Mitigate the security vulnerability by sanitizing the transaction flags. am: 03d4458ea0 (eecb9da5) · Commits · e / os / android_frameworks_native

libs/gui/LayerState.cpp

+21 −0

Original line number	Original line	Diff line number	Diff line
	@@ -276,6 +276,27 @@ void DisplayState::merge(const DisplayState& other) {
	}		}
	}		}

			void DisplayState::sanitize(bool privileged) {
			if (what & DisplayState::eLayerStackChanged) {
			if (!privileged) {
			what &= ~DisplayState::eLayerStackChanged;
			ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
			}
			}
			if (what & DisplayState::eDisplayProjectionChanged) {
			if (!privileged) {
			what &= ~DisplayState::eDisplayProjectionChanged;
			ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
			}
			}
			if (what & DisplayState::eSurfaceChanged) {
			if (!privileged) {
			what &= ~DisplayState::eSurfaceChanged;
			ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
			}
			}
			}

	void layer_state_t::merge(const layer_state_t& other) {		void layer_state_t::merge(const layer_state_t& other) {
	if (other.what & ePositionChanged) {		if (other.what & ePositionChanged) {
	what \|= ePositionChanged;		what \|= ePositionChanged;

libs/gui/include/gui/LayerState.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -267,6 +267,7 @@ struct DisplayState {

	DisplayState();		DisplayState();
	void merge(const DisplayState& other);		void merge(const DisplayState& other);
			void sanitize(bool privileged);

	uint32_t what;		uint32_t what;
	sp<IBinder> token;		sp<IBinder> token;

services/surfaceflinger/SurfaceFlinger.cpp

+10 −4

Original line number	Original line	Diff line number	Diff line
	@@ -3274,7 +3274,7 @@ bool SurfaceFlinger::flushTransactionQueues() {
	auto& [applyToken, transactionQueue] = *it;		auto& [applyToken, transactionQueue] = *it;

	while (!transactionQueue.empty()) {		while (!transactionQueue.empty()) {
	const auto& transaction = transactionQueue.front();		auto& transaction = transactionQueue.front();
	if (!transactionIsReadyToBeApplied(transaction.desiredPresentTime,		if (!transactionIsReadyToBeApplied(transaction.desiredPresentTime,
	transaction.states)) {		transaction.states)) {
	setTransactionFlags(eTransactionFlushNeeded);		setTransactionFlags(eTransactionFlushNeeded);
	@@ -3373,13 +3373,18 @@ void SurfaceFlinger::setTransactionState(
	return;		return;
	}		}

	applyTransactionState(states, displays, flags, inputWindowCommands, desiredPresentTime,		Vector<DisplayState> displaysList;
			for (auto& d : displays) {
			displaysList.add(d);
			}

			applyTransactionState(states, displaysList, flags, inputWindowCommands, desiredPresentTime,
	uncacheBuffer, postTime, privileged, hasListenerCallbacks,		uncacheBuffer, postTime, privileged, hasListenerCallbacks,
	listenerCallbacks);		listenerCallbacks);
	}		}

	void SurfaceFlinger::applyTransactionState(		void SurfaceFlinger::applyTransactionState(
	const Vector<ComposerState>& states, const Vector<DisplayState>& displays, uint32_t flags,		const Vector<ComposerState>& states, Vector<DisplayState>& displays, uint32_t flags,
	const InputWindowCommands& inputWindowCommands, const int64_t desiredPresentTime,		const InputWindowCommands& inputWindowCommands, const int64_t desiredPresentTime,
	const client_cache_t& uncacheBuffer, const int64_t postTime, bool privileged,		const client_cache_t& uncacheBuffer, const int64_t postTime, bool privileged,
	bool hasListenerCallbacks, const std::vector<ListenerCallbacks>& listenerCallbacks,		bool hasListenerCallbacks, const std::vector<ListenerCallbacks>& listenerCallbacks,
	@@ -3402,7 +3407,8 @@ void SurfaceFlinger::applyTransactionState(
	}		}
	}		}

	for (const DisplayState& display : displays) {		for (DisplayState& display : displays) {
			display.sanitize(privileged);
	transactionFlags \|= setDisplayStateLocked(display);		transactionFlags \|= setDisplayStateLocked(display);
	}		}

services/surfaceflinger/SurfaceFlinger.h

+2 −3

Original line number	Original line	Diff line number	Diff line
	@@ -618,9 +618,8 @@ private:
	/* ------------------------------------------------------------------------		/* ------------------------------------------------------------------------
	* Transactions		* Transactions
	*/		*/
	void applyTransactionState(const Vector<ComposerState>& state,		void applyTransactionState(const Vector<ComposerState>& state, Vector<DisplayState>& displays,
	const Vector<DisplayState>& displays, uint32_t flags,		uint32_t flags, const InputWindowCommands& inputWindowCommands,
	const InputWindowCommands& inputWindowCommands,
	const int64_t desiredPresentTime,		const int64_t desiredPresentTime,
	const client_cache_t& uncacheBuffer, const int64_t postTime,		const client_cache_t& uncacheBuffer, const int64_t postTime,
	bool privileged, bool hasListenerCallbacks,		bool privileged, bool hasListenerCallbacks,