author | Sally Qi <sallyqi@google.com> | 2023-01-24 00:22:31 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-01-24 00:22:31 +0000 |
commit | e3ae4f39f6a15ffb6f0972c051aa7435e812ecad (patch) | |
tree | 20a402c60f53eb2e483c708865960a3f09f23ffe | |
parent | fbceef032950b5917ac701ec4283afd0e668cba1 (diff) | |
parent | 8b172cefcbcb3856d623844f8bdffb7d9cd6a7c4 (diff) | |
Mitigate the security vulnerability by sanitizing the transaction flags. am: 3ea58dbc1d am: 8b172cefcb
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/native/+/20886664
Change-Id: I3831739ed5fe30094f64400fc38e9c8a18cf7807
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | libs/gui/LayerState.cpp | 21 | ||||
-rw-r--r-- | libs/gui/include/gui/LayerState.h | 1 | ||||
-rw-r--r-- | services/surfaceflinger/SurfaceFlinger.cpp | 9 | ||||
-rw-r--r-- | services/surfaceflinger/SurfaceFlinger.h | 2 |
4 files changed, 28 insertions, 5 deletions
diff --git a/libs/gui/LayerState.cpp b/libs/gui/LayerState.cpp
index bf275a5900..9654a60310 100644
--- a/libs/gui/LayerState.cpp
+++ b/libs/gui/LayerState.cpp
@@ -391,6 +391,27 @@ void DisplayState::merge(const DisplayState& other) {
 }
 }
+void DisplayState::sanitize(int32_t permissions) {
+ if (what & DisplayState::eLayerStackChanged) {
+ if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
+ what &= ~DisplayState::eLayerStackChanged;
+ ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
+ }
+ }
+ if (what & DisplayState::eDisplayProjectionChanged) {
+ if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
+ what &= ~DisplayState::eDisplayProjectionChanged;
+ ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
+ }
+ }
+ if (what & DisplayState::eSurfaceChanged) {
+ if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
+ what &= ~DisplayState::eSurfaceChanged;
+ ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
+ }
+ }
+}
+
 void layer_state_t::sanitize(int32_t permissions) {
 // TODO: b/109894387
 //
diff --git a/libs/gui/include/gui/LayerState.h b/libs/gui/include/gui/LayerState.h
index 2a8d30d2da..e5a029b1ff 100644
--- a/libs/gui/include/gui/LayerState.h
+++ b/libs/gui/include/gui/LayerState.h
@@ -278,6 +278,7 @@ struct DisplayState {
 DisplayState();
 void merge(const DisplayState& other);
+ void sanitize(int32_t permissions);
 uint32_t what;
 sp<IBinder> token;
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 758cc705f9..2f8c03949b 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
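Review bot: The new `DisplayState::sanitize` is a deny-list — only eLayerStackChanged, eDisplayProjectionChanged and eSurfaceChanged are cleared, and every other bit an unprivileged client puts in `what` (including bits that are not a defined flag at all) passes through unchanged, so any further DisplayState field that also needs ACCESS_SURFACE_FLINGER stays unprotected unless someone remembers to extend this function; I cannot see the flag enum here, so whether such fields exist today needs checking. Declaring the privileged bits once as a mask, and stripping them in one step, keeps the policy in one place, lets a reviewer diff the mask against the enum, and removes the three copy-pasted blocks with the identical permission test. The ALOGE lines also record no caller identity; if the pid/uid is known at the call site, logging it there (or passing it in) would make stripped requests attributable in a triage. The log text below differs from the three per-flag messages, which is fine if nothing greps for them.
```cpp
void DisplayState::sanitize(int32_t permissions) {
    // Bits that only a caller holding ACCESS_SURFACE_FLINGER may set; extend this
    // mask when a new privileged DisplayState field is added.
    constexpr uint32_t kPrivilegedBits = DisplayState::eLayerStackChanged |
            DisplayState::eDisplayProjectionChanged | DisplayState::eSurfaceChanged;
    if (permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER) return;
    if (what & kPrivilegedBits) {
        ALOGE("Stripped privileged DisplayState bits 0x%x in sanitize", what & kPrivilegedBits);
        what &= ~kPrivilegedBits;
    }
}
```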
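Review bot: The new `sanitize` declaration carries no comment, and unlike its neighbour `merge` it rewrites `what` based on the caller's privilege, which a reader of the header cannot tell from the signature. A one-line comment would fix the contract and tell callers where it belongs: `// Clears from |what| the bits that require ACCESS_SURFACE_FLINGER when |permissions| lacks it; call before the state is applied.` The enclosing struct continues outside the hunk.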
@@ -3469,7 +3469,7 @@ void SurfaceFlinger::flushTransactionQueues() {
 // to prevent onHandleDestroyed from being called while the lock is held,
 // we must keep a copy of the transactions (specifically the composer
 // states) around outside the scope of the lock
- std::vector<const TransactionState> transactions;
+ std::vector<TransactionState> transactions;
 // Layer handles that have transactions with buffers that are ready to be applied.
 std::unordered_set<sp<IBinder>, ISurfaceComposer::SpHash<IBinder>> bufferLayersReadyToPresent;
 {
@@ -3533,7 +3533,7 @@ void SurfaceFlinger::flushTransactionQueues() {
 }
 // Now apply all transactions.
- for (const auto& transaction : transactions) {
+ for (auto& transaction : transactions) {
 applyTransactionState(transaction.frameTimelineInfo, transaction.states, transaction.displays, transaction.flags, transaction.inputWindowCommands, transaction.desiredPresentTime,
@@ -3753,7 +3753,7 @@ status_t SurfaceFlinger::setTransactionState(
 void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelineInfo, const Vector<ComposerState>& states,
- const Vector<DisplayState>& displays, uint32_t flags,
+ Vector<DisplayState>& displays, uint32_t flags,
 const InputWindowCommands& inputWindowCommands, const int64_t desiredPresentTime, bool isAutoTimestamp, const client_cache_t& uncacheBuffer,
@@ -3762,7 +3762,8 @@ void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelin
 const std::vector<ListenerCallbacks>& listenerCallbacks, int originPid, int originUid, uint64_t transactionId) {
 uint32_t transactionFlags = 0;
- for (const DisplayState& display : displays) {
+ for (DisplayState& display : displays) {
+ display.sanitize(permissions);
 transactionFlags |= setDisplayStateLocked(display);
 }
diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
index 74fe7d97d0..58c3b3784f 100644
--- a/services/surfaceflinger/SurfaceFlinger.h
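Review bot: The new `display.sanitize(permissions);` line is only a fix if `permissions` describes the client that originally submitted the transaction, but `permissions` is not declared anywhere in this hunk (presumably a parameter of applyTransactionState in the part of the signature that falls between the two hunks), and this function is also reached from flushTransactionQueues() on SurfaceFlinger's own thread, as the @@ -3533 hunk shows. If that value were ever derived from the calling thread at apply time rather than captured in the TransactionState when setTransactionState() received it, the queued path would sanitize against SurfaceFlinger's own privileges and the strip would be a no-op exactly where it matters; the argument list in the @@ -3533 call is cut off before the permissions argument, so please confirm it passes the stored one. Because the unsanitized DisplayState now sits in the queue until apply time, a short comment on the loop would record why the check lives here rather than at the Binder boundary: `// Sanitize at apply time so the direct and the queued path are both covered, using the originating caller's permissions.` applyTransactionState's body continues outside the hunk on both sides.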
+++ b/services/surfaceflinger/SurfaceFlinger.h
@@ -832,7 +832,7 @@ private:
 * Transactions */ void applyTransactionState(const FrameTimelineInfo& info, const Vector<ComposerState>& state,
- const Vector<DisplayState>& displays, uint32_t flags,
+ Vector<DisplayState>& displays, uint32_t flags,
 const InputWindowCommands& inputWindowCommands, const int64_t desiredPresentTime, bool isAutoTimestamp, const client_cache_t& uncacheBuffer, const int64_t postTime, |
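Review bot: `displays` is now a non-const `Vector<DisplayState>&`, so applyTransactionState mutates its caller's vector in place (each element is sanitized before it is applied), yet the declaration still reads like a plain input parameter and says nothing about that. A comment on the parameter would make the contract explicit for the next caller: `// |displays| is modified in place: privileged bits are stripped per |permissions| before the state is applied.` The declaration continues outside the hunk.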