From 9ebf233e8d1c6a6be6e75c71c5be0a3531008b94 Mon Sep 17 00:00:00 2001 From: Luke Huang Date: Sat, 20 Jun 2020 13:01:33 +0800 Subject: Backport: Update the documentation of ANDROID_RESOLV_NO_CACHE_STORE Make it up-to-date. Test: N/A Bug: 150371903 Change-Id: Ia1402a18d6d466ffbb0357127d7d45cf6c722550 (cherry picked from commit f1cf6a632da354cff3d8aed54913e1ee2909908e) --- include/android/multinetwork.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/android/multinetwork.h b/include/android/multinetwork.h index d31d1f122f..f7294a9ea5 100644 --- a/include/android/multinetwork.h +++ b/include/android/multinetwork.h @@ -123,8 +123,8 @@ enum ResNsendFlags : uint32_t { ANDROID_RESOLV_NO_RETRY = 1 << 0, /** - * Do not cache the result of the lookup. The lookup may return a result that is already - * in the cache, unless the ANDROID_RESOLV_NO_CACHE_LOOKUP flag is also specified. + * Don't lookup this request in the cache, and don't cache the result of the lookup. + * This flag implies {@link #ANDROID_RESOLV_NO_CACHE_LOOKUP}. */ ANDROID_RESOLV_NO_CACHE_STORE = 1 << 1, -- cgit v1.2.3 From 09052cc6655ab2756c4c484b958cdaf29325e652 Mon Sep 17 00:00:00 2001 From: Arthur Ishiguro Date: Tue, 22 Sep 2020 13:05:15 -0700 Subject: Prevent mEventCache UAF in SensorEventConnection Since there is no check to see if SensorEventConnection has been destroyed, the mEventCache pointer can still be used even after it was freed. Bug: 168211968 Test: Run test code that attempts to enable a sensor after destroying the SensorEventConnection, and verify no system_server crash occurs. Change-Id: Ia9275b7cc574df371cdb2e1b80c6699df193b580 Merged-In: Ia9275b7cc574df371cdb2e1b80c6699df193b580 --- services/sensorservice/SensorEventConnection.cpp | 28 +++++++++++++++--------- services/sensorservice/SensorEventConnection.h | 5 +++-- 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/services/sensorservice/SensorEventConnection.cpp b/services/sensorservice/SensorEventConnection.cpp index 0a05dd1b18..15ca7ac3cb 100644 --- a/services/sensorservice/SensorEventConnection.cpp +++ b/services/sensorservice/SensorEventConnection.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include @@ -44,20 +45,13 @@ SensorService::SensorEventConnection::SensorEventConnection( SensorService::SensorEventConnection::~SensorEventConnection() { ALOGD_IF(DEBUG_CONNECTIONS, "~SensorEventConnection(%p)", this); destroy(); -} - -void SensorService::SensorEventConnection::destroy() { - Mutex::Autolock _l(mDestroyLock); - - // destroy once only - if (mDestroyed) { - return; - } - mService->cleanupConnection(this); if (mEventCache != NULL) { delete mEventCache; } +} + +void SensorService::SensorEventConnection::destroy() { mDestroyed = true; } @@ -525,6 +519,11 @@ status_t SensorService::SensorEventConnection::enableDisable( int handle, bool enabled, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + status_t err; if (enabled) { err = mService->enable(this, handle, samplingPeriodNs, maxBatchReportLatencyNs, @@ -539,10 +538,19 @@ status_t SensorService::SensorEventConnection::enableDisable( status_t SensorService::SensorEventConnection::setEventRate( int handle, nsecs_t samplingPeriodNs) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + return mService->setEventRate(this, handle, samplingPeriodNs, mOpPackageName); } status_t SensorService::SensorEventConnection::flush() { + if (mDestroyed) { + return DEAD_OBJECT; + } + return mService->flushSensor(this, mOpPackageName); } diff --git a/services/sensorservice/SensorEventConnection.h b/services/sensorservice/SensorEventConnection.h index 6f282cdc60..bd1b3bbef7 100644 --- a/services/sensorservice/SensorEventConnection.h +++ b/services/sensorservice/SensorEventConnection.h @@ -17,6 +17,7 @@ #ifndef ANDROID_SENSOR_EVENT_CONNECTION_H #define ANDROID_SENSOR_EVENT_CONNECTION_H +#include #include #include @@ -165,8 +166,8 @@ private: int mTotalAcksNeeded, mTotalAcksReceived; #endif - mutable Mutex mDestroyLock; - bool mDestroyed; + // Used to track if this object was inappropriately used after destroy(). + std::atomic_bool mDestroyed; }; } // namepsace android -- cgit v1.2.3 From 3b27b3b3bb36274171a9abb31f3e3f6b53036cf0 Mon Sep 17 00:00:00 2001 From: Arthur Ishiguro Date: Tue, 22 Sep 2020 13:05:15 -0700 Subject: Prevent mEventCache UAF in SensorEventConnection Since there is no check to see if SensorEventConnection has been destroyed, the mEventCache pointer can still be used even after it was freed. Bug: 168211968 Test: Run test code that attempts to enable a sensor after destroying the SensorEventConnection, and verify no system_server crash occurs. Change-Id: Ia9275b7cc574df371cdb2e1b80c6699df193b580 Merged-In: Ia9275b7cc574df371cdb2e1b80c6699df193b580 --- services/sensorservice/SensorEventConnection.cpp | 28 +++++++++++++++--------- services/sensorservice/SensorEventConnection.h | 6 +++-- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/services/sensorservice/SensorEventConnection.cpp b/services/sensorservice/SensorEventConnection.cpp index 956844f426..a9e8321dcf 100644 --- a/services/sensorservice/SensorEventConnection.cpp +++ b/services/sensorservice/SensorEventConnection.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include @@ -44,20 +45,13 @@ SensorService::SensorEventConnection::SensorEventConnection( SensorService::SensorEventConnection::~SensorEventConnection() { ALOGD_IF(DEBUG_CONNECTIONS, "~SensorEventConnection(%p)", this); destroy(); -} - -void SensorService::SensorEventConnection::destroy() { - Mutex::Autolock _l(mDestroyLock); - - // destroy once only - if (mDestroyed) { - return; - } - mService->cleanupConnection(this); if (mEventCache != NULL) { delete mEventCache; } +} + +void SensorService::SensorEventConnection::destroy() { mDestroyed = true; } @@ -555,6 +549,11 @@ status_t SensorService::SensorEventConnection::enableDisable( int handle, bool enabled, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + status_t err; if (enabled) { err = mService->enable(this, handle, samplingPeriodNs, maxBatchReportLatencyNs, @@ -569,10 +568,19 @@ status_t SensorService::SensorEventConnection::enableDisable( status_t SensorService::SensorEventConnection::setEventRate( int handle, nsecs_t samplingPeriodNs) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + return mService->setEventRate(this, handle, samplingPeriodNs, mOpPackageName); } status_t SensorService::SensorEventConnection::flush() { + if (mDestroyed) { + return DEAD_OBJECT; + } + return mService->flushSensor(this, mOpPackageName); } diff --git a/services/sensorservice/SensorEventConnection.h b/services/sensorservice/SensorEventConnection.h index 032721ea39..84b4d86879 100644 --- a/services/sensorservice/SensorEventConnection.h +++ b/services/sensorservice/SensorEventConnection.h @@ -17,6 +17,7 @@ #ifndef ANDROID_SENSOR_EVENT_CONNECTION_H #define ANDROID_SENSOR_EVENT_CONNECTION_H +#include #include #include @@ -168,8 +169,9 @@ private: int mTotalAcksNeeded, mTotalAcksReceived; #endif - mutable Mutex mDestroyLock; - bool mDestroyed; + // Used to track if this object was inappropriately used after destroy(). + std::atomic_bool mDestroyed; + bool mHasSensorAccess; }; -- cgit v1.2.3 From bbf3b377482aeac64c23556bcb2a129d944629ed Mon Sep 17 00:00:00 2001 From: Arthur Ishiguro Date: Tue, 22 Sep 2020 13:05:15 -0700 Subject: Prevent mEventCache UAF in SensorEventConnection Since there is no check to see if SensorEventConnection has been destroyed, the mEventCache pointer can still be used even after it was freed. Bug: 168211968 Test: Run test code that attempts to enable a sensor after destroying the SensorEventConnection, and verify no system_server crash occurs. Change-Id: Ia9275b7cc574df371cdb2e1b80c6699df193b580 Merged-In: Ia9275b7cc574df371cdb2e1b80c6699df193b580 --- services/sensorservice/SensorEventConnection.cpp | 28 +++++++++++++++--------- services/sensorservice/SensorEventConnection.h | 6 +++-- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/services/sensorservice/SensorEventConnection.cpp b/services/sensorservice/SensorEventConnection.cpp index 0e409409f2..1811716af9 100644 --- a/services/sensorservice/SensorEventConnection.cpp +++ b/services/sensorservice/SensorEventConnection.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include @@ -45,20 +46,13 @@ SensorService::SensorEventConnection::SensorEventConnection( SensorService::SensorEventConnection::~SensorEventConnection() { ALOGD_IF(DEBUG_CONNECTIONS, "~SensorEventConnection(%p)", this); destroy(); -} - -void SensorService::SensorEventConnection::destroy() { - Mutex::Autolock _l(mDestroyLock); - - // destroy once only - if (mDestroyed) { - return; - } - mService->cleanupConnection(this); if (mEventCache != nullptr) { delete[] mEventCache; } +} + +void SensorService::SensorEventConnection::destroy() { mDestroyed = true; } @@ -603,6 +597,11 @@ status_t SensorService::SensorEventConnection::enableDisable( int handle, bool enabled, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + status_t err; if (enabled) { err = mService->enable(this, handle, samplingPeriodNs, maxBatchReportLatencyNs, @@ -617,10 +616,19 @@ status_t SensorService::SensorEventConnection::enableDisable( status_t SensorService::SensorEventConnection::setEventRate( int handle, nsecs_t samplingPeriodNs) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + return mService->setEventRate(this, handle, samplingPeriodNs, mOpPackageName); } status_t SensorService::SensorEventConnection::flush() { + if (mDestroyed) { + return DEAD_OBJECT; + } + return mService->flushSensor(this, mOpPackageName); } diff --git a/services/sensorservice/SensorEventConnection.h b/services/sensorservice/SensorEventConnection.h index fd881cbc0b..d3528551bb 100644 --- a/services/sensorservice/SensorEventConnection.h +++ b/services/sensorservice/SensorEventConnection.h @@ -17,6 +17,7 @@ #ifndef ANDROID_SENSOR_EVENT_CONNECTION_H #define ANDROID_SENSOR_EVENT_CONNECTION_H +#include #include #include #include @@ -182,8 +183,9 @@ private: int mTotalAcksNeeded, mTotalAcksReceived; #endif - mutable Mutex mDestroyLock; - bool mDestroyed; + // Used to track if this object was inappropriately used after destroy(). + std::atomic_bool mDestroyed; + bool mHasSensorAccess; // Store a mapping of sensor handles to required AppOp for a sensor. This map only contains a -- cgit v1.2.3 From 9fb3ea9c93b98a77e7899299019542e333da21fb Mon Sep 17 00:00:00 2001 From: Arthur Ishiguro Date: Tue, 22 Sep 2020 13:05:15 -0700 Subject: Prevent mEventCache UAF in SensorEventConnection Since there is no check to see if SensorEventConnection has been destroyed, the mEventCache pointer can still be used even after it was freed. Bug: 168211968 Test: Run test code that attempts to enable a sensor after destroying the SensorEventConnection, and verify no system_server crash occurs. Change-Id: Ia9275b7cc574df371cdb2e1b80c6699df193b580 Merged-In: Ia9275b7cc574df371cdb2e1b80c6699df193b580 --- services/sensorservice/SensorEventConnection.cpp | 28 +++++++++++++++--------- services/sensorservice/SensorEventConnection.h | 6 +++-- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/services/sensorservice/SensorEventConnection.cpp b/services/sensorservice/SensorEventConnection.cpp index 0e409409f2..1811716af9 100644 --- a/services/sensorservice/SensorEventConnection.cpp +++ b/services/sensorservice/SensorEventConnection.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include @@ -45,20 +46,13 @@ SensorService::SensorEventConnection::SensorEventConnection( SensorService::SensorEventConnection::~SensorEventConnection() { ALOGD_IF(DEBUG_CONNECTIONS, "~SensorEventConnection(%p)", this); destroy(); -} - -void SensorService::SensorEventConnection::destroy() { - Mutex::Autolock _l(mDestroyLock); - - // destroy once only - if (mDestroyed) { - return; - } - mService->cleanupConnection(this); if (mEventCache != nullptr) { delete[] mEventCache; } +} + +void SensorService::SensorEventConnection::destroy() { mDestroyed = true; } @@ -603,6 +597,11 @@ status_t SensorService::SensorEventConnection::enableDisable( int handle, bool enabled, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + status_t err; if (enabled) { err = mService->enable(this, handle, samplingPeriodNs, maxBatchReportLatencyNs, @@ -617,10 +616,19 @@ status_t SensorService::SensorEventConnection::enableDisable( status_t SensorService::SensorEventConnection::setEventRate( int handle, nsecs_t samplingPeriodNs) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + return mService->setEventRate(this, handle, samplingPeriodNs, mOpPackageName); } status_t SensorService::SensorEventConnection::flush() { + if (mDestroyed) { + return DEAD_OBJECT; + } + return mService->flushSensor(this, mOpPackageName); } diff --git a/services/sensorservice/SensorEventConnection.h b/services/sensorservice/SensorEventConnection.h index fd881cbc0b..d3528551bb 100644 --- a/services/sensorservice/SensorEventConnection.h +++ b/services/sensorservice/SensorEventConnection.h @@ -17,6 +17,7 @@ #ifndef ANDROID_SENSOR_EVENT_CONNECTION_H #define ANDROID_SENSOR_EVENT_CONNECTION_H +#include #include #include #include @@ -182,8 +183,9 @@ private: int mTotalAcksNeeded, mTotalAcksReceived; #endif - mutable Mutex mDestroyLock; - bool mDestroyed; + // Used to track if this object was inappropriately used after destroy(). + std::atomic_bool mDestroyed; + bool mHasSensorAccess; // Store a mapping of sensor handles to required AppOp for a sensor. This map only contains a -- cgit v1.2.3 From f1bf7dd095ac2f632442663cb16aeef4691b93e7 Mon Sep 17 00:00:00 2001 From: Arthur Ishiguro Date: Tue, 22 Sep 2020 13:05:15 -0700 Subject: Prevent mEventCache UAF in SensorEventConnection Since there is no check to see if SensorEventConnection has been destroyed, the mEventCache pointer can still be used even after it was freed. Bug: 168211968 Test: Run test code that attempts to enable a sensor after destroying the SensorEventConnection, and verify no system_server crash occurs. Change-Id: Ia9275b7cc574df371cdb2e1b80c6699df193b580 Merged-In: Ia9275b7cc574df371cdb2e1b80c6699df193b580 (cherry picked from commit 3e9afc163256db661b9039120d07501b3a8a7d99) --- services/sensorservice/SensorEventConnection.cpp | 28 +++++++++++++++--------- services/sensorservice/SensorEventConnection.h | 5 +++-- 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/services/sensorservice/SensorEventConnection.cpp b/services/sensorservice/SensorEventConnection.cpp index b4b5f98609..6c8671289d 100644 --- a/services/sensorservice/SensorEventConnection.cpp +++ b/services/sensorservice/SensorEventConnection.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include @@ -47,20 +48,13 @@ SensorService::SensorEventConnection::SensorEventConnection( SensorService::SensorEventConnection::~SensorEventConnection() { ALOGD_IF(DEBUG_CONNECTIONS, "~SensorEventConnection(%p)", this); destroy(); -} - -void SensorService::SensorEventConnection::destroy() { - Mutex::Autolock _l(mDestroyLock); - - // destroy once only - if (mDestroyed) { - return; - } - mService->cleanupConnection(this); if (mEventCache != nullptr) { delete[] mEventCache; } +} + +void SensorService::SensorEventConnection::destroy() { mDestroyed = true; } @@ -665,6 +659,11 @@ status_t SensorService::SensorEventConnection::enableDisable( int handle, bool enabled, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + status_t err; if (enabled) { err = mService->enable(this, handle, samplingPeriodNs, maxBatchReportLatencyNs, @@ -679,10 +678,19 @@ status_t SensorService::SensorEventConnection::enableDisable( status_t SensorService::SensorEventConnection::setEventRate( int handle, nsecs_t samplingPeriodNs) { + if (mDestroyed) { + android_errorWriteLog(0x534e4554, "168211968"); + return DEAD_OBJECT; + } + return mService->setEventRate(this, handle, samplingPeriodNs, mOpPackageName); } status_t SensorService::SensorEventConnection::flush() { + if (mDestroyed) { + return DEAD_OBJECT; + } + return mService->flushSensor(this, mOpPackageName); } diff --git a/services/sensorservice/SensorEventConnection.h b/services/sensorservice/SensorEventConnection.h index 8f2d5db28f..9487a39a92 100644 --- a/services/sensorservice/SensorEventConnection.h +++ b/services/sensorservice/SensorEventConnection.h @@ -17,6 +17,7 @@ #ifndef ANDROID_SENSOR_EVENT_CONNECTION_H #define ANDROID_SENSOR_EVENT_CONNECTION_H +#include #include #include #include @@ -182,8 +183,8 @@ private: int mTotalAcksNeeded, mTotalAcksReceived; #endif - mutable Mutex mDestroyLock; - bool mDestroyed; + // Used to track if this object was inappropriately used after destroy(). + std::atomic_bool mDestroyed; // Store a mapping of sensor handles to required AppOp for a sensor. This map only contains a // valid mapping for sensors that require a permission in order to reduce the lookup time. -- cgit v1.2.3