
Commit c710617a authored by Sally Qi's avatar Sally Qi Committed by Android Build Coastguard Worker

Mitigate the security vulnerability by sanitizing the transaction flags.

- This is part of fix of commit
  Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df for backporting.

Bug: 248031255
Test: test using displaytoken app manually on the phone, test shell
screenrecord during using displaytoken; atest
android.hardware.camera2.cts.FastBasicsTest

Change-Id: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
(cherry picked from commit 5d1b2352)
Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df
parent d1735f8e
+21 −0
@@ -353,6 +353,27 @@ void DisplayState::merge(const DisplayState& other) {
    }
}

void DisplayState::sanitize(int32_t permissions) {
    if (what & DisplayState::eLayerStackChanged) {
        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
            what &= ~DisplayState::eLayerStackChanged;
            ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
        }
    }
    if (what & DisplayState::eDisplayProjectionChanged) {
        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
            what &= ~DisplayState::eDisplayProjectionChanged;
            ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
        }
    }
    if (what & DisplayState::eSurfaceChanged) {
        if (!(permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER)) {
            what &= ~DisplayState::eSurfaceChanged;
            ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
        }
    }
}

void layer_state_t::sanitize(int32_t permissions) {
    // TODO: b/109894387
    //
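Review bot: DisplayState::sanitize works as a deny-list: only eLayerStackChanged, eDisplayProjectionChanged and eSurfaceChanged are cleared when ACCESS_SURFACE_FLINGER is missing, so every other bit in `what`, including any bit added to DisplayState later, passes through unchecked. Whether the remaining bits are meant to be open to unprivileged callers is not visible on this page; if they are, record it above the function, e.g. `// Only these three bits require ACCESS_SURFACE_FLINGER; revisit this list whenever a new DisplayState bit is added.` The three blocks also repeat the same permission test, which could be hoisted into one guard, `if (permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER) return;`. Each ALOGE is driven by caller-supplied input at error level, up to three lines per display state, so a single summary line or a rate limit would keep a misbehaving client from filling the log.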
+1 −0
@@ -320,6 +320,7 @@ struct DisplayState {

    DisplayState();
    void merge(const DisplayState& other);
    void sanitize(int32_t permissions);

    uint32_t what = 0;
    uint32_t flags = 0;
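Review bot: The new `void sanitize(int32_t permissions);` declaration has no comment, and the plain `int32_t` does not show that the argument is a bitmask tested against layer_state_t::Permission values. A line such as `// Clears the bits of |what| that |permissions| (a layer_state_t::Permission bitmask) does not allow; call before the state is applied.` would record the contract for the next caller. The struct continues outside the hunk.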
+3 −2
@@ -4196,7 +4196,7 @@ status_t SurfaceFlinger::setTransactionState(

bool SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelineInfo,
                                           Vector<ComposerState>& states,
                                           const Vector<DisplayState>& displays, uint32_t flags,
                                           Vector<DisplayState>& displays, uint32_t flags,
                                           const InputWindowCommands& inputWindowCommands,
                                           const int64_t desiredPresentTime, bool isAutoTimestamp,
                                           const client_cache_t& uncacheBuffer,
@@ -4205,7 +4205,8 @@ bool SurfaceFlinger::applyTransactionState(const FrameTimelineInfo& frameTimelin
                                           const std::vector<ListenerCallbacks>& listenerCallbacks,
                                           int originPid, int originUid, uint64_t transactionId) {
    uint32_t transactionFlags = 0;
    for (const DisplayState& display : displays) {
    for (DisplayState& display : displays) {
        display.sanitize(permissions);
        transactionFlags |= setDisplayStateLocked(display);
    }
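Review bot: The strip is logged from inside DisplayState::sanitize, which has no caller identity, although `originPid` and `originUid` are parameters of this function, so the log shows that a privileged bit was dropped but not which client sent it. Comparing `display.what` around the call would let the message name the sender: `const uint32_t requested = display.what;` before `display.sanitize(permissions);` and `if (requested != display.what) ALOGW("pid %d uid %d: stripped display flags 0x%x", originPid, originUid, requested ^ display.what);` after it. `permissions` is used in the loop but its declaration falls between the two hunks, so I am assuming it is the mask computed for the calling client and not for SurfaceFlinger itself; that is worth confirming at the call site. The function body continues outside the hunk.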

+1 −1
@@ -763,7 +763,7 @@ private:
     * Transactions
     */
    bool applyTransactionState(const FrameTimelineInfo& info, Vector<ComposerState>& state,
                               const Vector<DisplayState>& displays, uint32_t flags,
                               Vector<DisplayState>& displays, uint32_t flags,
                               const InputWindowCommands& inputWindowCommands,
                               const int64_t desiredPresentTime, bool isAutoTimestamp,
                               const client_cache_t& uncacheBuffer, const int64_t postTime,
+1 −1

File changed.

Contains only whitespace changes.