Mitigate the security vulnerability by sanitizing the transaction flags. (3ea58dbc) · Commits · e / devices / smdk4412 / android_frameworks_native

libs/gui/LayerState.cpp

+21 −0

Original line number	Diff line number	Diff line
		@@ -381,6 +381,27 @@ void DisplayState::merge(const DisplayState& other) {
		}
		}

		void DisplayState::sanitize(int32_t permissions) {
		if (what & DisplayState::eLayerStackChanged) {
		if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
		what &= ~DisplayState::eLayerStackChanged;
		ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
		}
		}
		if (what & DisplayState::eDisplayProjectionChanged) {
		if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
		what &= ~DisplayState::eDisplayProjectionChanged;
		ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
		}
		}
		if (what & DisplayState::eSurfaceChanged) {
		if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
		what &= ~DisplayState::eSurfaceChanged;
		ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
		}
		}
		}

		void layer_state_t::sanitize(int32_t permissions) {
		// TODO: b/109894387
		//

libs/gui/include/gui/LayerState.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -276,6 +276,7 @@ struct DisplayState {

		DisplayState();
		void merge(const DisplayState& other);
		void sanitize(int32_t permissions);

		uint32_t what;
		sp<IBinder> token;

services/surfaceflinger/SurfaceFlinger.cpp

+5 −4

Original line number	Diff line number	Diff line
		@@ -3460,7 +3460,7 @@ void SurfaceFlinger::flushTransactionQueues() {
		// to prevent onHandleDestroyed from being called while the lock is held,
		// we must keep a copy of the transactions (specifically the composer
		// states) around outside the scope of the lock
		std::vector<const TransactionState> transactions;
		std::vector<TransactionState> transactions;
		// Layer handles that have transactions with buffers that are ready to be applied.
		std::unordered_set<sp<IBinder>, ISurfaceComposer::SpHash<IBinder>> bufferLayersReadyToPresent;
		{
		@@ -3524,7 +3524,7 @@ void SurfaceFlinger::flushTransactionQueues() {
		}

		// Now apply all transactions.
		for (const auto& transaction : transactions) {
		for (auto& transaction : transactions) {
		applyTransactionState(transaction.frameTimelineInfo, transaction.states,
		transaction.displays, transaction.flags,
		transaction.inputWindowCommands, transaction.desiredPresentTime,
		@@ -3744,7 +3744,7 @@ status_t SurfaceFlinger::setTransactionState(

		void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelineInfo,
		const Vector<ComposerState>& states,
		const Vector<DisplayState>& displays, uint32_t flags,
		Vector<DisplayState>& displays, uint32_t flags,
		const InputWindowCommands& inputWindowCommands,
		const int64_t desiredPresentTime, bool isAutoTimestamp,
		const client_cache_t& uncacheBuffer,
		@@ -3753,7 +3753,8 @@ void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelin
		const std::vector<ListenerCallbacks>& listenerCallbacks,
		int originPid, int originUid, uint64_t transactionId) {
		uint32_t transactionFlags = 0;
		for (const DisplayState& display : displays) {
		for (DisplayState& display : displays) {
		display.sanitize(permissions);
		transactionFlags \|= setDisplayStateLocked(display);
		}

services/surfaceflinger/SurfaceFlinger.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -829,7 +829,7 @@ private:
		* Transactions
		*/
		void applyTransactionState(const FrameTimelineInfo& info, const Vector<ComposerState>& state,
		const Vector<DisplayState>& displays, uint32_t flags,
		Vector<DisplayState>& displays, uint32_t flags,
		const InputWindowCommands& inputWindowCommands,
		const int64_t desiredPresentTime, bool isAutoTimestamp,
		const client_cache_t& uncacheBuffer, const int64_t postTime,