OSDN Git Service

android-x86/frameworks-native.git
7 years agoMerge "libgui: Check slot received from IGBP in Surface" into lmp-dev
TreeHugger Robot [Tue, 16 May 2017 20:30:06 +0000 (20:30 +0000)]
Merge "libgui: Check slot received from IGBP in Surface" into lmp-dev

7 years agoMerge "ui: Fix bad size check in Fence::unflatten" into klp-dev am: 25556811f0 am...
Chris Forbes [Tue, 16 May 2017 19:15:38 +0000 (19:15 +0000)]
Merge "ui: Fix bad size check in Fence::unflatten" into klp-dev am: 25556811f0 am: 71d3ef1340
am: 5c5ee81b0c

Change-Id: Ie7ec2067057ea2dbd4b9af0c93a00ba53879b72f

7 years agoMerge "ui: Fix bad size check in Fence::unflatten" into klp-dev am: 25556811f0
Chris Forbes [Tue, 16 May 2017 19:12:38 +0000 (19:12 +0000)]
Merge "ui: Fix bad size check in Fence::unflatten" into klp-dev am: 25556811f0
am: 71d3ef1340

Change-Id: I75797414173ebfb38eefe02ac0a635f10c59d883

7 years agoMerge "ui: Fix bad size check in Fence::unflatten" into klp-dev
Chris Forbes [Tue, 16 May 2017 19:10:08 +0000 (19:10 +0000)]
Merge "ui: Fix bad size check in Fence::unflatten" into klp-dev
am: 25556811f0

Change-Id: I5a267f8dccb75625fafd96e67bc0fbb9a2492ce7

7 years agoMerge "ui: Fix bad size check in Fence::unflatten" into klp-dev
Chris Forbes [Tue, 16 May 2017 19:00:54 +0000 (19:00 +0000)]
Merge "ui: Fix bad size check in Fence::unflatten" into klp-dev

7 years agoui: Fix bad size check in Fence::unflatten
Chris Forbes [Wed, 10 May 2017 20:12:00 +0000 (13:12 -0700)]
ui: Fix bad size check in Fence::unflatten

Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.

Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad

7 years agolibgui: Check slot received from IGBP in Surface
Dan Stoza [Mon, 1 May 2017 23:31:53 +0000 (16:31 -0700)]
libgui: Check slot received from IGBP in Surface

Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa

7 years agolibgui: Check slot received from IGBP in Surface am: ac93b3a30e am: 7cb9cd3df2
Dan Stoza [Mon, 15 May 2017 18:13:30 +0000 (18:13 +0000)]
libgui: Check slot received from IGBP in Surface am: ac93b3a30e am: 7cb9cd3df2
am: 057ae95ab2  -s ours

Change-Id: I2c6441b19650f31c7bbab9ce22191ae162ba9e58

7 years agolibgui: Check slot received from IGBP in Surface am: ac93b3a30e
Dan Stoza [Mon, 15 May 2017 18:02:29 +0000 (18:02 +0000)]
libgui: Check slot received from IGBP in Surface am: ac93b3a30e
am: 7cb9cd3df2

Change-Id: Iff706258762cac4bfb7d97af7d365412d9ee661d

7 years agolibgui: Check slot received from IGBP in Surface
Dan Stoza [Mon, 15 May 2017 17:59:58 +0000 (17:59 +0000)]
libgui: Check slot received from IGBP in Surface
am: ac93b3a30e

Change-Id: I6ab9bc7f577634c0bf23359b5eb60e6dd07e4854

7 years agolibgui: Check slot received from IGBP in Surface
Dan Stoza [Mon, 1 May 2017 23:31:53 +0000 (16:31 -0700)]
libgui: Check slot received from IGBP in Surface

Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa

7 years agoFix security vulnerability am: 2ae83f4f62 am: 11ab583834
Fabien Sanglard [Thu, 2 Feb 2017 01:31:32 +0000 (01:31 +0000)]
Fix security vulnerability am: 2ae83f4f62 am: 11ab583834
am: ac2b87ac0f

Change-Id: I3b249a9ec1820917dc015c72bd093535927c9ed6

7 years agoFix security vulnerability am: 2ae83f4f62
Fabien Sanglard [Thu, 2 Feb 2017 01:29:02 +0000 (01:29 +0000)]
Fix security vulnerability am: 2ae83f4f62
am: 11ab583834

Change-Id: I09ec85b9f83e1f4458940415cd07f6fca725c552

7 years agoFix security vulnerability
Fabien Sanglard [Thu, 2 Feb 2017 01:27:03 +0000 (01:27 +0000)]
Fix security vulnerability
am: 2ae83f4f62

Change-Id: Ie0590dbb8429b5b289f3095055abdc8d29b95a7f

8 years agoFix security vulnerability
Fabien Sanglard [Thu, 19 Jan 2017 19:13:20 +0000 (11:13 -0800)]
Fix security vulnerability

Test: hammerhead
Bug: 32628763
Change-Id: I19a81b63fffee8f323a5925c7e8633fbd640b91c

8 years agoCorrect overflow check in Parcel resize code
Christopher Tate [Thu, 3 Nov 2016 20:32:41 +0000 (13:32 -0700)]
Correct overflow check in Parcel resize code

Bug 31929765

Change-Id: Ie27b9945f1de056624668869bdf9a5578abff467

8 years agoFix SF security vulnerability: 32660278
Fabien Sanglard [Tue, 8 Nov 2016 23:31:32 +0000 (15:31 -0800)]
Fix SF security vulnerability: 32660278

Because of lack of mutex lock when get mSidebandStream, if one thread
getSidebandStream, another thread setSidebandStream frequently, an UAF
will be triggered.

Bug: 32660278
Test: Marlin device with poc
Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45

8 years agoServiceManager: Allow system services running as secondary users to add services
Arve Hjønnevåg [Thu, 18 Aug 2016 22:42:35 +0000 (15:42 -0700)]
ServiceManager: Allow system services running as secondary users to add services

This should be reverted when all system services have been cleaned up to not
do this. A process looking up a service while running in the background will
see the service registered by the active user (assuming the service is
registered on every user switch), not the service registered by the user that
the process itself belongs to.

BUG: 30795333
Change-Id: I1b74d58be38ed358f43c163692f9e704f8f31dbe

8 years agoDO NOT MERGE ServiceManager: Restore basic uid check
Arve Hjønnevåg [Mon, 1 Aug 2016 23:05:17 +0000 (16:05 -0700)]
DO NOT MERGE ServiceManager: Restore basic uid check

Prevent apps from registering services without relying on selinux checks.

Bug: 29431260

Change-Id: I38c6e8bc7f7cba1cbd3568e8fed1ae7ac2054a9b

8 years agoAdd FrameStats default constructor
Pablo Ceballos [Thu, 26 May 2016 22:35:55 +0000 (15:35 -0700)]
Add FrameStats default constructor

Bug 28592402

Change-Id: I857e46c9ab3ffae0d96923d665d13a4128a6cafa

8 years agoCorrectly handle dup() failure in Parcel::readNativeHandle am: 1de7966c72 am: 275c9f60f9
Marco Nelissen [Mon, 9 May 2016 20:54:25 +0000 (20:54 +0000)]
Correctly handle dup() failure in Parcel::readNativeHandle am: 1de7966c72 am: 275c9f60f9
am: 853702ce3d

* commit '853702ce3d1ba5e45ce58f332ed1d40008a44375':
  Correctly handle dup() failure in Parcel::readNativeHandle

Change-Id: I2b8f6070ecc873d67be5a4c72ca870606af93a3d

8 years agoCorrectly handle dup() failure in Parcel::readNativeHandle am: 1de7966c72
Marco Nelissen [Mon, 9 May 2016 20:48:32 +0000 (20:48 +0000)]
Correctly handle dup() failure in Parcel::readNativeHandle am: 1de7966c72
am: 275c9f60f9

* commit '275c9f60f94780bd686eca9750ec41cc1fafa333':
  Correctly handle dup() failure in Parcel::readNativeHandle

Change-Id: I6516dea7eac82d06e1ffd1d269dbb6415fece948

8 years agoCorrectly handle dup() failure in Parcel::readNativeHandle
Marco Nelissen [Mon, 9 May 2016 20:43:16 +0000 (20:43 +0000)]
Correctly handle dup() failure in Parcel::readNativeHandle
am: 1de7966c72

* commit '1de7966c72981aebc3c7f9978ab129678ac89258':
  Correctly handle dup() failure in Parcel::readNativeHandle

Change-Id: Ie043622a17b241c489429273d369e9a478b7ebcc

8 years agoCorrectly handle dup() failure in Parcel::readNativeHandle
Marco Nelissen [Tue, 26 Apr 2016 15:44:09 +0000 (08:44 -0700)]
Correctly handle dup() failure in Parcel::readNativeHandle

bail out if dup() fails, instead of creating an invalid native_handle_t

Bug: 28395952

Change-Id: Ia1a6198c0f45165b9c6a55a803e5f64d8afa0572

8 years agoFix issue #27252896: Security Vulnerability -- weak binder am: 41e7b17
Dianne Hackborn [Wed, 23 Mar 2016 22:15:19 +0000 (22:15 +0000)]
Fix issue #27252896: Security Vulnerability -- weak binder am: 41e7b17
am: 74d2c4b  -s ours

* commit '74d2c4b4c97dbbcf43a9f8870007593d61beb547':
  Fix issue #27252896: Security Vulnerability -- weak binder

8 years agoFix issue #27252896: Security Vulnerability -- weak binder
Dianne Hackborn [Wed, 23 Mar 2016 22:07:32 +0000 (22:07 +0000)]
Fix issue #27252896: Security Vulnerability -- weak binder
am: 41e7b17

* commit '41e7b1780f106d2eb4304b1f9cf060ce44177cae':
  Fix issue #27252896: Security Vulnerability -- weak binder

8 years agoFix issue #27252896: Security Vulnerability -- weak binder
Dianne Hackborn [Mon, 21 Mar 2016 17:36:54 +0000 (10:36 -0700)]
Fix issue #27252896: Security Vulnerability -- weak binder

Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object.  We need to try to
safely promote to a strong reference first.

Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(manually cherry picked and resolved conflicts from commit
c11146106f94e07016e8e26e4f8628f9a0c73199)

8 years agoFix issue #27252896: Security Vulnerability -- weak binder
Dianne Hackborn [Mon, 21 Mar 2016 17:36:54 +0000 (10:36 -0700)]
Fix issue #27252896: Security Vulnerability -- weak binder

Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object.  We need to try to
safely promote to a strong reference first.

Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)

8 years agoMerge "DO NOT MERGE BQ: fix some uninitialized variables" into klp-dev am: b4eac74
Pablo Ceballos [Fri, 18 Mar 2016 18:03:50 +0000 (18:03 +0000)]
Merge "DO NOT MERGE BQ: fix some uninitialized variables" into klp-dev am: b4eac74
am: dc5d0f4  -s ours

* commit 'dc5d0f46de1f8a800b3af340ca57278989df151a':
  DO NOT MERGE BQ: fix some uninitialized variables

8 years agoMerge "DO NOT MERGE BQ: fix some uninitialized variables" into klp-dev
Pablo Ceballos [Fri, 18 Mar 2016 18:01:32 +0000 (18:01 +0000)]
Merge "DO NOT MERGE BQ: fix some uninitialized variables" into klp-dev
am: b4eac74

* commit 'b4eac742c9e3f0238d5d03b237b2038df885ed2c':
  DO NOT MERGE BQ: fix some uninitialized variables

8 years agoMerge "DO NOT MERGE BQ: fix some uninitialized variables" into klp-dev
Pablo Ceballos [Fri, 18 Mar 2016 17:52:55 +0000 (17:52 +0000)]
Merge "DO NOT MERGE BQ: fix some uninitialized variables" into klp-dev

8 years agoDO NOT MERGE BQ: fix some uninitialized variables
Pablo Ceballos [Wed, 16 Mar 2016 01:10:49 +0000 (18:10 -0700)]
DO NOT MERGE BQ: fix some uninitialized variables

Bug 27555981
Bug 27556038

Change-Id: I436b6fec589677d7e36c0e980f6e59808415dc0e

8 years agoBQ: fix some uninitialized variables
Pablo Ceballos [Wed, 16 Mar 2016 01:10:49 +0000 (18:10 -0700)]
BQ: fix some uninitialized variables

Bug 27555981
Bug 27556038

Change-Id: I436b6fec589677d7e36c0e980f6e59808415dc0e

8 years agoDO NOT MERGE Add SN logging am: 24cd2b9627
Pablo Ceballos [Tue, 23 Feb 2016 00:40:58 +0000 (00:40 +0000)]
DO NOT MERGE Add SN logging am: 24cd2b9627
am: ec7538a254  -s ours

* commit 'ec7538a254f283afc7b046aa8ca2fe908d4e3b0c':
  DO NOT MERGE Add SN logging

8 years agoDO NOT MERGE Add SN logging
Pablo Ceballos [Tue, 23 Feb 2016 00:34:17 +0000 (00:34 +0000)]
DO NOT MERGE Add SN logging
am: 24cd2b9627

* commit '24cd2b96279ac29b936ba09ed708b1bcb922d04c':
  DO NOT MERGE Add SN logging

8 years agoDO NOT MERGE Add SN logging
Pablo Ceballos [Sat, 20 Feb 2016 19:30:43 +0000 (11:30 -0800)]
DO NOT MERGE Add SN logging

Bug 27046057

Change-Id: I942876c09fdbe841c19807e463f5426287e07803

8 years agoAdd SN logging
Pablo Ceballos [Sat, 20 Feb 2016 19:26:13 +0000 (11:26 -0800)]
Add SN logging

Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27

8 years agoMerge "DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump" into klp...
Pablo Ceballos [Sat, 20 Feb 2016 00:00:50 +0000 (00:00 +0000)]
Merge "DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump" into klp-dev am: c232606413
am: 1d0e811e5a  -s ours

* commit '1d0e811e5ac853669fe96370e499428049a5b7ee':
  DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump

8 years agoMerge "DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump" into klp-dev
Pablo Ceballos [Fri, 19 Feb 2016 23:54:34 +0000 (23:54 +0000)]
Merge "DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump" into klp-dev
am: c232606413

* commit 'c2326064136adb834d12c3fed47af5d66cd42c15':
  DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump

8 years agoMerge "BQ: Add permission check to BufferQueueConsumer::dump" into lmp-dev
Pablo Ceballos [Fri, 19 Feb 2016 23:39:53 +0000 (23:39 +0000)]
Merge "BQ: Add permission check to BufferQueueConsumer::dump" into lmp-dev

8 years agoMerge "DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump" into klp-dev
Pablo Ceballos [Fri, 19 Feb 2016 23:39:36 +0000 (23:39 +0000)]
Merge "DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump" into klp-dev

8 years agoSanity check IMemory access versus underlying mmap am: 94b0d4e3ab
Christopher Tate [Wed, 17 Feb 2016 18:44:11 +0000 (18:44 +0000)]
Sanity check IMemory access versus underlying mmap am: 94b0d4e3ab
am: ef6908e2b3

* commit 'ef6908e2b3e6ee6514620acc338b458ade7c3640':
  Sanity check IMemory access versus underlying mmap

8 years agoSanity check IMemory access versus underlying mmap
Christopher Tate [Wed, 17 Feb 2016 18:37:52 +0000 (18:37 +0000)]
Sanity check IMemory access versus underlying mmap
am: 94b0d4e3ab

* commit '94b0d4e3ab023cfa03a7a4e85f3e09d3743da715':
  Sanity check IMemory access versus underlying mmap

8 years agoSanity check IMemory access versus underlying mmap
Christopher Tate [Sat, 6 Feb 2016 03:02:56 +0000 (19:02 -0800)]
Sanity check IMemory access versus underlying mmap

Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe

8 years agoBQ: Add permission check to BufferQueueConsumer::dump
Pablo Ceballos [Fri, 12 Feb 2016 02:01:49 +0000 (18:01 -0800)]
BQ: Add permission check to BufferQueueConsumer::dump

Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e

8 years agoDO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump
Pablo Ceballos [Fri, 12 Feb 2016 03:15:35 +0000 (19:15 -0800)]
DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump

Bug 27046057
Change-Id: I387178708f460596433f75bb059854a26cc22e78

9 years agoIGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37
Robert Shih [Fri, 15 Jan 2016 01:38:56 +0000 (01:38 +0000)]
IGraphicBufferProducer: fix QUEUE_BUFFER info leak am: d06421fd37
am: 413318311c

* commit '413318311c8cc356dd7e0837ce26e937a9f4c56a':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak

9 years agoIGraphicBufferProducer: fix QUEUE_BUFFER info leak
Robert Shih [Fri, 15 Jan 2016 01:27:23 +0000 (01:27 +0000)]
IGraphicBufferProducer: fix QUEUE_BUFFER info leak
am: d06421fd37

* commit 'd06421fd37fbb7fd07002e6738fac3a223cb1a62':
  IGraphicBufferProducer: fix QUEUE_BUFFER info leak

9 years agoIGraphicBufferProducer: fix QUEUE_BUFFER info leak
Robert Shih [Mon, 11 Jan 2016 23:02:12 +0000 (15:02 -0800)]
IGraphicBufferProducer: fix QUEUE_BUFFER info leak

Bug: 26338109
Change-Id: I8a979469bfe1e317ebdefa43685e19f9302baea8

9 years agoIGraphicBufferConsumer: fix ATTACH_BUFFER info leak
Robert Shih [Mon, 11 Jan 2016 19:42:48 +0000 (11:42 -0800)]
IGraphicBufferConsumer: fix ATTACH_BUFFER info leak

Bug: 26338113
Change-Id: I019c4df2c6adbc944122df96968ddd11a02ebe33

9 years agoDO NOT MERGE: fix build try #2 am: 778b6f4902
Nick Kralevich [Fri, 23 Oct 2015 04:19:51 +0000 (04:19 +0000)]
DO NOT MERGE: fix build try #2 am: 778b6f4902
am: 034bc1799c  -s ours

* commit '034bc1799cbbc4184aa507eba181573c0a3b9b35':
  DO NOT MERGE: fix build try #2

9 years agoDO NOT MERGE: fix build try #2
Nick Kralevich [Fri, 23 Oct 2015 04:15:21 +0000 (04:15 +0000)]
DO NOT MERGE: fix build try #2
am: 778b6f4902

* commit '778b6f4902ad824d5fc62071caaa837bb47deee5':
  DO NOT MERGE: fix build try #2

9 years agoresolve merge conflicts of 834ac204ce to klp-modular-dev.
Nick Kralevich [Fri, 23 Oct 2015 01:44:26 +0000 (01:44 +0000)]
resolve merge conflicts of 834ac204ce to klp-modular-dev.
am: 7f1ea80d65

* commit '7f1ea80d65996ab687ff56a884da915535cdc176':
  DO NOT MERGE: fix build breakage

9 years agoresolve merge conflicts of 834ac204ce to klp-modular-dev.
Nick Kralevich [Fri, 23 Oct 2015 00:26:19 +0000 (17:26 -0700)]
resolve merge conflicts of 834ac204ce to klp-modular-dev.

Bug: 23905002
Change-Id: Ic7262861af91a8fff27692c0f68761cb3ab12aa3

9 years agoDO NOT MERGE: fix build try #2
Nick Kralevich [Thu, 22 Oct 2015 21:48:50 +0000 (14:48 -0700)]
DO NOT MERGE: fix build try #2

On klp-dev, UINT16_MAX isn't available unless __STDINT_LIMITS
is defined, which it's not for this code. This isn't relevant
for later branches due to bionic commit
e2a292d278b94fec3d078b1f1b27c1f89942c276

Don't use UINT16_MAX when we can just hardcode 65535.

Bug: 23905002
Change-Id: Ia1fd0f749cb7a4d19866075abc28ed6960424e54

9 years agoDO NOT MERGE: fix build breakage
Nick Kralevich [Thu, 22 Oct 2015 14:09:23 +0000 (07:09 -0700)]
DO NOT MERGE: fix build breakage

fix klp-dev only build breakage.

  frameworks/native/libs/input/Input.cpp: In member function 'android::status_t android::MotionEvent::readFromParcel(android::Parcel*)':
  frameworks/native/libs/input/Input.cpp:494:47: error: 'UINT16_MAX' was not declared in this scope

Bug: 23905002
Change-Id: I4b6b864ca64d39a8873d045a61e0ddaea2ab9109

9 years agoadd number constraint for samples per MotionEvent am: 5d17838ade
Flanker [Thu, 22 Oct 2015 02:04:55 +0000 (02:04 +0000)]
add number constraint for samples per MotionEvent am: 5d17838ade
am: 72c8ca4a01

* commit '72c8ca4a0191827fd3265c0820b685a6cf420be1':
  add number constraint for samples per MotionEvent

9 years agoadd number constraint for samples per MotionEvent
Flanker [Thu, 22 Oct 2015 02:02:46 +0000 (02:02 +0000)]
add number constraint for samples per MotionEvent
am: 5d17838ade

* commit '5d17838adef13062717322e79d4db0b9bb6b2395':
  add number constraint for samples per MotionEvent

9 years agoadd number constraint for samples per MotionEvent
Flanker [Mon, 7 Sep 2015 07:28:58 +0000 (15:28 +0800)]
add number constraint for samples per MotionEvent

Bug:23905002

Signed-off-by: Adam Lesinski <adamlesinski@google.com>
(cherry picked from commit 552a8a5d8df32f659b8d11311a244cdc6d3b7733)

Change-Id: I9b7ea859889b7697bee4165a2746602212120543

9 years agoam e2c4f4fb: am c1e6fbb5: Initialize local variables to avoid data leak
Naveen Leekha [Thu, 24 Sep 2015 22:04:48 +0000 (22:04 +0000)]
am e2c4f4fb: am c1e6fbb5: Initialize local variables to avoid data leak

* commit 'e2c4f4fb8b34e36a4f2760f3812c942604cabfb6':
  Initialize local variables to avoid data leak

9 years agoam c1e6fbb5: Initialize local variables to avoid data leak
Naveen Leekha [Thu, 24 Sep 2015 22:00:13 +0000 (22:00 +0000)]
am c1e6fbb5: Initialize local variables to avoid data leak

* commit 'c1e6fbb52c3f85cc7610d1d07d12be38f70b4ed4':
  Initialize local variables to avoid data leak

9 years agoInitialize local variables to avoid data leak
Naveen Leekha [Wed, 23 Sep 2015 01:04:44 +0000 (18:04 -0700)]
Initialize local variables to avoid data leak

The uninitialized local variables pick up
whatever the memory content was there on stack.
This data gets sent to the remote process in
case of a failed transaction, which is a security
issue. Fixed.

(Partial manual merge of master change
 12ba0f57d028a9c8f4eb3afddc326b70677d1e0c. Rest
 to automerge from klp-dev)

For b/23696300

Change-Id: I704c9fab327b3545c58e8a9a96ac542eb7469c2a

9 years agoInitialize local variables to avoid data leak
Naveen Leekha [Wed, 23 Sep 2015 00:58:21 +0000 (17:58 -0700)]
Initialize local variables to avoid data leak

The uninitialized local variables pick up
whatever the memory content was there on stack.
This data gets sent to the remote process in
case of a failed transaction, which is a security
issue. Fixed.

(Manual merge of master change
 12ba0f57d028a9c8f4eb3afddc326b70677d1e0c )

For b/23696300

Change-Id: I665212d10da56f0803b5bb772d14c77e632ba2ab

9 years agoam dc3d6af9: am bb686c25: Disregard alleged binder entities beyond parcel bounds
Christopher Tate [Thu, 2 Jul 2015 01:42:09 +0000 (01:42 +0000)]
am dc3d6af9: am bb686c25: Disregard alleged binder entities beyond parcel bounds

* commit 'dc3d6af97d521678981c773ad9f4e1da088d7870':
  Disregard alleged binder entities beyond parcel bounds

9 years agoam bb686c25: Disregard alleged binder entities beyond parcel bounds
Christopher Tate [Thu, 2 Jul 2015 01:31:09 +0000 (01:31 +0000)]
am bb686c25: Disregard alleged binder entities beyond parcel bounds

* commit 'bb686c25b214edadd1830abd056db2d570d716ff':
  Disregard alleged binder entities beyond parcel bounds

9 years agoDisregard alleged binder entities beyond parcel bounds
Christopher Tate [Thu, 28 May 2015 00:53:02 +0000 (17:53 -0700)]
Disregard alleged binder entities beyond parcel bounds

When appending one parcel's contents to another, ignore binder
objects within the source Parcel that appear to lie beyond the
formal bounds of that Parcel's data buffer.

Bug 17312693

Change-Id: If592a260f3fcd9a56fc160e7feb2c8b44c73f514
(cherry picked from commit 27182be9f20f4f5b48316666429f09b9ecc1f22e)

9 years agoDisregard alleged binder entities beyond parcel bounds
Christopher Tate [Thu, 28 May 2015 00:53:02 +0000 (17:53 -0700)]
Disregard alleged binder entities beyond parcel bounds

When appending one parcel's contents to another, ignore binder
objects within the source Parcel that appear to lie beyond the
formal bounds of that Parcel's data buffer.

Bug 17312693

Change-Id: If592a260f3fcd9a56fc160e7feb2c8b44c73f514
(cherry picked from commit 27182be9f20f4f5b48316666429f09b9ecc1f22e)

9 years agoam 9004e7f5: am 4ff0cb44: Verify that the native handle was created
Adam Lesinski [Thu, 28 May 2015 20:40:46 +0000 (20:40 +0000)]
am 9004e7f5: am 4ff0cb44: Verify that the native handle was created

* commit '9004e7f5516c5b4a1b4178fa6a8bb4b3ca4ddcd0':
  Verify that the native handle was created

9 years agoam 4ff0cb44: Verify that the native handle was created
Adam Lesinski [Thu, 28 May 2015 20:26:02 +0000 (20:26 +0000)]
am 4ff0cb44: Verify that the native handle was created

* commit '4ff0cb4404db31576cd8a81ca5ef3b044d492904':
  Verify that the native handle was created

9 years agoVerify that the native handle was created
Adam Lesinski [Wed, 13 May 2015 00:35:48 +0000 (17:35 -0700)]
Verify that the native handle was created

The inputs to native_handle_create can cause an overflowed allocation,
so check the return value of native_handle_create before accessing
the memory it returns.

Bug:19334482
Change-Id: I1f489382776c2a1390793a79dc27ea17baa9b2a2
(cherry picked from commit eaac99a7172da52a76ba48c26413778a74951b1a)

9 years agoam dc2d031a: am da9fd70d: am 2758eb2e: am fde92eb0: Update maxNumber to be smaller.
Michael Lentine [Thu, 19 Feb 2015 00:32:42 +0000 (00:32 +0000)]
am dc2d031a: am da9fd70d: am 2758eb2e: am fde92eb0: Update maxNumber to be smaller.

* commit 'dc2d031a7ee05725ad3d8cab4887d6c7a4063967':
  Update maxNumber to be smaller.

9 years agoam da9fd70d: am 2758eb2e: am fde92eb0: Update maxNumber to be smaller.
Michael Lentine [Thu, 19 Feb 2015 00:25:34 +0000 (00:25 +0000)]
am da9fd70d: am 2758eb2e: am fde92eb0: Update maxNumber to be smaller.

* commit 'da9fd70de125b0e6df4fb6285f538be9133c7b22':
  Update maxNumber to be smaller.

9 years agoam 2758eb2e: am fde92eb0: Update maxNumber to be smaller.
Michael Lentine [Thu, 19 Feb 2015 00:15:40 +0000 (00:15 +0000)]
am 2758eb2e: am fde92eb0: Update maxNumber to be smaller.

* commit '2758eb2e67d935cf1f04e3d713438c6ac7fe8b89':
  Update maxNumber to be smaller.

9 years agoam fde92eb0: Update maxNumber to be smaller.
Michael Lentine [Thu, 19 Feb 2015 00:10:11 +0000 (00:10 +0000)]
am fde92eb0: Update maxNumber to be smaller.

* commit 'fde92eb0ffcc37106d5fe85bf1f1ba30d8639d17':
  Update maxNumber to be smaller.

9 years agoUpdate maxNumber to be smaller.
Michael Lentine [Wed, 18 Feb 2015 18:14:18 +0000 (10:14 -0800)]
Update maxNumber to be smaller.

There shouldn't be more than 4096 fds (probably signficantly smaller) and
there shouldn't be more than 4096 ints.

Bug: 18076253

Change-Id: I3a3e50ee3078a4710e9737114e65afc923ed0573

10 years agoresolved conflicts for merge of d6308379 to lmp-dev
Michael Lentine [Tue, 2 Dec 2014 19:15:56 +0000 (11:15 -0800)]
resolved conflicts for merge of d6308379 to lmp-dev

Change-Id: I92ed61b6fdfe458cf5f8bfd6f0b37ff736280500

10 years agoam 76ebd319: am 3d89edca: am e6f7a44e: Fix for corruption when numFds or numInts...
Michael Lentine [Tue, 2 Dec 2014 18:04:09 +0000 (18:04 +0000)]
am 76ebd319: am 3d89edca: am e6f7a44e: Fix for corruption when numFds or numInts is too large.

* commit '76ebd319d96494049a2a598f4449c0ec417220f6':
  Fix for corruption when numFds or numInts is too large.

10 years agoam 3d89edca: am e6f7a44e: Fix for corruption when numFds or numInts is too large.
Michael Lentine [Tue, 2 Dec 2014 17:52:00 +0000 (17:52 +0000)]
am 3d89edca: am e6f7a44e: Fix for corruption when numFds or numInts is too large.

* commit '3d89edca65e07319c9ac3b9bb9889e80e8c40578':
  Fix for corruption when numFds or numInts is too large.

10 years agoam e6f7a44e: Fix for corruption when numFds or numInts is too large.
Michael Lentine [Tue, 2 Dec 2014 17:45:44 +0000 (17:45 +0000)]
am e6f7a44e: Fix for corruption when numFds or numInts is too large.

* commit 'e6f7a44e835d320593fa33052f35ea52948ff0b2':
  Fix for corruption when numFds or numInts is too large.

10 years agoFix for corruption when numFds or numInts is too large.
Michael Lentine [Fri, 31 Oct 2014 22:25:03 +0000 (15:25 -0700)]
Fix for corruption when numFds or numInts is too large.

Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6

10 years agosurfaceflinger: don't close fence fds after passing to queueBuffer
Jesse Hall [Tue, 21 Oct 2014 18:09:17 +0000 (11:09 -0700)]
surfaceflinger: don't close fence fds after passing to queueBuffer

ANativeWindow::queueBuffer takes ownership of the fence fd passed to
it, and will close it before returning. SurfaceFlinger's screenshot
code was also closing the syncFd it passed to queueBuffer. Most of the
time this meant the second close() silently failed, but in a rare race
condition the file descriptor could be reused between the two
close()s.

Bug: 17946343
Change-Id: Ib74fcb1dce52cc21328059c99b7c4c76f41aa3a5

10 years agoMerge "bufferqueue: workaround: allow NULL fence with queueBuffer (DO NOT MERGE)...
Jesse Hall [Mon, 20 Oct 2014 13:59:24 +0000 (13:59 +0000)]
Merge "bufferqueue: workaround: allow NULL fence with queueBuffer (DO NOT MERGE)" into lmp-dev

10 years agoAdd version number to SensorService dump output.
Aravind Akella [Sat, 18 Oct 2014 23:37:13 +0000 (16:37 -0700)]
Add version number to SensorService dump output.

Change-Id: I64f9482ade523ec3fafe14bff14db7196e32413f

10 years agobufferqueue: workaround: allow NULL fence with queueBuffer (DO NOT MERGE)
Jesse Hall [Sun, 19 Oct 2014 04:47:04 +0000 (21:47 -0700)]
bufferqueue: workaround: allow NULL fence with queueBuffer (DO NOT MERGE)

On one device there is a bug, not yet root-caused, that causes fence
fds to not make it across binder from producer to consumer in the
IGraphicBufferProducer::queueBuffer call. Rather than returning an
error, which the producer typically treats as a fatal error, this
change allows the buffer to be queued with no fence. This avoids an
application crash at the risk of (likely single-frame) visible
corruption.

Bug: 17946343
Change-Id: I9ca89f94098c455e1e90f5f58d5336c936b04a9c

10 years agoMigrate CA certificates to all users
Robin Lee [Tue, 7 Oct 2014 15:55:02 +0000 (16:55 +0100)]
Migrate CA certificates to all users

Copies the /data/misc/keychain/cacert-* directories to all users on
the device, whereas previously they were simply copied to user 0.

This is a shallow copy so anything that wasn't supposed to be there
will disappear.

Bug: 17811821
Change-Id: Iae5909ab8d5efdb83c9c8fdf0e10ab7060d022cc

10 years agomedia: add kMetadataBufferTypeGraphicBuffer
Lajos Molnar [Tue, 14 Oct 2014 05:56:09 +0000 (22:56 -0700)]
media: add kMetadataBufferTypeGraphicBuffer

Bug: 17935149
Change-Id: I1c26d1e83d8fa0a9ccdb25f6f3b19a86b1dc6f37

10 years agoImprove ANR diagnostics.
Jeff Brown [Sat, 11 Oct 2014 02:01:34 +0000 (19:01 -0700)]
Improve ANR diagnostics.

Print more details about the exact reason that an ANR has occurred.
Also start checking that the window actually has a registered
input connection that is not in a broken state.  These windows
are supposed to be cleaned up by the window manager promptly
as if the app had crashed but the pattern of ANRs we are observing
suggests that broken windows might be sticking around longer than
they should.

Bug: 17721767
Change-Id: Ie2803a3fa9642381ecadc198fec15e1b70d93c20

10 years agoFix broken error check in Parcel::readBlob
Narayan Kamath [Wed, 8 Oct 2014 16:35:45 +0000 (17:35 +0100)]
Fix broken error check in Parcel::readBlob

mmap returns MAP_FAILED (which is -1) and not NULL on
failure.

Diagnosed by cferris.

bug: 17909809

Change-Id: I609788ebf94742ef88af002d2d3f3bc9b9e520ac

10 years agoChange ordering of memory allocation and calling Thread::run().
Aravind Akella [Tue, 7 Oct 2014 21:13:12 +0000 (14:13 -0700)]
Change ordering of memory allocation and calling Thread::run().

In some cases this is causing a crash as device.poll is called with
NULL.

Bug: 17896339
Change-Id: Id431599f2c661338c355c7081b6602f8449a9198

10 years agoMerge "Parcel: extra validation/debug code for writeDupFileDescriptor" into lmp-dev
Jesse Hall [Mon, 6 Oct 2014 22:36:53 +0000 (22:36 +0000)]
Merge "Parcel: extra validation/debug code for writeDupFileDescriptor" into lmp-dev

10 years agoParcel: extra validation/debug code for writeDupFileDescriptor
Jesse Hall [Mon, 6 Oct 2014 16:49:45 +0000 (09:49 -0700)]
Parcel: extra validation/debug code for writeDupFileDescriptor

Temporary extra debug validation for b/17477219: a Parcel recipient is
getting a positive but invalid fd unexpectedly. Trying to track down
where it's coming from.

Debug code for bug: 17477219
Change-Id: Idb1e71621025a3928c7adc88fd44790e1abd2a01

10 years agoMerge "Fix sockfd leakage in SensorService." into lmp-dev
Aravind Akella [Fri, 3 Oct 2014 21:45:36 +0000 (21:45 +0000)]
Merge "Fix sockfd leakage in SensorService." into lmp-dev

10 years agoGenerate the SurfaceFlinger shader cache on initialization
Riley Andrews [Mon, 29 Sep 2014 20:29:40 +0000 (13:29 -0700)]
Generate the SurfaceFlinger shader cache on initialization

Blobcache is not yet enabled for surfaceflinger (as it should be).
As a temporary workaround, generate all needed shaders during
surfaceflinger initialization instead of doing the compilation
on-demand during ui transitions.

Change-Id: I14455b20a3f85f177d85c9c8b76d8ccc35379b39

10 years agoFix sockfd leakage in SensorService.
Aravind Akella [Mon, 29 Sep 2014 00:52:41 +0000 (17:52 -0700)]
Fix sockfd leakage in SensorService.

i) Call removeFd() only if the fd in the BitTube has been
previously added to the Looper. Use a flag to determine whether the fd
has been previously added or not.
ii) Increment mPendingFlushEventsToSend after holding a connectionLock.
iii) Store the number of acks that are pending in SensorEventQueue
 and send them all at once.

Bug: 17472228
Change-Id: I1ec834fea1112a9cfbd9cddd2198438793698502

10 years agoMerge "Surface: cancel the dequeued buffer when requestBuffer fails" into lmp-dev
Jesse Hall [Thu, 2 Oct 2014 23:11:08 +0000 (23:11 +0000)]
Merge "Surface: cancel the dequeued buffer when requestBuffer fails" into lmp-dev

10 years agoMerge "add OMX_VIDEO_AVCLevel52 constant" into lmp-dev
Lajos Molnar [Thu, 2 Oct 2014 22:44:30 +0000 (22:44 +0000)]
Merge "add OMX_VIDEO_AVCLevel52 constant" into lmp-dev

10 years agoMerge "Add more logging for dup(fd) failure" into lmp-dev
Michael Lentine [Thu, 2 Oct 2014 19:01:09 +0000 (19:01 +0000)]
Merge "Add more logging for dup(fd) failure" into lmp-dev

10 years agoSurface: cancel the dequeued buffer when requestBuffer fails
Jesse Hall [Thu, 2 Oct 2014 18:09:03 +0000 (11:09 -0700)]
Surface: cancel the dequeued buffer when requestBuffer fails

Partial fix for bug: 17477219
Change-Id: Ibf5a9e26e02c4be8854925a77a70f5c9c7dcf6f2

10 years agoAdd more logging for dup(fd) failure
Michael Lentine [Thu, 2 Oct 2014 16:11:04 +0000 (09:11 -0700)]
Add more logging for dup(fd) failure

Bug: 17477219
Change-Id: Ide0ae16d777c9af783023c705c18a93c00999147

10 years agoadd OMX_VIDEO_AVCLevel52 constant
Lajos Molnar [Thu, 2 Oct 2014 04:49:18 +0000 (21:49 -0700)]
add OMX_VIDEO_AVCLevel52 constant

Bug: 17676461
Change-Id: I120041e9b2ffe2a232a2419bcb5fe88cb49961cb