Commit Graph

3025 Commits

Author SHA1 Message Date
Pablo Ceballos
07cd4cdf21 Region: Detect malicious overflow in unflatten
Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
2016-08-16 15:52:32 -07:00
Marco Nelissen
54cb02ad73 Correctly handle dup() failure in Parcel::readNativeHandle
bail out if dup() fails, instead of creating an invalid native_handle_t

Bug: 28395952

Change-Id: Ia1a6198c0f45165b9c6a55a803e5f64d8afa0572
2016-05-27 11:31:22 -07:00
Dianne Hackborn
a59b827869 Fix issue #27252896: Security Vulnerability -- weak binder
Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object.  We need to try to
safely promote to a strong reference first.

Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
2016-03-25 17:47:54 -07:00
Pablo Ceballos
a30d7d90c4 BQ: fix some uninitialized variables
Bug 27555981
Bug 27556038

Change-Id: I436b6fec589677d7e36c0e980f6e59808415dc0e
2016-03-25 17:47:54 -07:00
Pablo Ceballos
5243afa8fa Add SN logging
Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
2016-02-26 16:56:15 -08:00
Christopher Tate
25719f6e1f Sanity check IMemory access versus underlying mmap
Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
2016-02-26 16:56:14 -08:00
Pablo Ceballos
b3a9e6d04d BQ: Add permission check to BufferQueueConsumer::dump
Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
2016-02-26 16:56:14 -08:00
Robert Shih
daca8c3407 IGraphicBufferProducer: fix QUEUE_BUFFER info leak
Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8
2016-01-22 13:37:17 -08:00
Robert Shih
93312a3a38 IGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33
2016-01-22 13:37:16 -08:00
Adrian Roos
6bb3114246 Maintain Parcel ABI
Makes sure we don't change the memory layout of the Parcel class
to maintain binary compatibility with prebuilts linking against
libbinder.

Bug: 25004154
Change-Id: I656687497f08bb85cefda796aafa2341e601e30a
2015-10-22 17:48:16 -07:00
Adrian Roos
cbf3726357 Revert "Revert "Track ashmem memory usage in Parcel""
This reverts commit 6880307e8e.

Bug: 25004154
Change-Id: I9b432d1ebc39f3bbcd7afdefc403f0fb6ced8158
2015-10-22 17:47:27 -07:00
Ian Pedowitz
6880307e8e Revert "Track ashmem memory usage in Parcel"
This reverts commit e2f499fb73.

Bug: 25169267
Bug: 25191602
Bug: 25004154
Change-Id: I24bb0da4e8739ee5a0c251e4adac9904827144e0
2015-10-22 22:09:16 +00:00
Adrian Roos
e2f499fb73 Track ashmem memory usage in Parcel
Bug: 25004154
Change-Id: Id9d5656dd0605f1b50525596b75601309f67ebdc
2015-10-21 22:32:35 +00:00
Aravind Akella
2ac7405bda Merge "Set DATA_INJECTION mode flag for sensors." into mnc-dr-dev 2015-10-14 21:03:07 +00:00
Adam Lesinski
16b0ae105e Merge "add number constraint for samples per MotionEvent" into mnc-dr-dev 2015-10-12 22:15:50 +00:00
Flanker
552a8a5d8d add number constraint for samples per MotionEvent
Bug:23905002
Change-Id: Ifd24802977c3dcdd1dbc5120a78aac41beae4603

Signed-off-by: Adam Lesinski <adamlesinski@google.com>
2015-10-12 11:22:37 -07:00
Puneet Kumar
2f3c3eb4e4 Merge "Allow defining replacement key events in keymap" into mnc-dr-dev 2015-10-08 08:16:31 +00:00
Andrew de los Reyes
de18f6c32a InputResampling: Don't extrapolate for very low frame rates.
In very low framerate situations, extrapolation is generally going to
either cause no benefit or make a mistake. We can safely turn it off
with no user-visible negative impact.

BUG=https://buganizer.corp.google.com/u/0/issues/24550942
TEST=Scrolled very slowly and saw mispredictions on Angler. With change,
saw the log message that the mispredictions were suppressed.

Change-Id: Ic9747d3ff098d7918047ada2ed1c2d21282c65b0
2015-10-01 15:57:25 -07:00
Dmitry Torokhov
115f93eeeb Allow defining replacement key events in keymap
Currently keyboard maps allow to assign character sequences to key
events and allow specifying a so-called "fallback" key events that are
re-injected into input stream if target application indicates that it
was not able to handle the original key event. Unfortunately there is no
way to perform substitution before handing the event to applicationis.

This change adds a new keymap keyword "replace" that allows users query
"replacement" actions for key (if any), with the intent that such
replacement happens early in the event handling process.

Bug: 24504154

Change-Id: I3e6a2476c856524171df00ad22ff56f2018c1278
2015-09-29 13:26:30 -07:00
Naveen Leekha
b0127aadaf am 69412a51: am c4bd7211: resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
* commit '69412a51f58fa9450f1cb077c8d4b6410128d993':
  resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
2015-09-24 23:35:41 +00:00
Naveen Leekha
69412a51f5 am c4bd7211: resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
* commit 'c4bd7211373cf5b745c7d4f849f43f7a2d2b1141':
  resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
2015-09-24 23:27:31 +00:00
Naveen Leekha
c4bd721137 resolved conflicts for 7534e4e6 to lmp-mr1-ub-dev
Change-Id: I543df164076b44578b14d41031800bb62b81586d
2015-09-24 15:55:21 -07:00
Naveen Leekha
83e60e4257 am 571e27e2: am e889592e: am 73887c08: am b414255f: Initialize local variables to avoid data leak
* commit '571e27e20e30560985d7c3a3ba8885693695b0fc':
  Initialize local variables to avoid data leak
2015-09-24 22:26:22 +00:00
Naveen Leekha
571e27e20e am e889592e: am 73887c08: am b414255f: Initialize local variables to avoid data leak
* commit 'e889592e33891c9b88ff6ba655426118f8ef12ee':
  Initialize local variables to avoid data leak
2015-09-24 22:20:59 +00:00
Naveen Leekha
e889592e33 am 73887c08: am b414255f: Initialize local variables to avoid data leak
* commit '73887c0864c9a928db6f66bd48c5aea4d31d9a8b':
  Initialize local variables to avoid data leak
2015-09-24 22:13:06 +00:00
Naveen Leekha
73887c0864 am b414255f: Initialize local variables to avoid data leak
* commit 'b414255f53b560a06e642251535b019327ba0d7b':
  Initialize local variables to avoid data leak
2015-09-24 22:00:33 +00:00
Naveen Leekha
b414255f53 Initialize local variables to avoid data leak
The uninitialized local variables pick up
whatever the memory content was there on stack.
This data gets sent to the remote process in
case of a failed transaction, which is a security
issue. Fixed.

(Partial manual merge of master change
 12ba0f57d028a9c8f4eb3afddc326b70677d1e0c. Rest
 to automerge from klp-dev)

For b/23696300

Change-Id: I704c9fab327b3545c58e8a9a96ac542eb7469c2a
2015-09-22 18:04:44 -07:00
Aravind Akella
f9b7f8548e Set DATA_INJECTION mode flag for sensors.
Bug: 24001171
Change-Id: I70133546c68fb478b2c2062f05a4164a36cd9e4b
2015-09-11 11:33:49 -07:00
Prashant Malani
13c638255f am e35c7d65: Add body sensors app op for custom sensors
* commit 'e35c7d65bb3c226fe3c5fc5e3933f64f0963eaeb':
  Add body sensors app op for custom sensors
2015-09-03 17:26:13 +00:00
Prashant Malani
e35c7d65bb Add body sensors app op for custom sensors
If the custom sensor requires the BODY SENSOR permission, we should add
the body sensors app op for the custom sensor

Bug: 23396558
Change-Id: I132917d1bca12c76c8a9fb146e00951cba3e6d7a
2015-09-03 04:03:25 +00:00
Aravind Akella
8f35ca9730 SensorManager fixes.
i) Use pingBinder() to check the status of sensorservice everytime an
   event_queue is created. Retry to establish the binder connection if
   SensorService has recovered from a runtime restart.
ii) LOG_ALWAYS_FATAL_IF getService(SensorService) returns NULL or malloc
    returns NULL.

Bug: 22634472
Change-Id: I4e3912839b6f4114be1a124510878774dbd576a4
2015-08-25 11:24:02 -07:00
Aravind Akella
e2806cb445 Bug fix in SensorManager.
If SensorService hasn't started when SensorManager instance is requested, keep retrying for a
longer duration.

Bug: 22529981
Change-Id: I3c506d962b61347085fc80b2c5832289539d6853
2015-07-30 19:05:21 +00:00
Narayan Kamath
8034fc63a0 Revert "Bug fix in SensorManager."
This reverts commit 869eb2089e.

Change-Id: I4fb865e3b18bbb011fa4e4b4732336930c3a45ae
2015-07-29 09:36:05 +00:00
Aravind Akella
869eb2089e Bug fix in SensorManager.
If SensorService hasn't started when SensorManager instance is requested, keep retrying for a
longer duration.

Bug: 22529981
Change-Id: I4ba6b760608e34d79273aeb39568f0fa72fbaf9d
2015-07-26 11:48:06 -07:00
Lajos Molnar
5f920c1a2c BufferQueueConsumer: signal onFrameReleased on dropped frames
Bug: 22552826
Change-Id: I9bdfeb8c68f403301af90d4b494f0ae7166a767c
2015-07-17 08:37:47 -07:00
Christopher Tate
134fd91bcc am 708b42e0: am eba7afcc: am 2f340be3: Disregard alleged binder entities beyond parcel bounds
* commit '708b42e0ee5ad97b8426a6245f73131ddfc59a33':
  Disregard alleged binder entities beyond parcel bounds
2015-07-02 01:55:43 +00:00
Christopher Tate
eba7afcc14 am 2f340be3: Disregard alleged binder entities beyond parcel bounds
* commit '2f340be345612d9fc2ecb1ea2a4c9e147610a593':
  Disregard alleged binder entities beyond parcel bounds
2015-07-02 01:28:56 +00:00
Amith Dsouza
bbd4f23247 Merge "Revert "Revert "Modify EGL to disconnect the window when the surface gets destroyed.""" into mnc-dev 2015-07-01 17:45:05 +00:00
Aravind Akella
8719e3b631 Merge "Enable sensor data injection mode through adb." into mnc-dev 2015-07-01 17:40:08 +00:00
Amith Dsouza
4f21a4cc22 Revert "Revert "Modify EGL to disconnect the window when the surface gets destroyed.""
This reverts commit 6e1a2fea67.

Driver level issues fixed by an updated graphics driver.

Bug: 21266976
Change-Id: I93339fb6c6bab988f3550adb49ef8e70cda6473e
2015-07-01 10:22:22 -07:00
Aravind Akella
841a5926fc Enable sensor data injection mode through adb.
Change-Id: I415cf8ff0871fa74babaf9b879c68f210298b472
2015-06-30 14:59:58 -07:00
Chad Brubaker
e59cb43eda Fix writeByteArray/writeInt32Array size on x64
writeByteArray writes the size using sizeof(size_t), however it is always
read using readInt32(). On devices where sizeof(size_t) != 4 this causes
extra bytes to be written.

BUG: 22204736
Change-Id: I8d4507b6b616857ef5827f1fe9da0907d09abf0e
2015-06-30 14:50:09 -07:00
Dan Stoza
db4850c01f libgui: Fix handling of rotated surface damage
Incoming surface damage was not aware that the EGL implementation was
rotating buffers in response to SurfaceFlinger's transform hint. This
didn't affect all cases because the effect was to apply a 90 degree
rotation instead of a 270 degree rotation. For full-screen updates,
things more or less worked, but in other cases this caused corruption.

This fixes that by correctly undoing the effect of rotated buffers on
the incoming surface damage, and then passing that damage down
untouched to HWC.

Bug: 22068334
Change-Id: I226ecfc7a91fe2e16edd2aa6d9149f0d26b529d6
2015-06-25 16:10:18 -07:00
Christopher Tate
2f340be345 Disregard alleged binder entities beyond parcel bounds
When appending one parcel's contents to another, ignore binder
objects within the source Parcel that appear to lie beyond the
formal bounds of that Parcel's data buffer.

Bug 17312693

Change-Id: If592a260f3fcd9a56fc160e7feb2c8b44c73f514
(cherry picked from commit 27182be9f2)
2015-06-24 20:46:38 +00:00
Christopher Tate
1b8a2f82fe Disregard alleged binder entities beyond parcel bounds
When appending one parcel's contents to another, ignore binder
objects within the source Parcel that appear to lie beyond the
formal bounds of that Parcel's data buffer.

Bug 17312693

Change-Id: If592a260f3fcd9a56fc160e7feb2c8b44c73f514
(cherry picked from commit 27182be9f2)
2015-06-24 20:46:05 +00:00
Dan Stoza
2311608667 libgui/SF: Propagate SECURE Layer flag changes
This allows changes to the SECURE flag to propagate down to
Layers in SurfaceFlinger so that WindowManager can change it on the fly
in response to device policy updates.

Bug: 20934462
Change-Id: I558f6d22c6273be373f1f480365e42536af18a33
2015-06-18 15:11:20 -07:00
Dan Stoza
6cd8771c9c Merge "GLConsumer: Fix crop math" into mnc-dev 2015-06-11 17:12:49 +00:00
Dan Stoza
ec4cb38750 GLConsumer: Fix crop math
When we have excess pixels that need to be removed from (for example)
the left and right sides, we currently do something like:

  left += excess / 2;
  right -= excess / 2;

If excess is odd, however, this removes 1 too few pixels since the odd
pixel gets rounded down twice. This changes the math to effectively:

  left += excess / 2;
  right -= (excess - excess / 2);

Which removes the correct total number of pixels.

Bug: 19611086
Change-Id: I8d1ad9fe7ba67c149794c148663d12acbccccef0
2015-06-10 10:24:51 -07:00
Christopher Tate
ed7a50cc7d Prevent integer overflow when calculating buffer resizes
Make sure that we don't go haywire if an exponential buffer growth
operation winds up wrapping integer range.  Along the way, fix a
bookkeeping bug in BufferedTextOutput that would cause it to keep
spuriously realloc()ing on every append().

Bug 20674694

Change-Id: Ia845b7de36b90672a151a918ffc26c7da68e20a2
2015-06-08 14:49:09 -07:00
Christopher Tate
98e67d352b Don't corrupt parcel when writeFileDescriptor() fails
We now check for fd-legality before committing binder objects to
the flattened data buffer rather than after.  Previously we would
wind up corrupting the parcel and incurring driver-level errors,
as well as potentially leaking FDs.

Bug 21428802

Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
2015-06-08 13:13:19 -07:00