Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1f0301b3 authored by Wenhui Yang's avatar Wenhui Yang
Browse files

Include color layers in input list to fix tapjacking vulnerability 

We can use this to compute occlusion more accurately in inputdispatcher.

Bug: 277076451
Test: app-debug.apk in the bug
Test: go/wm-smoke
Flag: EXEMPT bugfix
Change-Id: I1e155bcf4a6a7ff1b49338ec21bb0e9ee05a54c8
parent 7051e5bc

services/surfaceflinger/FrontEnd/LayerSnapshotBuilder.cpp

+1 −1
Original line number Diff line number Diff line
@@ -1162,7 +1162,7 @@ void LayerSnapshotBuilder::updateInput(LayerSnapshot& snapshot, 
    auto displayInfo = displayInfoOpt.value_or(sDefaultInfo);



    if (!requested.hasInputInfo()) {

        snapshot.inputInfo.inputConfig = InputConfig::NO_INPUT_CHANNEL;

        snapshot.inputInfo.inputConfig |= InputConfig::NO_INPUT_CHANNEL;

    }

    fillInputFrameInfo(snapshot.inputInfo, displayInfo.transform, snapshot);

services/surfaceflinger/FrontEnd/RequestedLayerState.cpp

+10 −1
Original line number Diff line number Diff line
@@ -561,7 +561,7 @@ bool RequestedLayerState::needsInputInfo() const { 
        return false;

    }



    if ((sidebandStream != nullptr) || (externalTexture != nullptr)) {

    if (hasBufferOrSidebandStream() || fillsColor()) {

        return true;

    }
@@ -574,6 +574,15 @@ bool RequestedLayerState::needsInputInfo() const { 
            windowInfo->inputConfig.test(gui::WindowInfo::InputConfig::NO_INPUT_CHANNEL);

}



bool RequestedLayerState::hasBufferOrSidebandStream() const {

    return ((sidebandStream != nullptr) || (externalTexture != nullptr));

}



bool RequestedLayerState::fillsColor() const {

    return !hasBufferOrSidebandStream() && color.r >= 0.0_hf && color.g >= 0.0_hf &&

            color.b >= 0.0_hf;

}



bool RequestedLayerState::hasBlur() const {

    return backgroundBlurRadius > 0 || blurRegions.size() > 0;

}

services/surfaceflinger/FrontEnd/RequestedLayerState.h

+2 −0
Original line number Diff line number Diff line
@@ -88,6 +88,8 @@ struct RequestedLayerState : layer_state_t { 
    bool hasValidRelativeParent() const;

    bool hasInputInfo() const;

    bool needsInputInfo() const;

    bool hasBufferOrSidebandStream() const;

    bool fillsColor() const;

    bool hasBlur() const;

    bool hasFrameUpdate() const;

    bool hasReadyFrame() const;

services/surfaceflinger/tests/unittests/LayerLifecycleManagerTest.cpp

+23 −5
Original line number Diff line number Diff line
@@ -619,14 +619,32 @@ TEST_F(LayerLifecycleManagerTest, isSimpleBufferUpdate) { 
    }

}



TEST_F(LayerLifecycleManagerTest, testInputInfoOfRequestedLayerState) {

    // By default the layer has no buffer, so it doesn't need an input info

    EXPECT_FALSE(getRequestedLayerState(mLifecycleManager, 111)->needsInputInfo());

TEST_F(LayerLifecycleManagerTest, layerWithBufferNeedsInputInfo) {

    // If a layer has no buffer or no color, it doesn't have an input info

    LayerHierarchyTestBase::createRootLayer(3);

    setColor(3, {-1._hf, -1._hf, -1._hf});

    mLifecycleManager.commitChanges();



    EXPECT_FALSE(getRequestedLayerState(mLifecycleManager, 3)->needsInputInfo());



    setBuffer(3);

    mLifecycleManager.commitChanges();



    EXPECT_TRUE(getRequestedLayerState(mLifecycleManager, 3)->needsInputInfo());

}



TEST_F(LayerLifecycleManagerTest, layerWithColorNeedsInputInfo) {

    // If a layer has no buffer or no color, it doesn't have an input info

    LayerHierarchyTestBase::createRootLayer(4);

    setColor(4, {-1._hf, -1._hf, -1._hf});

    mLifecycleManager.commitChanges();



    EXPECT_FALSE(getRequestedLayerState(mLifecycleManager, 4)->needsInputInfo());



    setBuffer(111);

    setColor(4, {1._hf, 0._hf, 0._hf});

    mLifecycleManager.commitChanges();



    EXPECT_TRUE(getRequestedLayerState(mLifecycleManager, 111)->needsInputInfo());

    EXPECT_TRUE(getRequestedLayerState(mLifecycleManager, 4)->needsInputInfo());

}



} // namespace android::surfaceflinger::frontend

services/surfaceflinger/tests/unittests/LayerSnapshotTest.cpp

+3 −3
Original line number Diff line number Diff line
@@ -1957,17 +1957,17 @@ TEST_F(LayerSnapshotTest, multipleEdgeExtensionIncreaseBoundSizeWithinCrop) { 
}



TEST_F(LayerSnapshotTest, shouldUpdateInputWhenNoInputInfo) {

    // By default the layer has no buffer, so we don't expect it to have an input info

    // If a layer has no buffer or no color, it doesn't have an input info

    setColor(111, {-1._hf, -1._hf, -1._hf});

    UPDATE_AND_VERIFY(mSnapshotBuilder, {1, 11, 12, 121, 122, 1221, 13, 2});

    EXPECT_FALSE(getSnapshot(111)->hasInputInfo());



    setBuffer(111);



    UPDATE_AND_VERIFY(mSnapshotBuilder, STARTING_ZORDER);



    EXPECT_TRUE(getSnapshot(111)->hasInputInfo());

    EXPECT_TRUE(getSnapshot(111)->inputInfo.inputConfig.test(

            gui::WindowInfo::InputConfig::NO_INPUT_CHANNEL));

    EXPECT_FALSE(getSnapshot(2)->hasInputInfo());

}



// content dirty test