZMdF
 =kdz+
 -----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r46' into HEAD

Android 6.0.1 release 46

# gpg: Signature made Mon 06 Jun 2016 10:38:23 AM PDT using DSA key ID 9AB10E78
# gpg: Can't check signature: public key not found
2016-06-07 10:10:09 -07:00
Louis Popi
6500d428ce Add dalvik heap/hwui overrides for xxxhdpi phone with 4096MB RAM
Change-Id: I8e7bd9b520c20e0cd07c9b17d74e4ae79f2769b4
2016-05-31 11:09:56 -07:00
Marco Nelissen
54cb02ad73 Correctly handle dup() failure in Parcel::readNativeHandle
bail out if dup() fails, instead of creating an invalid native_handle_t

Bug: 28395952

Change-Id: Ia1a6198c0f45165b9c6a55a803e5f64d8afa0572
2016-05-27 11:31:22 -07:00
Scott Mertz
ea0ee316d8 dumpstate: add CM version to output
Change-Id: Ibd804872d7d32ac1d26efaf30927a2359d2da287
2016-05-26 16:32:59 -07:00
Louis Popi
0921754415 Add dalvik heap/hwui overrides for xxhdpi phone with 3072MB RAM
Change-Id: I0ebf2033341e8f09004c1e2dec5f4438aa52e5dc
2016-05-24 13:20:34 -07:00
Danesh M
bd41ea359f SurfaceFlinger : Ensure position changes are drawn with correct buffer size
If a single transaction has both positional and size changes, ensure we don't draw
any frames using the incorrect buffer size using the updated position. Wait for the correct
buffer size and then proceed.

Change-Id: I8e25f21f17e0936e66bb5053f85f8336c8464c7b
2016-05-12 10:07:24 -07:00