Age | Commit message | Author |
|
2420266, 2420284, 2420308, 2420342, 2420177, 2420195, 2420344, 2420345, 2420179, 2420324, 2420251, 2420269, 2420271, 2420325, 2420310, 2420220, 2420348, 2420291, 2420328, 2420330, 2420383, 2420331, 2420255, 2420296, 2420278, 2420229, 2420335] into nyc-mr1-volantis-release
Change-Id: Id96a57cd611bbf4b646783c10c130830f82212a9
|
|
Backported from 12a0ccd6f7201bac706d903ac3f436c4358fe203.
Bug: 33004354
Test: manual
Change-Id: I9b38ee644b02268c9b995a330db758aa2e568399
(cherry picked from commit 59485525a6047453e6ba16c03989381e2a0d56ec)
|
|
2337423, 2337481, 2337412, 2337521, 2337413, 2337426, 2337414, 2337415, 2337523, 2337502, 2337503, 2337524, 2337463, 2337483, 2337417, 2337427, 2337561, 2337464, 2337581, 2337484, 2337525, 2337526, 2337527, 2337394, 2337562, 2337528, 2337504, 2337563, 2337565, 2337584, 2337602, 2337530, 2337585, 2337532, 2337487, 2337396, 2337505, 2337432, 2337603, 2337604, 2337534, 2337536, 2337508, 2337606] into nyc-mr1-volantis-release
Change-Id: I7b3418078c92672d361ec160a0a3ac8956929dff
|
|
Bug: 37478824
Test: manual
Change-Id: I369337d53539bf7f7e3d925bccdae4045da1b404
(cherry picked from commit c79a29689c1046f1f0301c75df9b9a67cba8bf04)
|
|
Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.
Bug: 36991414
Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
(cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)
|
|
Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.
Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad
(cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)
|
|
Change-Id: I4c9ea3a3177131fa29d2561da71ef18bec3af108
Test: angler, marlin
Bug: 32628763
(cherry picked from commit 45b202513ba7440beaefbf9928f73fb6683dcfbd)
|
|
BufferQueueCore features a variable mLastQueuedSlot which is not
initialized in its constructor, resulting in a security vulnerability
Bug: 31960359
Change-Id: If892f59f6288d8b81b1e312995832a20c8341494
Tests: Manually on Angler
(cherry picked from commit dffa078205f6b6c17e24214928f642393423e081)
|
|
Because of the lack of a mutex lock when getting mConsumerName, if one
thread calls getConsumerName while another thread calls setConsumerName
frequently, a UAF will be triggered.
Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65
Test: Marlin with poc provided in bug report.
Bug: 32706020
(cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
|
|
Fix merge conflict into nyc-mr1-security-a-release
Bug 31929765
Change-Id: Ie27b9945f1de056624668869bdf9a5578abff467
|
|
Because of the lack of a mutex lock when getting mSidebandStream, if one
thread calls getSidebandStream while another thread calls
setSidebandStream frequently, a UAF will be triggered.
Bug: 32660278
Test: Marlin device with poc
Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45
(cherry picked from commit 2d8a2432e04234d9edbb3b099f9bbbaa36ad4843)
|
|
Passing a size to std::vector that is too big causes it to silently
under-allocate when exceptions are disabled, leaving us open to an OOB
write. We check the bounds and the resulting size now to verify
allocation succeeds.
Test: Verified reproducer attached to bug no longer crashes Camera
service.
Bug: 31677614
Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7
(cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)
|
|
To speed up boot times, we recently relaxed SELinux restorecon logic
to only consider relabeling app storage when the top level SELinux
label changed.
However, if an app manually deletes either their cache or code_cache
directories, installd will helpfully recreate those directories at
the next boot, but they'll be stuck with incorrect SELinux labels
which an app can't fix. (Our historically aggressive restorecons had
relabeled them, which is why we didn't observe until now.)
This change checks the labels of the cache/code_cache directories,
and runs a restorecon if needed, fixing the issue above.
Test: delete cache and verify recreated with correct label
Bug: 32504081
Change-Id: I0114ae4129223e5909b1075d56a9b1145ebc5ef4
(cherry picked from commit 397ec266753a675e6891c479971e6506491b1b44)
|
|
This reverts commit 1d3df546d5ee4dcc9e7cae6f8b8b790f741539af.
Original patch may have caused a stability issue caught in monkey testing.
Bug: 32312240
Change-Id: Ie8d291679590e624b8b90c4786b1c25c76cb2c9f
(cherry picked from commit 598f6d5429b290f33107ef678328914b99c8312e)
|
|
This reverts commit 1d3df546d5ee4dcc9e7cae6f8b8b790f741539af.
Original patch may have caused a stability issue caught in monkey testing.
Bug: 32312240
Change-Id: Ie8d291679590e624b8b90c4786b1c25c76cb2c9f
|
|
report time."" into nyc-mr1-dev
|
|
This reverts commit f87959e00732d7d737527f1248a71adea99ae29d.
BUG: 32402587
Fixes: 32365477
Change-Id: Ic4daec37efbaef1906450bf6609d5588d5c9a835
|
|
Bug: 31959453
Change-Id: I6fef6781e14f3c1239197798b79cc9239d34d53d
|
|
BUG: 32219165
Fixes: 32335112
Change-Id: I2bc630f9c840ccd3a2e0474ed16a766e8a405ad8
|
|
Move layer removal to the main thread, while the display is on.
Bug: 30281222
Change-Id: Id9f956c1e626819734868340e7fa12abf257b702
|
|
sysfs should be ready at an earlier stage than boot
Bug: 32025203
Test: take systrace
Change-Id: Id73b6959f3075dc793d93551963193a211060da8
|
|
BUG: 31828706
BUG: 30832947
Change-Id: I0a4b1fcce91caa96ccbc4e890d9968e3033487de
(cherry picked from commit f87959e00732d7d737527f1248a71adea99ae29d)
|
|
Bug: 31522731
Change-Id: I84d82e55aba5b58dfdbcac9e208c36767fbedfd1
(cherry picked from commit d6e9946cdd57a92c9bc86ba97a4ca42078153008)
|
|
Bug: 31522731
Change-Id: I84d82e55aba5b58dfdbcac9e208c36767fbedfd1
|
|
Bug: 30869013
Change-Id: I1f0e5d820f0153484c38ecb0f9c764fca02d786c
|
|
Bug: 23113288
Change-Id: I6304425f968fcb22c75c3f6e64bf7992e34e0889
|
|
PackageManager has been pretty aggressive about asking installd to
restorecon over app data when it thinks something might have
changed. However, in the vast majority of cases these are no-op
requests, and we waste a bunch of time recursively walking all
private data, easily costing 60+ seconds on dogfooder devices.
This change updates the initial "create_app_data" command to kick off
a recursive restorecon if it detects that the top-level SELinux label
on the app private data directory changes. The "create_app_data"
command is designed to ensure that an app's storage is ready, so
PackageManager always calls it at least once per boot before apps
can run. (This change means that PackageManager no longer needs to
make separate "restorecon_app_data" calls.)
Test: booted, verified that a label change triggered restorecon
Bug: 30768146
Change-Id: I0c8d4018cf8ff888d0ae07a82adc3d61a6002aad
|
|
Even though SolidColor layers map cleanly to HWC_BACKGROUND composition
in HWC1, SurfaceFlinger never used HWC_BACKGROUND, so we can't trust
that HWC1 devices implemented it correctly. To preserve backwards
compatibility, this changes the behavior to fall back to client
composition to minimize incompatibilities with existing devices.
Bug: 30479781
Change-Id: I638339062e03f2c057b3e1624e7157587ddee7ec
|
|
Add a new method forceScopedDisconnect to Surface. This will
be used by the framework to force disconnection at times where
the underlying GraphicBufferProducer may be about to be reused.
This is scoped by PID to avoid conflicting with remote producers.
Bug: 30236166
Change-Id: I857216483c0b550f240b3baea41977cbc58a67ed
|
|
The NPOT version already has 3 as the threshold and at least one
platform seems to have diff of 3 in one of the internal pixels for POW2
variant.
Bug: 21306103
Bug: 30920650
Change-Id: I7882a6ff43ffc862d95fea32c8ee8e7f19fb759d
Cherry-pick from master (e3747fd25918c943caef4d9c7158a668c786c55d)
|
|
Add a command to delete odex files.
Bug: 31347757
Change-Id: I29bca8751bcee8d6981c682fbbc816c73b78ac68
|
|
am: 8211047138 -s ours
am: 7b265d8ab5 -s ours
Change-Id: I555ef520067d4300450ef3b0e91f127d06e55b66
|
|
am: 8211047138 -s ours
Change-Id: If827f77c9c8cb36ad3a8f2eaeb6157bc59258a7a
|