
Commit 8b172cef authored by Sally Qi's avatar Sally Qi Committed by Automerger Merge Worker

Mitigate the security vulnerability by sanitizing the transaction flags. am: 3ea58dbc

parents 8b1dd38b 3ea58dbc
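--- a/libs/gui/LayerState.cpp
+++ b/libs/gui/LayerState.cpp
@@ -381,6 +381,27 @@ void DisplayState::merge(const DisplayState& other) {
     }
 }
 
+void DisplayState::sanitize(int32_t permissions) {
+    if (what & DisplayState::eLayerStackChanged) {
+        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
+            what &= ~DisplayState::eLayerStackChanged;
+            ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
+        }
+    }
+    if (what & DisplayState::eDisplayProjectionChanged) {
+        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
+            what &= ~DisplayState::eDisplayProjectionChanged;
+            ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
+        }
+    }
+    if (what & DisplayState::eSurfaceChanged) {
+        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
+            what &= ~DisplayState::eSurfaceChanged;
+            ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
+        }
+    }
+}
+
 void layer_state_t::sanitize(int32_t permissions) {
     // TODO: b/109894387
     //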
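Review bot: DisplayState::sanitize is a denylist — it clears only the three bits it names, so any other bit an unprivileged client sets in `what` passes through, and a flag added to DisplayState later is permitted by default unless someone remembers to extend this function; if the set of flags an unprivileged caller may legitimately set is small, an allowlist mask applied when ACCESS_SURFACE_FLINGER is absent fails closed instead (I cannot see the full flag enumeration here, so treat that as a design question to confirm). The permission test is identical in all three branches, so it can be evaluated once and the three flags masked together, with one log line carrying the stripped bits; that also makes the privileged set a single named constant that future flags are added to. The function has no header comment; add `// Clears the flags in |what| that a caller holding only |permissions| may not set. Must run before the state reaches setDisplayStateLocked.` above it.
```cpp
void DisplayState::sanitize(int32_t permissions) {
    if (permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER) {
        return;
    }
    // Display flags that require ACCESS_SURFACE_FLINGER; extend this mask when a new privileged flag is added.
    const uint32_t privilegedFlags =
            eLayerStackChanged | eDisplayProjectionChanged | eSurfaceChanged;
    if (what & privilegedFlags) {
        ALOGE("Stripped attempt to set privileged display flags 0x%x in sanitize", what & privilegedFlags);
        what &= ~privilegedFlags;
    }
}
```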
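--- a/libs/gui/include/gui/LayerState.h
+++ b/libs/gui/include/gui/LayerState.h
@@ -276,6 +276,7 @@ struct DisplayState {
 
     DisplayState();
     void merge(const DisplayState& other);
+    void sanitize(int32_t permissions);
 
     uint32_t what;
     sp<IBinder> token;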
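Review bot: The added `sanitize` declaration carries no comment, so a reader of the header cannot tell that it mutates `what` in place based on the caller's permissions, or that it is the security check the rest of the change relies on. Add above it `// Clears the flags in |what| that a caller holding only |permissions| may not set; call before the state is applied.`. The enclosing struct DisplayState continues outside the hunk.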
+5 −4
@@ -3460,7 +3460,7 @@ void SurfaceFlinger::flushTransactionQueues() {
    // to prevent onHandleDestroyed from being called while the lock is held,
    // we must keep a copy of the transactions (specifically the composer
    // states) around outside the scope of the lock
    std::vector<const TransactionState> transactions;
    std::vector<TransactionState> transactions;
    // Layer handles that have transactions with buffers that are ready to be applied.
    std::unordered_set<sp<IBinder>, ISurfaceComposer::SpHash<IBinder>> bufferLayersReadyToPresent;
    {
@@ -3524,7 +3524,7 @@ void SurfaceFlinger::flushTransactionQueues() {
        }

        // Now apply all transactions.
        for (const auto& transaction : transactions) {
        for (auto& transaction : transactions) {
            applyTransactionState(transaction.frameTimelineInfo, transaction.states,
                                  transaction.displays, transaction.flags,
                                  transaction.inputWindowCommands, transaction.desiredPresentTime,
@@ -3744,7 +3744,7 @@ status_t SurfaceFlinger::setTransactionState(

void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelineInfo,
                                           const Vector<ComposerState>& states,
                                           const Vector<DisplayState>& displays, uint32_t flags,
                                           Vector<DisplayState>& displays, uint32_t flags,
                                           const InputWindowCommands& inputWindowCommands,
                                           const int64_t desiredPresentTime, bool isAutoTimestamp,
                                           const client_cache_t& uncacheBuffer,
@@ -3753,7 +3753,8 @@ void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelin
                                           const std::vector<ListenerCallbacks>& listenerCallbacks,
                                           int originPid, int originUid, uint64_t transactionId) {
    uint32_t transactionFlags = 0;
    for (const DisplayState& display : displays) {
    for (DisplayState& display : displays) {
        display.sanitize(permissions);
        transactionFlags |= setDisplayStateLocked(display);
    }

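Review bot: `display.sanitize(permissions)` at the top of applyTransactionState runs when the queue is flushed, so the `permissions` it consults must be the value captured from the binder caller when the transaction was queued and carried with the TransactionState, not anything derived from the flushing thread; `permissions` is not among the parameters visible here (the list is cut between the `uncacheBuffer` and `listenerCallbacks` lines), so its origin cannot be confirmed from this page and is worth checking. Because sanitize mutates queued state, the reason `displays` lost its const should be stated at the call: `// Strip display flags the originating caller is not permitted to set, before setDisplayStateLocked consumes them.`. Separately, `std::vector<const TransactionState>` is ill-formed under the standard's allocator requirements even where a toolchain accepts it, so that change stands on its own apart from the const-reference plumbing. Both flushTransactionQueues and applyTransactionState extend past the hunks shown.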
+1 −1
@@ -828,7 +828,7 @@ private:
     * Transactions
     */
    void applyTransactionState(const FrameTimelineInfo& info, const Vector<ComposerState>& state,
                               const Vector<DisplayState>& displays, uint32_t flags,
                               Vector<DisplayState>& displays, uint32_t flags,
                               const InputWindowCommands& inputWindowCommands,
                               const int64_t desiredPresentTime, bool isAutoTimestamp,
                               const client_cache_t& uncacheBuffer, const int64_t postTime,
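Review bot: The declaration now takes `displays` by non-const reference, which reads as an output parameter on a function named applyTransactionState, and nothing in the header says it is only sanitized in place. Add `// |displays| is non-const because each entry is sanitized in place against the caller's permissions before it is applied.` above the declaration so the reason survives the next refactor. The declaration continues past the hunk.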