summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-06-16Merge cherrypicks of [2420306, 2420248, 2420158, 2420321, 2420159, 2420160, ↵android-7.1.1_r58android-7.1.1_r53android-7.1.1_r49nougat-mr1-volantis-releasenougat-mr1-flounder-releaseandroid-build-team Robot
2420266, 2420284, 2420308, 2420342, 2420177, 2420195, 2420344, 2420345, 2420179, 2420324, 2420251, 2420269, 2420271, 2420325, 2420310, 2420220, 2420348, 2420291, 2420328, 2420330, 2420383, 2420331, 2420255, 2420296, 2420278, 2420229, 2420335] into nyc-mr1-volantis-release Change-Id: Id96a57cd611bbf4b646783c10c130830f82212a9
2017-06-16fix race condition that can cause a use after freeMathias Agopian
Backported from 12a0ccd6f7201bac706d903ac3f436c4358fe203. Bug: 33004354 Test: manual Change-Id: I9b38ee644b02268c9b995a330db758aa2e568399 (cherry picked from commit 59485525a6047453e6ba16c03989381e2a0d56ec)
2017-05-31Merge cherrypicks of [2337407, 2337461, 2337391, 2337257, 2337318, 2337340, ↵android-7.1.1_r46android-build-team Robot
2337423, 2337481, 2337412, 2337521, 2337413, 2337426, 2337414, 2337415, 2337523, 2337502, 2337503, 2337524, 2337463, 2337483, 2337417, 2337427, 2337561, 2337464, 2337581, 2337484, 2337525, 2337526, 2337527, 2337394, 2337562, 2337528, 2337504, 2337563, 2337565, 2337584, 2337602, 2337530, 2337585, 2337532, 2337487, 2337396, 2337505, 2337432, 2337603, 2337604, 2337534, 2337536, 2337508, 2337606] into nyc-mr1-volantis-release Change-Id: I7b3418078c92672d361ec160a0a3ac8956929dff
2017-05-31libgui: check for invalid slot in attachBufferChia-I Wu
Bug: 37478824 Test: manual Change-Id: I369337d53539bf7f7e3d925bccdae4045da1b404 (cherry picked from commit c79a29689c1046f1f0301c75df9b9a67cba8bf04)
2017-05-31libgui: Check slot received from IGBP in SurfaceDan Stoza
Checks that the slot number received from mGraphicBufferProducer in Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to protect against a malicious BnGraphicBufferProducer. Bug: 36991414 Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa (cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)
2017-05-31ui: Fix bad size check in Fence::unflattenChris Forbes
Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc. Test: Boot device, run poc from bug, observe no longer crashes Bug: 37285689 Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad (cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)
2017-02-22Fix security vulnerabilityandroid-7.1.1_r43android-7.1.1_r41android-7.1.1_r39android-7.1.1_r33android-7.1.1_r32android-7.1.1_r31Fabien Sanglard
Change-Id: I4c9ea3a3177131fa29d2561da71ef18bec3af108 Test: angler, marlin Bug: 32628763 (cherry picked from commit 45b202513ba7440beaefbf9928f73fb6683dcfbd)
2016-12-14Fix security vulneratibly 31960359android-7.1.1_r24android-7.1.1_r15android-7.1.1_r14Fabien Sanglard
BufferQueueCore features a variable mLastQueuedSlot which is not initialized in its constructor resulting in security vulnerability Bug: 31960359 Change-Id: If892f59f6288d8b81b1e312995832a20c8341494 Tests: Manually on Angler (cherry picked from commit dffa078205f6b6c17e24214928f642393423e081)
2016-12-14Fix SF security vulnerability: 32706020Fabien Sanglard
Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered. Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65 Test: Marling with poc provided in bug report. Bug: 32706020 (cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
2016-12-08Correct overflow check in Parcel resize codeChristopher Tate
Fix merge conflict into nyc-mr1-security-a-release Bug 31929765 Change-Id: Ie27b9945f1de056624668869bdf9a5578abff467
2016-11-30Fix SF security vulnerability: 32660278android-7.1.1_r12android-7.1.1_r11android-7.1.1_r10Fabien Sanglard
Because of lack of mutex lock when get mSidebandStream, if one thread getSidebandStream, another thread setSidebandStream frequently, an UAF will be triggered. Bug: 32660278 Test: Marlin device with poc Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45 (cherry picked from commit 2d8a2432e04234d9edbb3b099f9bbbaa36ad4843)
2016-11-30Fix integer overflow in unsafeReadTypedVectorCasey Dahlin
Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds. Test: Verified reproducer attached to bug no longer crashes Camera service. Bug: 31677614 Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7 (cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)
2016-10-31Check and restorecon cache/code_cache directories.android-cts_7.1_r1android-cts-7.1_r1android-7.1.1_r6android-7.1.1_r4android-7.1.1_r3android-7.1.1_r2android-7.1.1_r1Jeff Sharkey
To speed up boot times, we recently relaxed SELinux restorecon logic to only consider relabeling app storage when the top level SELinux label changed. However, if an app manually deletes either their cache or code_cache directories, installd will helpfully recreate those directories at the next boot, but they'll be stuck with incorrect SELinux labels which an app can't fix. (Our historically aggressive restorecons had relabeled them, which is why we didn't observe until now.) This change checks the labels of the cache/code_cache directories, and runs a restorecon if needed, fixing the issue above. Test: delete cache and verify recreated with correct label Bug: 32504081 Change-Id: I0114ae4129223e5909b1075d56a9b1145ebc5ef4 (cherry picked from commit 397ec266753a675e6891c479971e6506491b1b44)
2016-10-26merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-10-26Merge "Do not set VR mode feature as handset default." into nyc-mr1-devnougat-mr1-devRuben Brunk
2016-10-25Revert "services: surfaceflinger: ASAN fix"Steve Pfetsch
This reverts commit 1d3df546d5ee4dcc9e7cae6f8b8b790f741539af. Original patch may have caused a stability issue caught in monkey testing. Bug: 32312240 Change-Id: Ie8d291679590e624b8b90c4786b1c25c76cb2c9f (cherry picked from commit 598f6d5429b290f33107ef678328914b99c8312e)
2016-10-25Merge "Revert "services: surfaceflinger: ASAN fix"" into nyc-mr1-devSteve Pfetsch
2016-10-25Revert "services: surfaceflinger: ASAN fix"Steve Pfetsch
This reverts commit 1d3df546d5ee4dcc9e7cae6f8b8b790f741539af. Original patch may have caused a stability issue caught in monkey testing. Bug: 32312240 Change-Id: Ie8d291679590e624b8b90c4786b1c25c76cb2c9f
2016-10-25Merge "DO NOT MERGE. Revert "Dumpstate should hold a wakelock to save bug ↵TreeHugger Robot
report time."" into nyc-mr1-dev
2016-10-25DO NOT MERGE. Revert "Dumpstate should hold a wakelock to save bug report time."Felipe Leme
This reverts commit f87959e00732d7d737527f1248a71adea99ae29d. BUG: 32402587 Fixes: 32365477 Change-Id: Ic4daec37efbaef1906450bf6609d5588d5c9a835
2016-10-24Do not set VR mode feature as handset default.Ruben Brunk
Bug: 31959453 Change-Id: I6fef6781e14f3c1239197798b79cc9239d34d53d
2016-10-23merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-10-21DO NOT MERGE. Added a is_zipping() function.Felipe Leme
BUG: 32219165 Fixes: 32335112 Change-Id: I2bc630f9c840ccd3a2e0474ed16a766e8a405ad8
2016-10-19merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-10-18services: surfaceflinger: ASAN fixSteve Pfetsch
Move layer removal to the main thread, while the display is on. Bug: 30281222 Change-Id: Id9f956c1e626819734868340e7fa12abf257b702
2016-10-12merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-10-11Move atrace init into on fs triggerWei Wang
sysfs should be ready on ealier stage than boot Bug: 32025203 Test: take systrace Change-Id: Id73b6959f3075dc793d93551963193a211060da8
2016-10-05merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-10-03Dumpstate should hold a wakelock to save bug report time. DO NOT MERGE.Wei Liu
BUG: 31828706 BUG: 30832947 Change-Id: I0a4b1fcce91caa96ccbc4e890d9968e3033487de (cherry picked from commit f87959e00732d7d737527f1248a71adea99ae29d)
2016-10-02merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-09-30Merge "Add "ip xfrm policy" to dumpstate output" into nyc-mr1-devTreeHugger Robot
2016-09-28EGL: check that display is still validJesse Hall
Bug: 31522731 Change-Id: I84d82e55aba5b58dfdbcac9e208c36767fbedfd1 (cherry picked from commit d6e9946cdd57a92c9bc86ba97a4ca42078153008)
2016-09-28EGL: check that display is still validJesse Hall
Bug: 31522731 Change-Id: I84d82e55aba5b58dfdbcac9e208c36767fbedfd1
2016-09-28Add "ip xfrm policy" to dumpstate outputErik Kline
Bug: 30869013 Change-Id: I1f0e5d820f0153484c38ecb0f9c764fca02d786c
2016-09-28merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-09-26Add socket dumps via ss to bugreports.Lorenzo Colitti
Bug: 23113288 Change-Id: I6304425f968fcb22c75c3f6e64bf7992e34e0889
2016-09-25merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-09-22Merge "Surface: Add force disconnection method." into nyc-mr1-devRob Carr
2016-09-22Recursively restorecon when SELinux label changes.Jeff Sharkey
PackageManager has been pretty aggressive about asking installd to restorecon over app data when it thinks something might have changed. However, in the vast majority of cases these are no-op requests, and we waste a bunch of time recursively walking all private data, easily costing 60+ seconds on dogfooder devices. This change updates the initial "create_app_data" command to kick off a recursive restorecon if it detects that the top-level SELinux label on the app private data directory changes. The "create_app_data" command is designed to ensure that an app's storage is ready, so PackageManager always calls it at least once per boot before apps can run. (This change means that PackageManager no longer needs to make separate "restorecon_app_data" calls.) Test: booted, verified that a label change triggered restorecon Bug: 30768146 Change-Id: I0c8d4018cf8ff888d0ae07a82adc3d61a6002aad
2016-09-18merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-09-15HWC2On1: Fall back to GLES for SolidColorDan Stoza
Even though SolidColor layers map cleanly to HWC_BACKGROUND composition in HWC1, SurfaceFlinger never used HWC_BACKGROUND, so we can't trust that HWC1 devices implemented it correctly. To preserve backwards compatibility, this changes the behavior to fall back to client composition to minimize incompatibilities with existing devices. Bug: 30479781 Change-Id: I638339062e03f2c057b3e1624e7157587ddee7ec
2016-09-14Surface: Add force disconnection method.Robert Carr
Add a new method forceScopedDisconnect to Surface. This will be used by the framework to force disconnection at times where the underlying GraphicBufferProducer may be about to be reused. This is scoped by PID to avoid conflicting with remote producers. Bug: 30236166 Change-Id: I857216483c0b550f240b3baea41977cbc58a67ed
2016-09-14merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-09-13Merge "Increase YV12BufferPow2 test threshold" into nyc-mr1-devTreeHugger Robot
2016-09-13Merge "Installd: Add a delete_odex command" into nyc-mr1-devAndreas Gampe
2016-09-13Increase YV12BufferPow2 test thresholdKalle Raita
The NPOT version already has 3 as the threshold and at least one platform seems to have diff of 3 in one of the internal pixels for POW2 variant. Bug: 21306103 Bug: 30920650 Change-Id: I7882a6ff43ffc862d95fea32c8ee8e7f19fb759d Cherry-pick from master (e3747fd25918c943caef4d9c7158a668c786c55d)
2016-09-13merge in nyc-mr1-release history after reset to nyc-mr1-devgitbuildkicker
2016-09-12Installd: Add a delete_odex commandAndreas Gampe
Add a command to delete odex files. Bug: 31347757 Change-Id: I29bca8751bcee8d6981c682fbbc816c73b78ac68
2016-09-12DO NOT MERGE ANYWHERE: BufferQueue consumers: Add discardFreeBuffer method ↵Eino-Ville Talvala
am: 8211047138 -s ours am: 7b265d8ab5 -s ours Change-Id: I555ef520067d4300450ef3b0e91f127d06e55b66
2016-09-12DO NOT MERGE ANYWHERE: BufferQueue consumers: Add discardFreeBuffer methodEino-Ville Talvala
am: 8211047138 -s ours Change-Id: If827f77c9c8cb36ad3a8f2eaeb6157bc59258a7a