OSDN Git Service
Charles He [Thu, 29 Dec 2016 11:03:26 +0000 (11:03 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca am:
2ce5c4320d am:
133ff4d611 am:
00a581f882 am:
e5156ec1e9 am:
9a47fa7fc0 am:
8bcdab7e6f am:
dd7837c5ad
am:
9bc2d6b446
Change-Id: I7e5794885bf78dfd1d755a7fdb0b1edf66b9fdee
Charles He [Thu, 29 Dec 2016 10:55:23 +0000 (10:55 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca am:
2ce5c4320d am:
133ff4d611 am:
00a581f882 am:
e5156ec1e9 am:
9a47fa7fc0 am:
8bcdab7e6f
am:
dd7837c5ad
Change-Id: I2124f52b38314199950d1448cddd2bbd328c85ce
Charles He [Thu, 29 Dec 2016 10:41:25 +0000 (10:41 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca am:
2ce5c4320d am:
133ff4d611 am:
00a581f882 am:
e5156ec1e9 am:
9a47fa7fc0
am:
8bcdab7e6f
Change-Id: I6e41bfad4ce66ca80bca636a5fb4ddc85b71e83a
Charles He [Thu, 29 Dec 2016 10:34:04 +0000 (10:34 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca am:
2ce5c4320d am:
133ff4d611 am:
00a581f882 am:
e5156ec1e9
am:
9a47fa7fc0
Change-Id: Ifb9f5b177f7c031352e6e9cf308e6295f7c60074
Charles He [Thu, 29 Dec 2016 10:25:50 +0000 (10:25 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca am:
2ce5c4320d am:
133ff4d611 am:
00a581f882
am:
e5156ec1e9
Change-Id: I62b79fe7ef5a2febce27729f4709a599832cb3da
Charles He [Thu, 29 Dec 2016 10:18:49 +0000 (10:18 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca am:
2ce5c4320d am:
133ff4d611
am:
00a581f882
Change-Id: I016955744e48d7a91380c2ff39f7c64536a39c7e
Charles He [Thu, 29 Dec 2016 10:11:20 +0000 (10:11 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca am:
2ce5c4320d
am:
133ff4d611
Change-Id: I54b163f645f561243aac3df1a55c1023531997b3
Charles He [Thu, 29 Dec 2016 10:03:53 +0000 (10:03 +0000)]
Prevent writing to FRP partition during factory reset. am:
a9437bd1ca
am:
2ce5c4320d
Change-Id: I29339a634fd22cd46bfc08619464da8fe159a2b7
Charles He [Thu, 29 Dec 2016 09:48:45 +0000 (09:48 +0000)]
Prevent writing to FRP partition during factory reset.
am:
a9437bd1ca
Change-Id: Ib0b8db2357317dc3e680910c08f15f098baf2af9
Andrew Solovay [Wed, 28 Dec 2016 20:24:34 +0000 (20:24 +0000)]
Merge "[DAC FIXIT]: Noted that UNINSTALL_SHORTCUT is no longer supported." into nyc-mr1-dev
am:
61dad4b2fc
Change-Id: I1918b70ad644f7aded33d27bcc55e05478d9f773
Andrew Solovay [Wed, 28 Dec 2016 20:24:30 +0000 (20:24 +0000)]
[DAC FIXIT]: Noted that UNINSTALL_SHORTCUT is no longer supported.
am:
40ba793b33
Change-Id: I5d15df8192fee8362dca8dcc53d84b75af29a13f
Andrew Solovay [Wed, 28 Dec 2016 20:16:26 +0000 (20:16 +0000)]
Merge "[DAC FIXIT]: Noted that UNINSTALL_SHORTCUT is no longer supported." into nyc-mr1-dev
Tom O'Neill [Thu, 22 Dec 2016 18:04:44 +0000 (18:04 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344 am:
d28eef0cc2 am:
1f458fdc66 am:
d82f8a67fc am:
1ac8affd51 am:
56098f81b6 am:
7cec76de0f am:
2da05d0f9e
am:
3b7d90c024
Change-Id: I46c1bf565b04175c8c97c9faeceed55bda41dbde
Tom O'Neill [Thu, 22 Dec 2016 17:59:47 +0000 (17:59 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344 am:
d28eef0cc2 am:
1f458fdc66 am:
d82f8a67fc am:
1ac8affd51 am:
56098f81b6 am:
7cec76de0f
am:
2da05d0f9e
Change-Id: I8c94a06f5fa722312436484609bafcb0585d6d18
Tom O'Neill [Thu, 22 Dec 2016 17:54:44 +0000 (17:54 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344 am:
d28eef0cc2 am:
1f458fdc66 am:
d82f8a67fc am:
1ac8affd51 am:
56098f81b6
am:
7cec76de0f
Change-Id: I9168d45717c26e71bb356dd7304276e23c519bd9
Tom O'Neill [Thu, 22 Dec 2016 17:44:46 +0000 (17:44 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344 am:
d28eef0cc2 am:
1f458fdc66 am:
d82f8a67fc am:
1ac8affd51
am:
56098f81b6
Change-Id: I14fcacaede569580c8ca8e5bbbebb408ddcce76a
Tom O'Neill [Thu, 22 Dec 2016 17:39:18 +0000 (17:39 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344 am:
d28eef0cc2 am:
1f458fdc66 am:
d82f8a67fc
am:
1ac8affd51
Change-Id: I965c900e266a9189c595612cef6ddac839498949
Tom O'Neill [Thu, 22 Dec 2016 17:34:11 +0000 (17:34 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344 am:
d28eef0cc2 am:
1f458fdc66
am:
d82f8a67fc
Change-Id: I25e43680e464c5169e8a5b9e8151b0dab2d2cf86
Tom O'Neill [Thu, 22 Dec 2016 17:29:05 +0000 (17:29 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344 am:
d28eef0cc2
am:
1f458fdc66
Change-Id: I61d4b25ee0264397693f30e2091997c058d0c5fc
Tom O'Neill [Thu, 22 Dec 2016 17:23:39 +0000 (17:23 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b am:
1684e5f344
am:
d28eef0cc2
Change-Id: If937d91cee2bb06406cf3cd1ae6ac3402a51e88d
Tom O'Neill [Thu, 22 Dec 2016 17:19:10 +0000 (17:19 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516 am:
0a8978f04b
am:
1684e5f344
Change-Id: I0ebd2856e2e2f3793273ba952b44dc77e85b021e
Tom O'Neill [Thu, 22 Dec 2016 17:14:05 +0000 (17:14 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872 am:
3380a77516
am:
0a8978f04b
Change-Id: I693665a57465ec57f946fad57cda9ce48389408f
Tom O'Neill [Thu, 22 Dec 2016 17:09:09 +0000 (17:09 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e am:
d417e54872
am:
3380a77516
Change-Id: Ice61f337e1fcfd0569431538e475d94f9d205423
Tom O'Neill [Thu, 22 Dec 2016 17:04:07 +0000 (17:04 +0000)]
Fix exploit where can hide the fact that a location was mocked am:
a206a0f17e
am:
d417e54872
Change-Id: I2f47020055f962b36f095137d75c9cbfe6b1a6db
Tom O'Neill [Thu, 22 Dec 2016 16:58:33 +0000 (16:58 +0000)]
Fix exploit where can hide the fact that a location was mocked
am:
a206a0f17e
Change-Id: Ib3af056919a4b909d3d11dd3fe2b46eaa7cdf0f4
Mark Lu [Mon, 19 Dec 2016 20:22:00 +0000 (20:22 +0000)]
Merge "docs: remove implicit intent from bindService and startService" into nyc-mr1-dev
am:
cbfb58c9d7
Change-Id: If12008d4e9fe1883c6c4f21e6e6736045b325182
Mark Lu [Mon, 19 Dec 2016 20:21:57 +0000 (20:21 +0000)]
docs: remove implicit intent from bindService and startService
am:
94ebbe0e58
Change-Id: Iaf24452f3456703c917a2a574ff218c9eac854bd
Mark Lu [Mon, 19 Dec 2016 20:16:15 +0000 (20:16 +0000)]
docs: update Paint.setTextSize() to indicate pixel units
am:
5f05256106
Change-Id: I9709ea36fe7657c8a06abe1c58760b30112e0e63
Mark Lu [Mon, 19 Dec 2016 20:13:15 +0000 (20:13 +0000)]
Merge "docs: remove implicit intent from bindService and startService" into nyc-mr1-dev
Charles Mendis [Mon, 19 Dec 2016 19:05:49 +0000 (19:05 +0000)]
Merge "Fix OnCancelListener for Dialogs on swipe to dismiss." into cw-f-dev
Mark Lu [Wed, 14 Dec 2016 00:29:51 +0000 (16:29 -0800)]
docs: remove implicit intent from bindService and startService
bug:
18295867
Change-Id: Ib4b561dd215f4b124ce9a90b446bc03676f7e00a
Mark Lu [Fri, 16 Dec 2016 22:23:47 +0000 (14:23 -0800)]
docs: update Paint.setTextSize() to indicate pixel units
bug:
2321154
Change-Id: Ic71404677a8079c744b99d4848d69c6ff52089ab
Joe Fernandez [Sat, 17 Dec 2016 04:48:04 +0000 (04:48 +0000)]
docs: Add deprecation message for the developer.android.com docs am:
b9bd6cca9e am:
045ae0458a
am:
e161f75d38
Change-Id: I622c23e61f4e8db5a51a9d2425cc1fe379ec9505
Joe Fernandez [Sat, 17 Dec 2016 04:37:05 +0000 (04:37 +0000)]
docs: Add deprecation message for the developer.android.com docs am:
b9bd6cca9e
am:
045ae0458a
Change-Id: I2257467a9b263897d2af594720de61d29a982709
Joe Fernandez [Sat, 17 Dec 2016 04:26:02 +0000 (04:26 +0000)]
docs: Add deprecation message for the developer.android.com docs
am:
b9bd6cca9e
Change-Id: I3ba7d4519c491bdf09836f096106b4a6bc52e116
Svet Ganov [Sat, 17 Dec 2016 03:42:58 +0000 (03:42 +0000)]
[DO NOT MERGE] Fix vulnerability in MemoryIntArray - fix build file am:
c3db570a00 -s ours am:
c91845f753
am:
5034efbaf3
Change-Id: I22c38f921047ba7ecea5826701e3024de9a3d110
Svet Ganov [Sat, 17 Dec 2016 03:32:01 +0000 (03:32 +0000)]
[DO NOT MERGE] Fix vulnerability in MemoryIntArray - fix build file am:
c3db570a00 -s ours
am:
c91845f753
Change-Id: Ia85d2855dd8360b94fecb4bf6cd280ea4518d0e1
Svet Ganov [Sat, 17 Dec 2016 03:21:28 +0000 (03:21 +0000)]
[DO NOT MERGE] Fix vulnerability in MemoryIntArray - fix build file
am:
c3db570a00 -s ours
Change-Id: I63b03cd2b057f95aefab23cdb4a29766ec304544
Joe Fernandez [Sat, 17 Dec 2016 02:20:56 +0000 (18:20 -0800)]
docs: Add deprecation message for the developer.android.com docs
Change-Id: Ia091df49099482696abbc3a596cf1787ca904d67
Mark Lu [Sat, 17 Dec 2016 02:19:55 +0000 (02:19 +0000)]
Merge "docs: update description for BitmapFactory.Options#inBitmap" into nyc-mr1-dev
am:
88e64bb739
Change-Id: Idcaf2dabd54d5fc07cce825e44237ddb3fc0e51f
Mark Lu [Sat, 17 Dec 2016 02:19:51 +0000 (02:19 +0000)]
docs: update description for BitmapFactory.Options#inBitmap
am:
a8f4286272
Change-Id: I163f1f5f8a9d688407aa7c0d76895bf18efa3430
Mark Lu [Sat, 17 Dec 2016 02:04:23 +0000 (02:04 +0000)]
Merge "docs: update description for BitmapFactory.Options#inBitmap" into nyc-mr1-dev
Mark Lu [Fri, 16 Dec 2016 23:43:27 +0000 (15:43 -0800)]
docs: update description for BitmapFactory.Options#inBitmap
bug:
18730109
Change-Id: Iab062d41af3a32208d3500179d3737278a035188
Michael Kwan [Fri, 16 Dec 2016 20:38:10 +0000 (12:38 -0800)]
Fix OnCancelListener for Dialogs on swipe to dismiss.
Swipe to dismiss on dialogs did not dispatch onCancel events
to OnCancelListeners. Resolve by adding listener to monitor
swipe to dismiss events and dispatch onCancel events when
that occurs.
Bug:
33663411
Change-Id: I64ff29e008d485a4559eb3d1ff7f0e74dccff404
Mark Lu [Fri, 16 Dec 2016 04:59:10 +0000 (04:59 +0000)]
Merge "docs: changes to broadcast documentation" into nyc-mr1-dev
am:
7b22d549d4
Change-Id: I41ac74d65f48258c21afcbd39bf1eb518976a5f2
Mark Lu [Fri, 16 Dec 2016 04:59:08 +0000 (04:59 +0000)]
docs: changes to broadcast documentation
am:
33ec106d22
Change-Id: I673efc100756ee6d6ef0d2afa99d48d471ce0987
Mark Lu [Fri, 16 Dec 2016 04:48:36 +0000 (04:48 +0000)]
Merge "docs: changes to broadcast documentation" into nyc-mr1-dev
Svet Ganov [Thu, 15 Dec 2016 22:51:17 +0000 (14:51 -0800)]
[DO NOT MERGE] Fix vulnerability in MemoryIntArray - fix build file
bug:
33039926
bug:
33042690
Change-Id: If0431b77ec546c72f8cc25bb605a851572bb22a6
Michael Kwan [Thu, 15 Dec 2016 21:09:53 +0000 (21:09 +0000)]
Merge "Fix swipe-to-dismiss to properly react to swipe gestures." into cw-f-dev
Tom O'Neill [Thu, 15 Dec 2016 18:26:28 +0000 (10:26 -0800)]
Fix exploit where can hide the fact that a location was mocked
- Even if call setTestProviderLocation() with inconsistent providers,
should still end up with a location that is flagged as mocked
- Bug:
33091107
Change-Id: I39e038f25b975989c2e8651bfd9ec9e74073e6cd
Phil Weaver [Wed, 2 Nov 2016 22:40:42 +0000 (15:40 -0700)]
Add null check to a11y interrupt.
Also adding same robustness to interrupt that we have for
sending a11y events.
Bug:
32507871
Test: Ran a11y CTS. Verified manually with sample app
that sends interrupt and accessibility service that
crashes when started. That case used to crash the
app, and doesn't anymore.
Change-Id: I5cf05dcbb54ea23ae876cb3258dd206c55dce775
(cherry picked from commit
867ad35d9c676b5ba2047b0fc9a4006737e5c4aa)
Julius D'souza [Wed, 14 Dec 2016 19:18:04 +0000 (19:18 +0000)]
fix case issues with mGoingIdleWakeLock in DeviceIdleController am:
e6f8cb29ec -s ours am:
7a69e8f3d8 am:
af0b547fc7 am:
20081c4e71
am:
8cc9f081aa
Change-Id: I39ecaf420d8bc4390c737fd378fd0e32202e2d8c
Julius D'souza [Wed, 14 Dec 2016 19:11:59 +0000 (19:11 +0000)]
fix case issues with mGoingIdleWakeLock in DeviceIdleController am:
e6f8cb29ec -s ours am:
7a69e8f3d8 am:
af0b547fc7
am:
20081c4e71
Change-Id: I5e461a835cf64ba69894da2c5493a9d8a1ebcbcf
Julius D'souza [Wed, 14 Dec 2016 19:06:29 +0000 (19:06 +0000)]
fix case issues with mGoingIdleWakeLock in DeviceIdleController am:
e6f8cb29ec -s ours am:
7a69e8f3d8
am:
af0b547fc7
Change-Id: I23ef765ebbd2dde2110946fcc46c6b61e11733f2
Julius D'souza [Wed, 14 Dec 2016 19:00:38 +0000 (19:00 +0000)]
fix case issues with mGoingIdleWakeLock in DeviceIdleController am:
e6f8cb29ec -s ours
am:
7a69e8f3d8
Change-Id: I581e1cd6ef0dec7042802b29dd76db8ffc02cec3
Julius D'souza [Wed, 14 Dec 2016 18:54:02 +0000 (18:54 +0000)]
fix case issues with mGoingIdleWakeLock in DeviceIdleController
am:
e6f8cb29ec -s ours
Change-Id: Ia7bdba0fd3d52bb2d7c33f81d376336563f3a5cb
Julius D'souza [Wed, 14 Dec 2016 18:30:25 +0000 (10:30 -0800)]
fix case issues with mGoingIdleWakeLock in DeviceIdleController
Bug:
31900521
Change-Id: I9484b10f0e6b99dfaf11266bb275a31d7ff3868c
Julius D'souza [Wed, 14 Dec 2016 18:09:25 +0000 (18:09 +0000)]
DO NOT MERGE ANYWHERE: Hold a wake lock while DeviceIdleController is going idle. am:
f9f39cc4a8 -s ours am:
589f83e686 -s ours am:
495aa09cc6 -s ours am:
10a9005003 -s ours
am:
03c946e06b -s ours
Change-Id: I75323469d9e15ea3b8652bb5f972d0e14a06cc7a
Julius D'souza [Wed, 14 Dec 2016 18:03:26 +0000 (18:03 +0000)]
DO NOT MERGE ANYWHERE: Hold a wake lock while DeviceIdleController is going idle. am:
f9f39cc4a8 -s ours am:
589f83e686 -s ours am:
495aa09cc6 -s ours
am:
10a9005003 -s ours
Change-Id: I7a1d2d5b60b27765b2381e6d85fd3f8e967a40e1
Julius D'souza [Wed, 14 Dec 2016 17:56:53 +0000 (17:56 +0000)]
DO NOT MERGE ANYWHERE: Hold a wake lock while DeviceIdleController is going idle. am:
f9f39cc4a8 -s ours am:
589f83e686 -s ours
am:
495aa09cc6 -s ours
Change-Id: I0f1a50fac9a6fc8a5c21b890aaa3aea5ea2aca74
Julius D'souza [Wed, 14 Dec 2016 17:51:28 +0000 (17:51 +0000)]
DO NOT MERGE ANYWHERE: Hold a wake lock while DeviceIdleController is going idle. am:
f9f39cc4a8 -s ours
am:
589f83e686 -s ours
Change-Id: I76a619ed9824174735d0a86c55fe13a3d6e90ec5
Julius D'souza [Wed, 14 Dec 2016 17:44:27 +0000 (17:44 +0000)]
DO NOT MERGE ANYWHERE: Hold a wake lock while DeviceIdleController is going idle.
am:
f9f39cc4a8 -s ours
Change-Id: Ibd0b18a9e833afcc85845f4db57a927e80739cc2
Charles He [Thu, 24 Nov 2016 14:05:00 +0000 (14:05 +0000)]
Prevent writing to FRP partition during factory reset.
Avoid potential race condition between FRP wipe and write operations
during factory reset by making the FRP partition unwritable after
wipe.
Bug:
30352311
Test: manual
Change-Id: If3f024a1611366c0677a996705724458094fcfad
(cherry picked from commit
a629c772f4a7a5ddf7ff9f78fb19f7ab86c2a9c2)
Mark Lu [Mon, 5 Dec 2016 18:57:55 +0000 (10:57 -0800)]
docs: changes to broadcast documentation
- move BroadcastReceiver info to developer guide. see cl/
140402421
- add usage note to CONNECTIVITY_ACTION broadcast
bug:
32533262
bug:
33106411
Change-Id: Ic2aa517831d29418e0c42aa6fc1e7f9aeb50f802
Julius D'souza [Tue, 13 Dec 2016 01:15:17 +0000 (17:15 -0800)]
DO NOT MERGE ANYWHERE: Hold a wake lock while DeviceIdleController
is going idle.
The inputs to DeviceIdleController (alarm manager, sensors)
hold wake locks while they call it. But then the real work
happens in a handler which is outside of the wakelock, so
listeners don't get a chance to run right away, which in
the case of NetworkPolicyManager means the device is in a
higher power state than it should be.
It's not clear that this will 100% fix the bug, because
NetworkPolicyManagerService also has its own internal
Handler, and isn't holding its own wakelock for this,
but this change allows NPMS to be fixed if it really
needed to be.
Bug:
31900521
Change-Id: I706045aa189147824c9214c57abc13993aee9a5b
Michael Kwan [Wed, 14 Dec 2016 01:10:12 +0000 (17:10 -0800)]
Fix swipe-to-dismiss to properly react to swipe gestures.
Test: manual test
Bug:
33588580
Change-Id: If8d03f90a25e989e254e3a21bafef4e76bab5d7b
Ivan Podogov [Tue, 13 Dec 2016 15:55:24 +0000 (15:55 +0000)]
Merge changes from topic 'f-radio-toggle' into cw-f-dev
* changes:
Add WiFi toggle prompts - framework
Add Bluetooth toggle prompts - framework
TreeHugger Robot [Fri, 9 Dec 2016 17:22:19 +0000 (17:22 +0000)]
Merge "Fix race condition bug related to freezing apps." into cw-f-dev
Jeff Sharkey [Fri, 9 Dec 2016 16:06:12 +0000 (09:06 -0700)]
Fix race condition bug related to freezing apps.
Consider the following situation:
1. Package is frozen.
2. We try forking the app while frozen, causing a ProcessRecord with
PID 0 to be recorded in mProcessNames. As a result of the failed
fork, removeProcessLocked() tears down that ProcessRecord, but a
special case records it into mRemovedProcesses.
3. Package is unfrozen.
4. We try forking the app, and this time it proceeds normally now
that we're unfrozen. The new valid ProcessRecord is recorded in
mProcessNames.
5. activityIdleInternalLocked() triggers a clean-up pass of
mRemovedProcesses. trimApplications() ends up cleaning up the
stale reference from (2) above *by hash key* and not *by reference*,
which causes us to remove the new valid ProcessRecord. This results
in the valid ProcessRecord in (4) becoming an orphaned PID, which
starts a chain reaction of havoc that ensues.
This issue is fixed by checking the expected ProcessRecord by value
before actually removing it, thus preventing orphaned PIDs.
Test: builds, boots, over 600 installs without orphaned PIDs
Bug:
28395549
Change-Id: I5ea1b31c3fd374ea7f5cc40ff35bb9195d9f3e2b
Svetoslav Ganov [Fri, 9 Dec 2016 01:48:16 +0000 (01:48 +0000)]
Fix vulnerability in MemoryIntArray am:
1181f448c1
am:
d08cf2b071
Change-Id: I436a09f1e49626fa45a7f6cc6bff92b2e5486a97
Svetoslav Ganov [Fri, 9 Dec 2016 01:43:52 +0000 (01:43 +0000)]
Fix vulnerability in MemoryIntArray
am:
1181f448c1
Change-Id: I4217066be49bb9525e945f110c22eb864ec6c212
Svetoslav Ganov [Thu, 8 Dec 2016 23:58:02 +0000 (23:58 +0000)]
Fix vulnerability in MemoryIntArray
MemoryIntArray was using the size of the undelying
ashmem region to mmap the data but the ashmem size
can be changed until the former is memory mapped.
Since we use the ashmem region size for boundary
checking and memory unmapping if it does not match
the size used while mapping an attacker can force
the system to unmap memory or to access undefined
memory and crash.
Also we were passing the memory address where the
ashmem region is mapped in the owner process to
support cases where the client can pass back the
MemoryIntArray instance. This allows an attacker
to put invalid address and cause arbitrary memory
to be freed.
Now we no longer support passing back the instance
to the owner process (the passed back instance is
read only), so no need to pass the memory adress
of the owner's mapping, thus not allowing freeing
arbitrary memory.
Further, we now check the memory mapped size against
the size of the underlying ashmem region after we do
the memory mapping (to fix the ahsmem size) and if
an attacker changed the size under us we throw.
Tests: Updated the tests and they pass.
bug:
33039926
bug:
33042690
Change-Id: Ibf56827209a9b791aa83ae679219baf829ffc2ac
Bill Napier [Thu, 8 Dec 2016 22:34:34 +0000 (22:34 +0000)]
Revert "Fix vulnerability in MemoryIntArray am:
a97171ec49" am:
43966dafb3
am:
498547ec6c
Change-Id: I8874250d553a7271305efc3f027c933e4aad3b1d
Bill Napier [Thu, 8 Dec 2016 22:30:02 +0000 (22:30 +0000)]
Revert "Fix vulnerability in MemoryIntArray am:
a97171ec49"
am:
43966dafb3
Change-Id: I01bc83edd411dc39cb696e64ea35b5d4a8497fbf
Bill Napier [Thu, 8 Dec 2016 22:22:38 +0000 (22:22 +0000)]
Revert "Fix vulnerability in MemoryIntArray am:
a97171ec49"
This reverts commit
fb12dd509f8e106d034f67c2e404845128128994.
Change-Id: I9e1b22b8df0e754095541a758096cba279a81ab1
Svetoslav Ganov [Thu, 8 Dec 2016 21:46:34 +0000 (21:46 +0000)]
Fix vulnerability in MemoryIntArray am:
a97171ec49 am:
fb12dd509f
am:
a5ee109029
Change-Id: If1b852faa812b0bcb7419ae0f75a3e2349926de0
Svetoslav Ganov [Thu, 8 Dec 2016 21:42:05 +0000 (21:42 +0000)]
Fix vulnerability in MemoryIntArray am:
a97171ec49
am:
fb12dd509f
Change-Id: I269ec7d61ebdc9f485d759d1398d5fa4eacf868f
Svetoslav Ganov [Thu, 8 Dec 2016 21:37:33 +0000 (21:37 +0000)]
Fix vulnerability in MemoryIntArray
am:
a97171ec49
Change-Id: Ifa2221a9b8ca705ef0239d61772938ac11761ce2
Svetoslav Ganov [Thu, 8 Dec 2016 19:48:19 +0000 (11:48 -0800)]
Fix vulnerability in MemoryIntArray
MemoryIntArray was using the size of the undelying
ashmem region to mmap the data but the ashmem size
can be changed until the former is memory mapped.
Since we use the ashmem region size for boundary
checking and memory unmapping if it does not match
the size used while mapping an attacker can force
the system to unmap memory or to access undefined
memory and crash.
Also we were passing the memory address where the
ashmem region is mapped in the owner process to
support cases where the client can pass back the
MemoryIntArray instance. This allows an attacker
to put invalid address and cause arbitrary memory
to be freed.
Now we no longer support passing back the instance
to the owner process (the passed back instance is
read only), so no need to pass the memory adress
of the owner's mapping, thus not allowing freeing
arbitrary memory.
Further, we now check the memory mapped size against
the size of the underlying ashmem region after we do
the memory mapping (to fix the ahsmem size) and if
an attacker changed the size under us we throw.
Tests: Updated the tests and they pass.
bug:
33039926
bug:
33042690
Change-Id: I1004579181ff7a223ef659e85c46100c47ab2409
TreeHugger Robot [Thu, 8 Dec 2016 17:00:37 +0000 (17:00 +0000)]
Merge "Import translations. DO NOT MERGE" into cw-f-dev
TreeHugger Robot [Thu, 8 Dec 2016 17:00:10 +0000 (17:00 +0000)]
Merge "Import translations. DO NOT MERGE" into cw-f-dev
TreeHugger Robot [Thu, 8 Dec 2016 16:59:44 +0000 (16:59 +0000)]
Merge "Import translations. DO NOT MERGE" into cw-f-dev
TreeHugger Robot [Thu, 8 Dec 2016 16:59:16 +0000 (16:59 +0000)]
Merge "Import translations. DO NOT MERGE" into cw-f-dev
TreeHugger Robot [Thu, 8 Dec 2016 16:58:48 +0000 (16:58 +0000)]
Merge "Import translations. DO NOT MERGE" into cw-f-dev
Bill Yi [Thu, 8 Dec 2016 07:47:19 +0000 (23:47 -0800)]
Import translations. DO NOT MERGE
Change-Id: Iaf10ebaae14bf032c8e6ee512c3968c970b6438e
Auto-generated-cl: translation import
Bill Yi [Thu, 8 Dec 2016 07:21:48 +0000 (23:21 -0800)]
Import translations. DO NOT MERGE
Change-Id: I82ffbc76e650cbe5b782ad8ff4a257270d11b03f
Auto-generated-cl: translation import
Bill Yi [Thu, 8 Dec 2016 07:18:44 +0000 (23:18 -0800)]
Import translations. DO NOT MERGE
Change-Id: Ifebc058ab8d5b151e49ef51ea2fd895817d70bd9
Auto-generated-cl: translation import
Bill Yi [Thu, 8 Dec 2016 07:00:43 +0000 (23:00 -0800)]
Import translations. DO NOT MERGE
Change-Id: I1b1c0c189c1979a7a885b4e6e6fef21bae6dd22a
Auto-generated-cl: translation import
Bill Yi [Thu, 8 Dec 2016 06:46:57 +0000 (22:46 -0800)]
Import translations. DO NOT MERGE
Change-Id: I4de79adeee71e5aa9f9055d09f6a6dd14d6a5dec
Auto-generated-cl: translation import
Svetoslav Ganov [Thu, 8 Dec 2016 02:36:54 +0000 (02:36 +0000)]
Revert "Fix vulnerability in MemoryIntArray" am:
1f06508bc6 am:
64b5725900
am:
60357eb6bd
Change-Id: Ib81f6d25a1f59c14f47fe79325c95b02c7cbe639
Svetoslav Ganov [Thu, 8 Dec 2016 02:33:00 +0000 (02:33 +0000)]
Revert "Fix vulnerability in MemoryIntArray" am:
1f06508bc6
am:
64b5725900
Change-Id: Id7021fb02059cfb3bb9184ef24f417c0be7f55b9
Svetoslav Ganov [Thu, 8 Dec 2016 02:29:00 +0000 (02:29 +0000)]
Revert "Fix vulnerability in MemoryIntArray"
am:
1f06508bc6
Change-Id: Id387817495b1857f304203c8487da3db49bdd0e4
Svetoslav Ganov [Thu, 8 Dec 2016 02:17:40 +0000 (02:17 +0000)]
Revert "Fix vulnerability in MemoryIntArray"
This reverts commit
4694cad51122c20880d00389ef95833d7a14b358.
Change-Id: I235ea3c4bd86d90bf97bc1a2d023f4780251e570
Svetoslav Ganov [Thu, 8 Dec 2016 02:00:55 +0000 (02:00 +0000)]
Fix vulnerability in MemoryIntArray am:
4694cad511 am:
ec40a70ffb
am:
138a541eaa
Change-Id: I659d82f39cab9f6d73ceb118cdc74307ee995dfb
Svetoslav Ganov [Thu, 8 Dec 2016 01:56:24 +0000 (01:56 +0000)]
Fix vulnerability in MemoryIntArray am:
4694cad511
am:
ec40a70ffb
Change-Id: I5d03aaa04fe13b3af20bcc61e9bb925b471ab825
Aart Bik [Thu, 8 Dec 2016 01:52:51 +0000 (01:52 +0000)]
Revert "Fix vulnerability in MemoryIntArray" am:
29139a8ae5 am:
86699f980f
am:
65cf055ad9
Change-Id: Iae6e4fe6eada607d71a20b8ea588ee8efd56a8e0
Svetoslav Ganov [Thu, 8 Dec 2016 01:49:21 +0000 (01:49 +0000)]
Fix vulnerability in MemoryIntArray
am:
4694cad511
Change-Id: I64257a851c06e4a333056ee132ff8a2ea29aef5c
Aart Bik [Thu, 8 Dec 2016 01:44:54 +0000 (01:44 +0000)]
Revert "Fix vulnerability in MemoryIntArray" am:
29139a8ae5
am:
86699f980f
Change-Id: I7876874ba0d6815920f21021a47e3fe1b3e1c42f
Aart Bik [Thu, 8 Dec 2016 01:36:50 +0000 (01:36 +0000)]
Revert "Fix vulnerability in MemoryIntArray"
am:
29139a8ae5
Change-Id: I3975cfc51bd03a65855c113dfdb827d24471e0ba
Svetoslav Ganov [Thu, 8 Dec 2016 01:30:38 +0000 (01:30 +0000)]
Fix vulnerability in MemoryIntArray
MemoryIntArray was using the size of the undelying
ashmem region to mmap the data but the ashmem size
can be changed until the former is memory mapped.
Since we use the ashmem region size for boundary
checking and memory unmapping if it does not match
the size used while mapping an attacker can force
the system to unmap memory or to access undefined
memory and crash.
Also we were passing the memory address where the
ashmem region is mapped in the owner process to
support cases where the client can pass back the
MemoryIntArray instance. This allows an attacker
to put invalid address and cause arbitrary memory
to be freed.
Now we no longer support passing back the instance
to the owner process (the passed back instance is
read only), so no need to pass the memory adress
of the owner's mapping, thus not allowing freeing
arbitrary memory.
Further, we now check the memory mapped size against
the size of the underlying ashmem region after we do
the memory mapping (to fix the ahsmem size) and if
an attacker changed the size under us we throw.
Tests: Updated the tests and they pass.
bug:
33039926
bug:
33042690
Change-Id: Id7f0e8a4c861b0b9fa796767e0c22d96633b14d1
OSDN Git Service
