
Unverified Commit b36f1b49 authored by Sally Qi, committed by Kevin F. Haggerty

Mitigate the security vulnerability by sanitizing the transaction flags.

- This is a partial backport of the fix in commit
  Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df.

Bug: 248031255
Test: test using displaytoken app manually on the phone, test shell
screenrecord during using displaytoken; atest
android.hardware.camera2.cts.FastBasicsTest

Change-Id: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
(cherry picked from commit 3ea58dbc)
Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
parent 29cac78a
+21 −0
@@ -391,6 +391,27 @@ void DisplayState::merge(const DisplayState& other) {
    }
}

void DisplayState::sanitize(int32_t permissions) {
    if (what & DisplayState::eLayerStackChanged) {
        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
            what &= ~DisplayState::eLayerStackChanged;
            ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
        }
    }
    if (what & DisplayState::eDisplayProjectionChanged) {
        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
            what &= ~DisplayState::eDisplayProjectionChanged;
            ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
        }
    }
    if (what & DisplayState::eSurfaceChanged) {
        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
            what &= ~DisplayState::eSurfaceChanged;
            ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
        }
    }
}

void layer_state_t::sanitize(int32_t permissions) {
    // TODO: b/109894387
    //
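Review bot: The permission test is repeated verbatim in all three branches of DisplayState::sanitize; an early return at the top, `if (permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER) return;`, evaluates it once and still leaves each stripped flag with its own ALOGE line. This is a deny-list, so any other bit the struct defines for `what` stays reachable by unprivileged callers; that may be intended, but it deserves a comment such as `// Only these three flags are privileged; other DisplayState bits are accepted from any caller.` so a later flag is not added without deciding. The ALOGE has no pid or uid to attribute the stripped request to, which limits its value for detection; the caller in applyTransactionState has originPid and originUid if attribution is wanted. layer_state_t::sanitize at the end of the hunk continues outside it.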
+1 −0
@@ -278,6 +278,7 @@ struct DisplayState {

    DisplayState();
    void merge(const DisplayState& other);
    void sanitize(int32_t permissions);

    uint32_t what;
    sp<IBinder> token;
+5 −4
@@ -3501,7 +3501,7 @@ void SurfaceFlinger::flushTransactionQueues() {
    // to prevent onHandleDestroyed from being called while the lock is held,
    // we must keep a copy of the transactions (specifically the composer
    // states) around outside the scope of the lock
    std::vector<const TransactionState> transactions;
    std::vector<TransactionState> transactions;
    // Layer handles that have transactions with buffers that are ready to be applied.
    std::unordered_set<sp<IBinder>, ISurfaceComposer::SpHash<IBinder>> bufferLayersReadyToPresent;
    {
@@ -3565,7 +3565,7 @@ void SurfaceFlinger::flushTransactionQueues() {
        }

        // Now apply all transactions.
        for (const auto& transaction : transactions) {
        for (auto& transaction : transactions) {
            applyTransactionState(transaction.frameTimelineInfo, transaction.states,
                                  transaction.displays, transaction.flags,
                                  transaction.inputWindowCommands, transaction.desiredPresentTime,
@@ -3785,7 +3785,7 @@ status_t SurfaceFlinger::setTransactionState(

void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelineInfo,
                                           const Vector<ComposerState>& states,
                                           const Vector<DisplayState>& displays, uint32_t flags,
                                           Vector<DisplayState>& displays, uint32_t flags,
                                           const InputWindowCommands& inputWindowCommands,
                                           const int64_t desiredPresentTime, bool isAutoTimestamp,
                                           const client_cache_t& uncacheBuffer,
@@ -3794,7 +3794,8 @@ void SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelin
                                           const std::vector<ListenerCallbacks>& listenerCallbacks,
                                           int originPid, int originUid, uint64_t transactionId) {
    uint32_t transactionFlags = 0;
    for (const DisplayState& display : displays) {
    for (DisplayState& display : displays) {
        display.sanitize(permissions);
        transactionFlags |= setDisplayStateLocked(display);
    }

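Review bot: The `permissions` value handed to `display.sanitize(permissions)` is what makes this fix hold on the deferred path, and its provenance is not visible here: the applyTransactionState call in flushTransactionQueues is cut off before that argument, and `permissions` is not among the parameters shown in the signature, so it presumably sits in the elided lines. Confirm it is the caller's permission bits captured in setTransactionState when the transaction was queued and carried in TransactionState, not anything derived from the SurfaceFlinger thread that drains the queue, since that thread is privileged. Dropping `const` on `displays` is required because sanitize mutates `what`, so the `transactions` copy in flushTransactionQueues is now also what keeps queue entries from being edited in place; a comment at the sanitize call, `// Strip privileged display flags before any display state is applied; permissions are those of the originating caller.`, would record that contract. Only DisplayState is sanitized in this loop; the ComposerState path is outside this hunk.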
+1 −1
@@ -832,7 +832,7 @@ private:
     * Transactions
     */
    void applyTransactionState(const FrameTimelineInfo& info, const Vector<ComposerState>& state,
                               const Vector<DisplayState>& displays, uint32_t flags,
                               Vector<DisplayState>& displays, uint32_t flags,
                               const InputWindowCommands& inputWindowCommands,
                               const int64_t desiredPresentTime, bool isAutoTimestamp,
                               const client_cache_t& uncacheBuffer, const int64_t postTime,