
Commit eecb9da5 authored by Sally Qi's avatar Sally Qi Committed by Automerger Merge Worker

Mitigate the security vulnerability by sanitizing the transaction flags. am: 03d4458e

parents 193b8969 03d4458e
+21 −0
@@ -276,6 +276,27 @@ void DisplayState::merge(const DisplayState& other) {
    }
}

void DisplayState::sanitize(bool privileged) {
    if (what & DisplayState::eLayerStackChanged) {
        if (!privileged) {
            what &= ~DisplayState::eLayerStackChanged;
            ALOGE("Stripped attempt to set eLayerStackChanged in sanitize");
        }
    }
    if (what & DisplayState::eDisplayProjectionChanged) {
        if (!privileged) {
            what &= ~DisplayState::eDisplayProjectionChanged;
            ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize");
        }
    }
    if (what & DisplayState::eSurfaceChanged) {
        if (!privileged) {
            what &= ~DisplayState::eSurfaceChanged;
            ALOGE("Stripped attempt to set eSurfaceChanged in sanitize");
        }
    }
}

void layer_state_t::merge(const layer_state_t& other) {
    if (other.what & ePositionChanged) {
        what |= ePositionChanged;
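Review bot: The three blocks in `DisplayState::sanitize` repeat one strip-and-log pattern per flag, and each emits its own `ALOGE` without saying which bits were removed from which request. Because this path handles input from unprivileged callers, it can be hit repeatedly and writes up to three error lines per display state; a single mask with one log line that prints the stripped bits would be quieter and easier to audit. The list is also a deny-list: any bit of `what` not named here passes through unchanged, so a comment stating which bits unprivileged callers are meant to keep would make the intent reviewable (the full set of DisplayState flags is not visible in this hunk).

```cpp
void DisplayState::sanitize(bool privileged) {
    // Bits that only privileged callers may set; every other bit of `what` is passed through.
    constexpr uint32_t kPrivilegedOnly = DisplayState::eLayerStackChanged |
            DisplayState::eDisplayProjectionChanged | DisplayState::eSurfaceChanged;
    const uint32_t stripped = what & kPrivilegedOnly;
    if (!privileged && stripped != 0) {
        what &= ~kPrivilegedOnly;
        ALOGE("sanitize: stripped privileged DisplayState flags %#x", stripped);
    }
}
```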
+1 −0
@@ -267,6 +267,7 @@ struct DisplayState {

    DisplayState();
    void merge(const DisplayState& other);
    void sanitize(bool privileged);

    uint32_t what;
    sp<IBinder> token;
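Review bot: The new `void sanitize(bool privileged);` declaration has no comment, and the name alone does not say that it mutates `what` in place or what `privileged` decides. A one-line contract above it would help callers, for example `// Clears the bits of 'what' that only privileged callers may set; call before applying state received from a client.` The struct definition continues outside this hunk, so other members that might need the same treatment are not visible here.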
+10 −4
@@ -3274,7 +3274,7 @@ bool SurfaceFlinger::flushTransactionQueues() {
            auto& [applyToken, transactionQueue] = *it;

            while (!transactionQueue.empty()) {
                const auto& transaction = transactionQueue.front();
                auto& transaction = transactionQueue.front();
                if (!transactionIsReadyToBeApplied(transaction.desiredPresentTime,
                                                   transaction.states)) {
                    setTransactionFlags(eTransactionFlushNeeded);
@@ -3373,13 +3373,18 @@ void SurfaceFlinger::setTransactionState(
        return;
    }

    applyTransactionState(states, displays, flags, inputWindowCommands, desiredPresentTime,
    Vector<DisplayState> displaysList;
    for (auto& d : displays) {
        displaysList.add(d);
    }

    applyTransactionState(states, displaysList, flags, inputWindowCommands, desiredPresentTime,
                          uncacheBuffer, postTime, privileged, hasListenerCallbacks,
                          listenerCallbacks);
}

void SurfaceFlinger::applyTransactionState(
        const Vector<ComposerState>& states, const Vector<DisplayState>& displays, uint32_t flags,
        const Vector<ComposerState>& states, Vector<DisplayState>& displays, uint32_t flags,
        const InputWindowCommands& inputWindowCommands, const int64_t desiredPresentTime,
        const client_cache_t& uncacheBuffer, const int64_t postTime, bool privileged,
        bool hasListenerCallbacks, const std::vector<ListenerCallbacks>& listenerCallbacks,
@@ -3402,7 +3407,8 @@ void SurfaceFlinger::applyTransactionState(
        }
    }

    for (const DisplayState& display : displays) {
    for (DisplayState& display : displays) {
        display.sanitize(privileged);
        transactionFlags |= setDisplayStateLocked(display);
    }

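Review bot: Making `applyTransactionState` take `Vector<DisplayState>&` forces two side changes that the sanitizing itself does not need: the element-by-element copy into `displaysList` in `setTransactionState`, and dropping `const` from the queued `transaction` in `flushTransactionQueues`. Sanitizing a local copy inside the loop would keep the parameter const and leave the queue entries immutable: `DisplayState sanitized = display;` `sanitized.sanitize(privileged);` `transactionFlags |= setDisplayStateLocked(sanitized);`. This assumes `setDisplayStateLocked` takes its argument by value or const reference, which is not shown on this page. If the copy in `setTransactionState` stays, `for (const auto& d : displays)` states the intent better than `auto&`. The bodies of all three functions continue outside the hunks.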
+2 −3
@@ -618,9 +618,8 @@ private:
    /* ------------------------------------------------------------------------
     * Transactions
     */
    void applyTransactionState(const Vector<ComposerState>& state,
                               const Vector<DisplayState>& displays, uint32_t flags,
                               const InputWindowCommands& inputWindowCommands,
    void applyTransactionState(const Vector<ComposerState>& state, Vector<DisplayState>& displays,
                               uint32_t flags, const InputWindowCommands& inputWindowCommands,
                               const int64_t desiredPresentTime,
                               const client_cache_t& uncacheBuffer, const int64_t postTime,
                               bool privileged, bool hasListenerCallbacks,