OSDN Git Service
Chalard Jean [Mon, 20 May 2019 04:11:37 +0000 (13:11 +0900)]
Protect VPN dialogs against overlay.
Bug: 130568701
Test: manual. After this, can't display on top of it
Change-Id: Ib032f800edb0416cc15f01a34954340d0d0ffa78
Merged-In: Ib032f800edb0416cc15f01a34954340d0d0ffa78
(cherry picked from commit 4e80dc2861614d25a1f957f50040a8cf04812d11)
Jonathan Scott [Tue, 7 May 2019 15:27:17 +0000 (16:27 +0100)]
[RESTRICT AUTOMERGE] Make Lock task default behaviour consistent with Settings.
Bug: 127605586
Test: Manual
Change-Id: I5b5b0f9184220a4ed3080ca27792f66d1f5d41aa
TreeHugger Robot [Wed, 10 Apr 2019 23:26:01 +0000 (23:26 +0000)]
Merge "Permission Check For DPM.getPermittedAccessibilityServices" into nyc-dev
TreeHugger Robot [Wed, 10 Apr 2019 22:20:55 +0000 (22:20 +0000)]
Merge "[RESTRICT AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage" into nyc-dev
Pavel Grafov [Wed, 10 Apr 2019 11:47:25 +0000 (12:47 +0100)]
Limit IsSeparateProfileChallengeAllowed to system callers
Fixes: 128599668
Test: build, set up separate challenge
Merged-In: I2fef9ab13614627c0f1bcca04759d0974fc6181a
Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a
Julia Reynolds [Wed, 27 Mar 2019 16:15:57 +0000 (12:15 -0400)]
[RESTRICT AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
Test: atest
Fixes: 128599467
Change-Id: I13a0ca7590f8c4b44379730e0ee2088aba400c2a
(cherry picked from commit 657d164136199126ae241848887de0230699cea0)
Bryan Ferris [Thu, 4 Apr 2019 22:18:52 +0000 (15:18 -0700)]
[RESTRICT AUTOMERGE] Added missing permission check to isPackageDeviceAdminOnAnyUser.
Added a check for the MANAGE_USERS permission to
PackageManagerService#isPackageDeviceAdminOnAnyUser.
Test: Modify the settings app to log the call attempt and follow the
steps below
In order to work around the limitations of N builds we needed to modify
the settings app to log the call attempt. This is described in detail at
b/128599183#comment15
Bug: 128599183
Change-Id: Ie96c8e174983f61574f12d5d4b210d06377054e5
Eran Messeri [Mon, 25 Mar 2019 14:31:04 +0000 (14:31 +0000)]
Permission Check For DPM.getPermittedAccessibilityServices
Bug: 128599660
Test: com.android.server.devicepolicy.DevicePolicyManagerTest
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest
Change-Id: I8be915bd6a4ff99884d23005a4c6f0100806dbe8
Merged-In: I8ee3f876fcaffa63636645f0f59709cd147254ef
WyattRiley [Tue, 19 Feb 2019 21:19:13 +0000 (13:19 -0800)]
DO NOT MERGE - SUPL ES Extension - Safer Init and Not After Boot
Safe order of pointer setting and background thread start
Verifying mCallEndElapsedRealtimeMillis is not the initial value
Bug: 112159033
Bug: 115361555
Bug: 125124724
Test: Verified not-after-boot with test code b/115361555#comment14
Test: Reproed NPE on Nexus 5x with test thread sleep and verify fix
Change-Id: I596f913bc79873274c2743132c93ef2381d9f3c7
Guliz Tuncay [Wed, 16 Aug 2017 19:02:31 +0000 (12:02 -0700)]
Select only preinstalled Spell Checker Services
When we are setting a new spell checker as the default one in
Secure.Settings, TSMS#findAvailSpellCheckerLocked can pick up
any available spell checker service. This violates the principle
that user should be warned whenever we are setting an untrusted
spell checker service as the default service, since the warning
dialog is never shown.
Fixes: 64764051
Bug: 118694079
Test: Manually as follows:
1. Open 'packages/inputmethods/LatinIME/java/AndroidManifest.xml'
and remove 'AndroidSpellCheckerService'
2. lunch aosp_buillhead-userdebug && make -j
3. Flash the image
4. adb shell dumpsys textservices
-> no spell checker is recognized
5. adb shell settings get secure selected_spell_checker
-> null
6. tapas SampleSpellCheckerService
7. make -j
8. adb install -r $OUT/system/app/SampleSpellCheckerService/SampleSpellCheckerService.apk
9. adb shell dumpsys textservices
-> SampleSpellCheckerService is recognized
10. adb shell settings get secure selected_spell_checker
-> null
Change-Id: I16f12293d15258c9148677c7ee09fe6dcf81e81d
Merged-In: Idab3ecc246fe9344a09e6907a0ba39f8ea6506f9
Bryan Ferris [Wed, 9 Jan 2019 23:22:20 +0000 (15:22 -0800)]
Revert "Select only preinstalled Spell Checker Services"
This reverts commit fa265ed97026e3b8675a2ccbf4035cad6dc1523f.
Reason for revert: The backport for b/118694079 was applied improperly.
The fix involved filtering the class members list of spell checkers into a new list before searching it. The backport filtered the list but failed to update references to the class member into references to the local variable, creating no change in observable behavior. A new version of this commit will be simultaneously uploaded, which both fixes the bad behavior and allows us to have exactly 1 CL per branch that fixes the issue.
Bug: 118694079
Change-Id: Ic38a2ca2ddede7f0929779b0f2292b7823c11e87
Merged-In: Idab3ecc246fe9344a09e6907a0ba39f8ea6506f9
Tony Mak [Thu, 29 Nov 2018 17:37:42 +0000 (17:37 +0000)]
RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
Also don't show smart actions for selections in text with unsupported
characters.
Bug: 116321860
Test: runtest -x cts/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
Change-Id: Id271cab8aef6b9b13ef17f1a8654c7616f75cf13
WyattRiley [Thu, 6 Dec 2018 19:43:58 +0000 (11:43 -0800)]
Adding SUPL NI Emergency Extension Time
Configurable by carrier config.xml resource
Bug: 118839234
Bug: 115361555
Bug: 112159033
Test: On device, see b/115361555#comment14
Change-Id: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
Merged-In: I52e61656cca8b6fa6468d32d2e69bf60f4c83c61
Guliz Tuncay [Wed, 16 Aug 2017 19:02:31 +0000 (12:02 -0700)]
Select only preinstalled Spell Checker Services
When we are setting a new spell checker as the default one in
Secure.Settings, TSMS#findAvailSpellCheckerLocked can pick up
any available spell checker service. This violates the principle
that user should be warned whenever we are setting an untrusted
spell checker service as the default service, since the warning
dialog is never shown.
Fixes: 64764051
Bug: 118694079
Test: Manually as follows:
0. Make sure AOSP keyboard is pre-installed.
1. adb shell settings put --user 0 secure selected_spell_checker com.android.inputmethod.latin/.spellcheck.AndroidSpellCheckerService
2. tapas SampleSpellCheckerService
3. make -j
4. adb install --user 0 -r out/target/product/generic/system/app/SampleSpellCheckerService/SampleSpellCheckerService.apk
5. adb shell pm disable com.android.inputmethod.latin
6. adb shell settings get --user 0 secure selected_spell_checker
-> com.android.inputmethod.latin/.spellcheck.AndroidSpellCheckerService
7. adb reboot
8. adb shell settings get --user 0 secure selected_spell_checker
-> com.android.inputmethod.latin/.spellcheck.AndroidSpellCheckerService
Change-Id: I298ffbcfa5e32f43753f54fbebc40a414a5c0f9e
Merged-In: I298ffbcfa5e32f43753f54fbebc40a414a5c0f9e
Jeff Sharkey [Mon, 24 Sep 2018 19:23:57 +0000 (13:23 -0600)]
RESTRICT AUTOMERGE: Recover shady content:// paths.
The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.
This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths. Consider this example:
<path-permission android:pathPrefix="/private" ... />
uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
content://com.example//private
The Uri above will pass the security check, since it's not
technically a prefix match. But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.
Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.
Bug: 112555574
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
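The mismatch described in the commit message above, modelled as an added example (not code from the commit or from AOSP). The two checks are simplified Python stand-ins for path-permission prefix matching and UriMatcher routing; `PROTECTED_PREFIX`, `ROUTES` and every function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed provider configuration mirroring the commit message (hypothetical).
PROTECTED_PREFIX = "/private"   # <path-permission android:pathPrefix="/private" ... />
ROUTES = {("private",): "CODE_PRIVATE", ("public",): "CODE_PUBLIC"}


def path_permission_applies(path):
    """Prefix-style path-permission: a plain string prefix test on the raw path."""
    return path.startswith(PROTECTED_PREFIX)


def path_segments(path):
    """Split into segments, silently dropping zero-length ones (the behaviour
    the commit message attributes to Uri.getPathSegments())."""
    return [seg for seg in path.split("/") if seg]


def route(path):
    """UriMatcher-style routing: only the non-empty segments are compared."""
    return ROUTES.get(tuple(path_segments(path)))


def trim_empty_segments(path):
    """The recovery step: rebuild the path without zero-length segments."""
    return "/" + "/".join(path_segments(path))


def evaluate(uri, recover):
    """Run both checks on a Uri, optionally recovering the path first."""
    path = urlsplit(uri).path
    if recover:
        path = trim_empty_segments(path)
    return {
        "path": path,
        "permission_enforced": path_permission_applies(path),
        "route": route(path),
    }


def is_bypass(result):
    """True when the protected route is reached without the path-permission check."""
    return result["route"] == "CODE_PRIVATE" and not result["permission_enforced"]


if __name__ == "__main__":
    uri = "content://com.example//private"   # the Uri from the commit message
    for recover in (False, True):
        result = evaluate(uri, recover)
        print("recover=%s %s bypass=%s" % (recover, result, is_bypass(result)))
```

Because the recovery runs before both checks, the permission layer and the router see the same path.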
Atanas Kirilov [Fri, 28 Sep 2018 23:21:47 +0000 (23:21 +0000)]
Merge "RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package."" into nyc-dev
Atanas Kirilov [Fri, 28 Sep 2018 23:20:32 +0000 (23:20 +0000)]
Merge "RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions."" into nyc-dev
Atanas Kirilov [Fri, 28 Sep 2018 20:21:54 +0000 (20:21 +0000)]
RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions."
This reverts commit 8da6786608e374c20ae584b1c404fd4894786e46.
Reason for revert: Not a security fix and the security fix needs this cl is reverted.
Bug: 114365189
Change-Id: I1826a5b6889f21fbbe16311a3da66c93e26383f3
Atanas Kirilov [Fri, 28 Sep 2018 20:16:49 +0000 (20:16 +0000)]
RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package."
This reverts commit fa69d725eb99b8c20a15135304bf5be4ea811573.
Reason for revert: triggers other issue.
Bug: 114365189
Change-Id: I746c74b00f4524575279cdaa831435d12425de20
TreeHugger Robot [Thu, 6 Sep 2018 01:29:28 +0000 (01:29 +0000)]
Merge "Verify number of Map entries written to Parcel" into nyc-dev
TreeHugger Robot [Wed, 5 Sep 2018 23:39:21 +0000 (23:39 +0000)]
Merge "Hide overlay windows when requesting media projection permission." into nyc-dev
Wale Ogunwale [Wed, 16 May 2018 23:42:29 +0000 (16:42 -0700)]
Hide overlay windows when requesting media projection permission.
1: Cherry-pick ag/4067454 - Setting PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
updateNonSystemOverlayWindowsVisibilityIfNeeded on relayoutWindow
2: Cherry-pick ag/3650369 - If PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS changed on
relayoutWindow() then updateNonSystemOverlayWindowsVisibilityIfNeeded
3: Add permissions to SystemUI to allow it to hide non-system overlays
Bug: 34170870
Test: manual (see bug for poc)
Change-Id: I57cb0f390d9a78e721c5ddce49a377d385002753
Michael Wachenschwanz [Sat, 25 Aug 2018 04:50:35 +0000 (21:50 -0700)]
Verify number of Map entries written to Parcel
Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.
Fixes: 112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
akirilov [Fri, 24 Aug 2018 22:43:05 +0000 (15:43 -0700)]
RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions.
Bug: 111752150
Test: Manual local test
Change-Id: I0b48a20525f87fc6f5ab8d7e70aa7d11cd747f97
Mihai Popa [Wed, 15 Aug 2018 19:23:35 +0000 (19:23 +0000)]
Merge changes from topic "am-0f30ee3d-94a0-4dc3-bb14-762781265ad9" into nyc-dev
* changes:
  [automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea am: b7a2d47ec2 skipped: 723f13d01f am: 04c7154fd9
  [automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea am: b7a2d47ec2 skipped: 723f13d01f
  [automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea am: b7a2d47ec2
  [automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea
  Fix crash during cursor moving on BiDi text
Mihai Popa [Wed, 15 Aug 2018 19:17:04 +0000 (19:17 +0000)]
Merge "Fix crash during cursor moving on BiDi text" into nyc-dev
Seigo Nonaka [Thu, 19 Jul 2018 23:22:02 +0000 (16:22 -0700)]
Fix crash during cursor moving on BiDi text
The crash was introduced by Ib66ef392c19c937718e7101f6d48fac3abe51ad0
The root cause of the crashing is requesting out-of-line access for the
horizontal width. This invalid access is silently ignored by
TextLine#measure() method, but the new implementation ends up with an out of
bounds access.
To make the behavior match the old implementation, call getHorizontal instead
of accessing the measured result array.
Bug: 78464361, 111580019
Test: Manually done
Change-Id: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
(cherry picked from commit 960647d582911ae7ab8b9491097898e6c313aaf1)
Merged-In: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
Android Build Merger (Role) [Wed, 15 Aug 2018 00:28:52 +0000 (00:28 +0000)]
[automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea am: b7a2d47ec2 skipped: 723f13d01f am: 04c7154fd9
Change-Id: Ic801a54fa6cb048ddf911c7b315849ab40bd7a52
Android Build Merger (Role) [Wed, 15 Aug 2018 00:28:41 +0000 (00:28 +0000)]
[automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea am: b7a2d47ec2 skipped: 723f13d01f
Change-Id: If1607fb19bd806cb6d0f9b9010032e95df6549a8
Android Build Merger (Role) [Wed, 15 Aug 2018 00:26:19 +0000 (00:26 +0000)]
[automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea am: b7a2d47ec2
Change-Id: I6995aab201805b64e81022db295356ef8abda30c
Android Build Merger (Role) [Wed, 15 Aug 2018 00:26:10 +0000 (00:26 +0000)]
[automerger] Fix crash during cursor moving on BiDi text am: 95218ce7ea
Change-Id: Id97c3f508a0dcd82978b06891b3a979921d4be3a
Seigo Nonaka [Thu, 19 Jul 2018 23:22:02 +0000 (16:22 -0700)]
Fix crash during cursor moving on BiDi text
The crash was introduced by Ib66ef392c19c937718e7101f6d48fac3abe51ad0
The root cause of the crashing is requesting out-of-line access for the
horizontal width. This invalid access is silently ignored by
TextLine#measure() method, but the new implementation ends up with an out of
bounds access.
To make the behavior match the old implementation, call getHorizontal instead
of accessing the measured result array.
Bug: 111580019
Test: Manually done
Change-Id: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
Atanas Kirilov [Tue, 14 Aug 2018 19:40:27 +0000 (19:40 +0000)]
Merge "RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package." into nyc-dev
Jeff Sharkey [Wed, 25 Jul 2018 20:52:14 +0000 (14:52 -0600)]
DO NOT MERGE. Extend SQLiteQueryBuilder for update and delete.
Developers often accept selection clauses from untrusted code, and
SQLiteQueryBuilder already supports a "strict" mode to help catch
SQL injection attacks. This change extends the builder to support
update() and delete() calls, so that we can help secure those
selection clauses too.
Bug: 111085900
Test: atest packages/providers/DownloadProvider/tests/
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Change-Id: Ib4fc8400f184755ee7e971ab5f2095186341730c
Merged-In: Ib4fc8400f184755ee7e971ab5f2095186341730c
Jeff Sharkey [Wed, 25 Jul 2018 20:01:59 +0000 (14:01 -0600)]
DO NOT MERGE. Execute "strict" queries with extra parentheses.
SQLiteQueryBuilder has a setStrict() mode which can be used to
detect SQL attacks from untrusted sources, which it does by running
each query twice: once with an extra set of parentheses, and if that
succeeds, it runs the original query verbatim.
This sadly doesn't catch inputs of the type "1=1) OR (1=1", which
creates valid statements for both tests above, but the final executed
query ends up leaking data due to SQLite operator precedence.
Instead, we need to continue compiling both variants, but we need
to execute the query with the additional parentheses to ensure
data won't be leaked.
Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Bug: 111085900
Change-Id: I6e8746fa48f9de13adae37d2990de11c9c585381
Merged-In: I6e8746fa48f9de13adae37d2990de11c9c585381
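The precedence problem from the commit message above, reproduced against an in-memory SQLite database as an added example (not code from the commit or from AOSP). It assumes the builder composes the WHERE clause as `(base) AND (selection)`; the table, its rows and all function names are constructed for illustration.

```python
import sqlite3

BASE_WHERE = "owner = 'app_a'"   # constructed stand-in for the provider's own restriction


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE downloads (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO downloads (owner, title) VALUES (?, ?)",
        [("app_a", "a-1"), ("app_a", "a-2"), ("app_b", "b-secret")],
    )
    return conn


def compose(base_where, selection, extra_parens):
    """Build the statement; extra_parens wraps the caller's selection once more."""
    inner = "(" + selection + ")" if extra_parens else selection
    return ("SELECT title FROM downloads WHERE (" + base_where + ") AND ("
            + inner + ") ORDER BY id")


def compiles(conn, sql):
    """True if SQLite accepts the statement (EXPLAIN compiles it without running it)."""
    try:
        conn.execute("EXPLAIN " + sql).fetchall()
        return True
    except sqlite3.Error:
        return False


def strict_query(conn, base_where, selection, run_wrapped):
    """Compile both variants, then execute the wrapped one (the fix) or the
    original one (the behaviour before the fix)."""
    original = compose(base_where, selection, extra_parens=False)
    wrapped = compose(base_where, selection, extra_parens=True)
    if not (compiles(conn, wrapped) and compiles(conn, original)):
        raise ValueError("selection rejected by strict mode")
    sql = wrapped if run_wrapped else original
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    selection = "1=1) OR (1=1"   # the input quoted in the commit message
    print("original executed:", strict_query(conn, BASE_WHERE, selection, run_wrapped=False))
    print("wrapped executed: ", strict_query(conn, BASE_WHERE, selection, run_wrapped=True))
```

Both variants compile for the quoted input, so the compile check alone never fires; only the choice of which statement is executed changes the rows returned.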
akirilov [Thu, 19 Jul 2018 00:50:05 +0000 (17:50 -0700)]
RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package.
Bug: 67319274
Test: run cts-dev --module CtsPermissionTestCases --test android.permission.cts.RemovePermissionTest#permissionShouldBeRevokedIfRemoved
Change-Id: I69edee8ed044cc2a8cdb01515f7996b004209c81
TreeHugger Robot [Mon, 16 Jul 2018 19:25:14 +0000 (19:25 +0000)]
Merge "Fix TrackInfo parcel write" into nyc-dev
Robert Shih [Mon, 9 Jul 2018 20:38:31 +0000 (13:38 -0700)]
Fix TrackInfo parcel write
Bug: 77600398
Change-Id: Ia316f1c5dc4879f6851fdb78fe8b9039579be7bc
Arthur Ishiguro [Mon, 25 Jun 2018 18:31:33 +0000 (11:31 -0700)]
Resolve inconsistent parcel read in NanoAppFilter
Bug: 77599679
Test: Compile only
Change-Id: Ib417a5cb4d51744442d2fb14437cabbe5fd1c266
akirilov [Thu, 7 Jun 2018 21:36:25 +0000 (14:36 -0700)]
RESTRICT AUTOMERGE: Backporting of b/77821568
Enforce permission check before returning application info
Test: manually tested (see bug for repro steps)
Bug: 77821568
Change-Id: I5d81345b2d958c2bb0a62bbcb8bd8c714a1cf41e
Ryan Mitchell [Wed, 6 Jun 2018 23:33:08 +0000 (23:33 +0000)]
Merge changes from topic "dynamic-ref-se-mnc-dev" into mnc-dr1.5-dev
* changes:
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce am: aeb2fc64d9
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0
  Fix DynamicRefTable::load security bug
Ryan Mitchell [Wed, 6 Jun 2018 23:33:08 +0000 (23:33 +0000)]
Merge changes from topic "dynamic-ref-se-mnc-dev" into cw-e-dev
* changes:
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0
  Fix DynamicRefTable::load security bug
Ryan Mitchell [Wed, 6 Jun 2018 23:33:08 +0000 (23:33 +0000)]
Merge changes from topic "dynamic-ref-se-mnc-dev" into mnc-dr-dev
* changes:
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0
  Fix DynamicRefTable::load security bug
Ryan Mitchell [Wed, 6 Jun 2018 23:33:08 +0000 (23:33 +0000)]
Merge "Fix DynamicRefTable::load security bug" into mnc-dev
Ryan Mitchell [Wed, 6 Jun 2018 23:33:08 +0000 (23:33 +0000)]
Merge changes from topic "dynamic-ref-se-mnc-dev" into nyc-dev
* changes:
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce am: aeb2fc64d9 am: 0938689606
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce am: aeb2fc64d9
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce
  [automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0
  Fix DynamicRefTable::load security bug
TreeHugger Robot [Wed, 6 Jun 2018 22:09:54 +0000 (22:09 +0000)]
Merge changes from topic "am-c1e91e5e-2686-4871-b188-107c0ddf3273" into mnc-dr1.5-dev
* changes:
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436 am: 5a632d1b59
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008
  ResStringPool: Prevenet boot loop from se fix
TreeHugger Robot [Wed, 6 Jun 2018 22:09:54 +0000 (22:09 +0000)]
Merge changes from topic "am-c1e91e5e-2686-4871-b188-107c0ddf3273" into cw-e-dev
* changes:
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008
  ResStringPool: Prevenet boot loop from se fix
TreeHugger Robot [Wed, 6 Jun 2018 22:09:54 +0000 (22:09 +0000)]
Merge changes from topic "am-c1e91e5e-2686-4871-b188-107c0ddf3273" into mnc-dr-dev
* changes:
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008
  ResStringPool: Prevenet boot loop from se fix
TreeHugger Robot [Wed, 6 Jun 2018 22:09:54 +0000 (22:09 +0000)]
Merge "ResStringPool: Prevenet boot loop from se fix" into mnc-dev
TreeHugger Robot [Wed, 6 Jun 2018 22:09:54 +0000 (22:09 +0000)]
Merge changes from topic "am-c1e91e5e-2686-4871-b188-107c0ddf3273" into nyc-dev
* changes:
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436 am: 5a632d1b59 am: 6714a260e6
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436 am: 5a632d1b59
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436
  [automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008
  ResStringPool: Prevenet boot loop from se fix
Android Build Merger (Role) [Wed, 6 Jun 2018 17:12:24 +0000 (17:12 +0000)]
[automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce am: aeb2fc64d9 am: 0938689606
Change-Id: Ib9e372290f9b2e1fa73470db3f7fd67bc9190711
Android Build Merger (Role) [Wed, 6 Jun 2018 17:12:18 +0000 (17:12 +0000)]
[automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce am: aeb2fc64d9
Change-Id: I0556ef6fb1ceb02f4972c7434895cfeb5e13188d
Android Build Merger (Role) [Wed, 6 Jun 2018 17:12:11 +0000 (17:12 +0000)]
[automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce
Change-Id: I17fcbac2b6a7860749ddaabf6324cd89e3b78570
Android Build Merger (Role) [Wed, 6 Jun 2018 17:12:04 +0000 (17:12 +0000)]
[automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0
Change-Id: I17682a41fbacafd30a032bd78b176a883bc7bdd8
Ryan Mitchell [Wed, 30 May 2018 19:17:01 +0000 (12:17 -0700)]
Fix DynamicRefTable::load security bug
DynamicRefTables parsed from apks are missing bounds checks that prevent
buffer overflows. This change verifies the bounds of the header before
attempting to perform operations on the chunk.
Bug: 79488511
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: I02c8ad957da244fce777ac68a482e4e8fa70f846
Merged-In: I02c8ad957da244fce777ac68a482e4e8fa70f846
Android Build Merger (Role) [Wed, 6 Jun 2018 16:27:30 +0000 (16:27 +0000)]
[automerger] Optimise the hit test algorithm am: 3b6f84b77c am: 5b224ccf41 skipped: eb86ac42e6 am: a60d0b2e93
Change-Id: I23ca86e3bf3df6684d88f1be575f2be1599ac9eb
Android Build Merger (Role) [Wed, 6 Jun 2018 16:27:24 +0000 (16:27 +0000)]
[automerger] Optimise the hit test algorithm am: 3b6f84b77c am: 5b224ccf41 skipped: eb86ac42e6
Change-Id: Ida4ae11d778115fb1f0d373523f71845fff88331
Mihai Popa [Wed, 6 Jun 2018 16:21:21 +0000 (16:21 +0000)]
Merge "Optimise the hit test algorithm" into nyc-dev
Android Build Merger (Role) [Wed, 6 Jun 2018 15:05:24 +0000 (15:05 +0000)]
[automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436 am: 5a632d1b59 am: 6714a260e6
Change-Id: I5c8048d78c4e499419cee8b60e1a591c47b5456b
Android Build Merger (Role) [Wed, 6 Jun 2018 15:05:12 +0000 (15:05 +0000)]
[automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436 am: 5a632d1b59
Change-Id: I0de34641572b18ba701f41df542124b6331537c0
Android Build Merger (Role) [Wed, 6 Jun 2018 15:04:54 +0000 (15:04 +0000)]
[automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008 am: fd1097e436
Change-Id: I50e23f33371f7f1e47b65d421628ab771238b278
Android Build Merger (Role) [Wed, 6 Jun 2018 15:04:30 +0000 (15:04 +0000)]
[automerger] ResStringPool: Prevenet boot loop from se fix am: c31cf80008
Change-Id: Ie8651904560e43e89374df132bf30cd615718192
Ryan Mitchell [Mon, 21 May 2018 20:59:23 +0000 (13:59 -0700)]
ResStringPool: Prevenet boot loop from se fix
Changes the logs added in a previous security fix to warnings so
devices with malformed APKs currently on them will not undergo DOS when
they are upgraded to P.
Bug: 79724567
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: Ied54e4bb14abdaf79da562022c7ea6075187c1f8
(cherry picked from commit f05f47b2c1838529e682ad8f931d3da72244b1a1)
Android Build Merger (Role) [Mon, 4 Jun 2018 15:28:37 +0000 (15:28 +0000)]
[automerger] Optimise the hit test algorithm am: 3b6f84b77c am: 5b224ccf41
Change-Id: I4c318ee8e717792cbe25caa830e6567572bd03f7
Android Build Merger (Role) [Mon, 4 Jun 2018 15:28:29 +0000 (15:28 +0000)]
[automerger] Optimise the hit test algorithm am: 3b6f84b77c
Change-Id: I881f5f6db05ad200a6d8507956664c8f25172dc9
Mihai Popa [Wed, 9 May 2018 16:31:48 +0000 (17:31 +0100)]
Optimise the hit test algorithm
Layout#getOffsetForHorizontal was running in O(n^2) time, where n is the
length of the current line. The method is used when a touch event
happens on a text line, to compute the cursor offset (and the character)
where it happened. Although this is not an issue in common usecases,
where the number of characters on a line is relatively small, this can
be very inefficient as a consequence of Unicode containing 0-width
(invisible) characters. Specifically, there are characters defining the
text direction (LTR or RTL), which cause our algorithm to touch the
worst case quadratic runtime. For example, a person is able to send a
message containing a few visible characters, and also a lot of these
direction changing invisible ones. When the receiver touches the message
(causing the Layout#getOffsetForHorizontal method to be called), the
receiver's application would become not responsive.
This CL optimizes the method to run in O(n) worst case. This is achieved
by computing the measurements of all line prefixes at first, which can
be done in a single pass. Then, all the prefix measurement queries will
be answered in O(1), rather than O(n) as it was happening before.
Bug: 79215201
Test: manual testing
Change-Id: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
Mihai Popa [Wed, 9 May 2018 16:31:48 +0000 (17:31 +0100)]
Optimise the hit test algorithm
Layout#getOffsetForHorizontal was running in O(n^2) time, where n is the
length of the current line. The method is used when a touch event
happens on a text line, to compute the cursor offset (and the character)
where it happened. Although this is not an issue in common usecases,
where the number of characters on a line is relatively small, this can
be very inefficient as a consequence of Unicode containing 0-width
(invisible) characters. Specifically, there are characters defining the
text direction (LTR or RTL), which cause our algorithm to touch the
worst case quadratic runtime. For example, a person is able to send a
message containing a few visible characters, and also a lot of these
direction changing invisible ones. When the receiver touches the message
(causing the Layout#getOffsetForHorizontal method to be called), the
receiver's application would become not responsive.
This CL optimizes the method to run in O(n) worst case. This is achieved
by computing the measurements of all line prefixes at first, which can
be done in a single pass. Then, all the prefix measurement queries will
be answered in O(1), rather than O(n) as it was happening before.
Bug: 79215201
Test: manual testing
Change-Id: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
Todd Kennedy [Thu, 3 May 2018 09:05:04 +0000 (10:05 +0100)]
Make safe label more safe
* limit the absolute maximum size of the label to 50000 characters
[which is probably far more than necessary, but, can be dialed down]
* use a string buffer while processing the string [instead of creating
multiple string objects]
Bug: 62537081
Test: Manual. Install APK in bug and see that it can be uninstalled
Change-Id: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
Merged-In: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
Android Build Merger (Role) [Thu, 10 May 2018 17:40:32 +0000 (17:40 +0000)]
[automerger] clearCallingIdentity before calling into getPackageUidAsUser am: 857326e373 am: b1f2848510 am: 884d2c7360 am: 6a42ea18b3
Change-Id: If82fd8b2c76bedf089bec4501169417427854b1d
Android Build Merger (Role) [Thu, 10 May 2018 17:40:27 +0000 (17:40 +0000)]
[automerger] clearCallingIdentity before calling into getPackageUidAsUser am: 857326e373 am: b1f2848510 am: 884d2c7360
Change-Id: I0e5ba8adaed2d6247137319262278fac98f467e1
Android Build Merger (Role) [Thu, 10 May 2018 17:40:22 +0000 (17:40 +0000)]
[automerger] clearCallingIdentity before calling into getPackageUidAsUser am: 857326e373 am: b1f2848510
Change-Id: I689d44b6617f0ed949e3f72367980158ea06ad0d
Android Build Merger (Role) [Thu, 10 May 2018 17:40:16 +0000 (17:40 +0000)]
[automerger] clearCallingIdentity before calling into getPackageUidAsUser am: 857326e373
Change-Id: I2166c2f9ca0a6654e1a88b1d183062eb1564c24d
Tony Mak [Thu, 14 Dec 2017 12:40:07 +0000 (12:40 +0000)]
clearCallingIdentity before calling into getPackageUidAsUser
Fix: 70585244
Bug: 69981755
Test: Enable any accessibility service -> inflate work profile
-> Tap on any work app -> no longer crash
Test: cts-tradefed run cts-dev --module DevicePolicyManager --test com.android.cts.devicepolicy.CrossProfileAppsHostSideTest.testPrimaryUserToManagedProfile
Change-Id: I80d18f4e2ab76a228cb0aa2c8312c323a9b5c84d
Android Build Merger (Role) [Wed, 9 May 2018 17:19:18 +0000 (17:19 +0000)]
[automerger] Nullcheck to fix Autofill CTS am: 6c68a69288 am: 743abb939a am: a99414f51f am: 6b95503960
Change-Id: Ia3658c17dc890ca2de951da5c701e953ce8c969b
Android Build Merger (Role) [Wed, 9 May 2018 17:19:12 +0000 (17:19 +0000)]
[automerger] Nullcheck to fix Autofill CTS am: 6c68a69288 am: 743abb939a am: a99414f51f
Change-Id: I7aaceff0646a5e738ed862c34645e548aabf62f1
Android Build Merger (Role) [Wed, 9 May 2018 17:19:07 +0000 (17:19 +0000)]
[automerger] Nullcheck to fix Autofill CTS am: 6c68a69288 am: 743abb939a
Change-Id: Ia89ea1adb47be3b70f5db292677c4c19194a04db
Android Build Merger (Role) [Wed, 9 May 2018 17:19:02 +0000 (17:19 +0000)]
[automerger] Nullcheck to fix Autofill CTS am: 6c68a69288
Change-Id: I379d54d926e01da53b637bba6b3b1ee8577cbdbb
Eugene Susla [Mon, 11 Dec 2017 18:07:03 +0000 (10:07 -0800)]
Nullcheck to fix Autofill CTS
Test: presubmit
Fixes: 70506475
Bug: 69981755
Change-Id: I187bed4889a4901a7137a2995178ea651ed09186
android-build-team Robot [Thu, 3 May 2018 23:10:52 +0000 (23:10 +0000)]
Merge "DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name" into nyc-dev
Hansong Zhang [Thu, 26 Apr 2018 21:13:45 +0000 (14:13 -0700)]
DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name
Test: manual
Bug: 73173182
Change-Id: I3c25af233742e63351a68e8c5a279b51a94e49e2
Android Build Merger (Role) [Thu, 26 Apr 2018 21:18:32 +0000 (21:18 +0000)]
[automerger] DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name am: 984dfe074c am: 8fbe4bce1e am: 0cd0cef08f skipped: 365fb1c844
Change-Id: I2d42a069fb0b4bae27b8e29e1182e2935c604835
Android Build Merger (Role) [Thu, 26 Apr 2018 21:18:27 +0000 (21:18 +0000)]
[automerger] DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name am: 984dfe074c am: 8fbe4bce1e am: 0cd0cef08f
Change-Id: I937e2d9a676b38f6a18cda70f42d06eaa22ce051
Android Build Merger (Role) [Thu, 26 Apr 2018 21:18:21 +0000 (21:18 +0000)]
[automerger] DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name am: 984dfe074c am: 8fbe4bce1e
Change-Id: If7693b2ff5785a1a09920061b318aaac33f5d6b6
Android Build Merger (Role) [Thu, 26 Apr 2018 21:18:14 +0000 (21:18 +0000)]
[automerger] DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name am: 984dfe074c
Change-Id: Iac403f5118d55d9919745d98eba260dd2929d56c
Hansong Zhang [Thu, 26 Apr 2018 21:13:45 +0000 (14:13 -0700)]
DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name
Test: manual
Bug: 73173182
Change-Id: I3c25af233742e63351a68e8c5a279b51a94e49e2
TreeHugger Robot [Sat, 14 Apr 2018 02:21:07 +0000 (02:21 +0000)]
Merge "DO NOT MERGE (N) Revoke permision when group changed" into nyc-dev
TreeHugger Robot [Sat, 14 Apr 2018 01:56:10 +0000 (01:56 +0000)]
Merge "DO NOT MERGE (M) Revoke permision when group changed" into mnc-dev
Android Build Merger (Role) [Sat, 14 Apr 2018 01:07:25 +0000 (01:07 +0000)]
[automerger] DO NOT MERGE (M) Revoke permision when group changed am: d87a1a7d53 am: 5630564178 am: 90cb8f7b6e skipped: 275e6bf1b4
Change-Id: I40f818e3e3174645c8786263ddbe6428ce927084
Android Build Merger (Role) [Sat, 14 Apr 2018 01:07:19 +0000 (01:07 +0000)]
[automerger] DO NOT MERGE (M) Revoke permision when group changed am: d87a1a7d53 am: 5630564178 am: 90cb8f7b6e
Change-Id: I12743702ec15b7d92b0197496e8a3426777ed4db
Android Build Merger (Role) [Sat, 14 Apr 2018 01:07:14 +0000 (01:07 +0000)]
[automerger] DO NOT MERGE (M) Revoke permision when group changed am: d87a1a7d53 am: 5630564178
Change-Id: I5220d4063a27154243b74e7cd43dc8fd8ffdeb51
Android Build Merger (Role) [Sat, 14 Apr 2018 01:07:08 +0000 (01:07 +0000)]
[automerger] DO NOT MERGE (M) Revoke permision when group changed am: d87a1a7d53
Change-Id: Ie178331d03d590e50a81117498a0f5dabe4d83ae
Philip P. Moltmann [Thu, 12 Apr 2018 23:44:43 +0000 (16:44 -0700)]
DO NOT MERGE (M) Revoke permision when group changed
If a run time permission of a group is already granted we grant the
other permission of the group automatically when requested.
Hence if an already granted permission changed its group during an
update suddenly permission of a potentially not approved group will
get auto-granted.
This is undesirable, hence we revoke the permission during the update
process.
Test: atest android.permission.cts.PermissionGroupChange
Bug: 72710897
Change-Id: Ib2165d1ae53b80455ebe02e07775853e37a2e339
Philip P. Moltmann [Thu, 12 Apr 2018 20:48:13 +0000 (13:48 -0700)]
DO NOT MERGE (N) Revoke permision when group changed
If a run time permission of a group is already granted we grant the
other permission of the group automatically when requested.
Hence if an already granted permission changed its group during an
update suddenly permission of a potentially not approved group will
get auto-granted.
This is undesirable, hence we revoke the permission during the update
process.
Test: atest android.permission.cts.PermissionGroupChange
Bug: 72710897
Change-Id: Ib2165d1ae53b80455ebe02e07775853e37a2e339
Android Build Merger (Role) [Fri, 13 Apr 2018 20:34:34 +0000 (20:34 +0000)]
[automerger] ResStringPool: Fix security vulnerability am: 7e54c3f261 am: 98e2d2ec50 am: 24a89da344 am: d85632ae40
Change-Id: I24a1df41eb29a6ac7e6c67368f07c6702dacf071
Android Build Merger (Role) [Fri, 13 Apr 2018 20:34:29 +0000 (20:34 +0000)]
[automerger] ResStringPool: Fix security vulnerability am: 7e54c3f261 am: 98e2d2ec50 am: 24a89da344
Change-Id: Ia175db4206119bed5e1a6b1aeeff72ae86489d38
Android Build Merger (Role) [Fri, 13 Apr 2018 20:34:24 +0000 (20:34 +0000)]
[automerger] ResStringPool: Fix security vulnerability am: 7e54c3f261 am: 98e2d2ec50
Change-Id: I0a5c57b7a50d9221b3be4d193388ac610ba92f73
Android Build Merger (Role) [Fri, 13 Apr 2018 20:34:20 +0000 (20:34 +0000)]
[automerger] ResStringPool: Fix security vulnerability am: 7e54c3f261
Change-Id: I57e2ea2122d22341c43b9b445291cc4b02ec2b11
y [Fri, 6 Apr 2018 00:57:27 +0000 (17:57 -0700)]
ResStringPool: Fix security vulnerability
Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.
Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
Merged-In: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
akirilov [Tue, 27 Mar 2018 20:08:47 +0000 (13:08 -0700)]
RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to nyc-dev)
Test: added AccessibilityEndToEndTest#testPackageNameCannotBeFaked
cts-tradefed run cts -m CtsAccessibilityServiceTestCases
cts-tradefed run cts -m CtsAccessibilityTestCases
Bug: 69981755
Change-Id: I187e3e9839f654cea9e06e5de93e10e4d1de3109
Android Build Merger (Role) [Mon, 9 Apr 2018 21:00:26 +0000 (21:00 +0000)]
[automerger] RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to mnc-dev) am: de71ee469a am: d672eef559 am: 86f5488521 skipped: 0df0b30be9
Change-Id: Idc789e68b33b1f8fd841204ce9ffb4b988f9c553