diff options
author | Dan Pasanen <dan.pasanen@gmail.com> | 2017-05-01 18:26:25 -0500 |
---|---|---|
committer | Dan Pasanen <dan.pasanen@gmail.com> | 2017-05-01 18:26:25 -0500 |
commit | abe50aacbd7826006e1b2a8486a05c720e66ddb4 (patch) | |
tree | 61f26b0b2df92ddc23d9d9fb7176a4bb49ff2dea | |
parent | c3b68eef55866a19fcc87b5b7dace86cd6fb6c9a (diff) | |
parent | ceda4a98bcb08f311ba5744ee95e8754b3b5f219 (diff) | |
download | android_frameworks_base-staging/cm-14.1_android-7.1.2_r8.tar.gz android_frameworks_base-staging/cm-14.1_android-7.1.2_r8.tar.bz2 android_frameworks_base-staging/cm-14.1_android-7.1.2_r8.zip |
Merge tag 'android-7.1.2_r8' into cm-14.1staging/cm-14.1_android-7.1.2_r8
Android 7.1.2 release 8
# gpg: Signature made Mon 01 May 2017 10:38:47 AM CDT
# gpg: using DSA key E8AD3F819AB10E78
# gpg: Can't check signature: No public key
-rw-r--r-- | core/jni/android_database_CursorWindow.cpp | 8 | ||||
-rw-r--r-- | core/res/AndroidManifest.xml | 2 | ||||
-rw-r--r-- | include/androidfw/CursorWindow.h | 17 | ||||
-rw-r--r-- | libs/androidfw/CursorWindow.cpp | 5 | ||||
-rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 14 |
5 files changed, 43 insertions, 3 deletions
diff --git a/core/jni/android_database_CursorWindow.cpp b/core/jni/android_database_CursorWindow.cpp index e96613b7d45..0d65a180603 100644 --- a/core/jni/android_database_CursorWindow.cpp +++ b/core/jni/android_database_CursorWindow.cpp @@ -205,6 +205,10 @@ static jbyteArray nativeGetBlob(JNIEnv* env, jclass clazz, jlong windowPtr, if (type == CursorWindow::FIELD_TYPE_BLOB || type == CursorWindow::FIELD_TYPE_STRING) { size_t size; const void* value = window->getFieldSlotValueBlob(fieldSlot, &size); + if (!value) { + throw_sqlite3_exception(env, "Native could not read blob slot"); + return NULL; + } jbyteArray byteArray = env->NewByteArray(size); if (!byteArray) { env->ExceptionClear(); @@ -240,6 +244,10 @@ static jstring nativeGetString(JNIEnv* env, jclass clazz, jlong windowPtr, if (type == CursorWindow::FIELD_TYPE_STRING) { size_t sizeIncludingNull; const char* value = window->getFieldSlotValueString(fieldSlot, &sizeIncludingNull); + if (!value) { + throw_sqlite3_exception(env, "Native could not read string slot"); + return NULL; + } if (sizeIncludingNull <= 1) { return gEmptyString; } diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml index e15a0b8c895..a52480f3a3f 100644 --- a/core/res/AndroidManifest.xml +++ b/core/res/AndroidManifest.xml @@ -202,6 +202,8 @@ <protected-broadcast android:name="android.btopp.intent.action.OPEN_INBOUND" /> <protected-broadcast android:name="android.btopp.intent.action.TRANSFER_COMPLETE" /> <protected-broadcast android:name="com.android.bluetooth.gatt.REFRESH_BATCHED_SCAN" /> + <protected-broadcast android:name="android.btopp.intent.action.ACCEPT" /> + <protected-broadcast android:name="android.btopp.intent.action.DECLINE" /> <protected-broadcast android:name="com.android.bluetooth.pbap.authchall" /> <protected-broadcast android:name="com.android.bluetooth.pbap.userconfirmtimeout" /> <protected-broadcast android:name="com.android.bluetooth.pbap.authresponse" /> diff --git a/include/androidfw/CursorWindow.h b/include/androidfw/CursorWindow.h index 8a2979a3756..2eb349f5716 100644 --- a/include/androidfw/CursorWindow.h +++ b/include/androidfw/CursorWindow.h @@ -18,6 +18,7 @@ #define _ANDROID__DATABASE_WINDOW_H #include <cutils/log.h> +#include <inttypes.h> #include <stddef.h> #include <stdint.h> @@ -128,12 +129,13 @@ public: inline const char* getFieldSlotValueString(FieldSlot* fieldSlot, size_t* outSizeIncludingNull) { *outSizeIncludingNull = fieldSlot->data.buffer.size; - return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset)); + return static_cast<char*>(offsetToPtr( + fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size)); } inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) { *outSize = fieldSlot->data.buffer.size; - return offsetToPtr(fieldSlot->data.buffer.offset); + return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size); } private: @@ -166,7 +168,16 @@ private: bool mReadOnly; Header* mHeader; - inline void* offsetToPtr(uint32_t offset) { + inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) { + if (offset >= mSize) { + ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize); + return NULL; + } + if (offset + bufferSize > mSize) { + ALOGE("End offset %" PRIu32 " out of bounds, max value %zu", + offset + bufferSize, mSize); + return NULL; + } return static_cast<uint8_t*>(mData) + offset; } diff --git a/libs/androidfw/CursorWindow.cpp b/libs/androidfw/CursorWindow.cpp index 166863c0d91..5694115f61a 100644 --- a/libs/androidfw/CursorWindow.cpp +++ b/libs/androidfw/CursorWindow.cpp @@ -98,9 +98,14 @@ status_t CursorWindow::createFromParcel(Parcel* parcel, CursorWindow** outCursor if (dupAshmemFd < 0) { result = -errno; } else { + // the size of the ashmem descriptor can be modified between ashmem_get_size_region + // call and mmap, so we'll check again immediately after memory is mapped void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0); if (data == MAP_FAILED) { result = -errno; + } else if (ashmem_get_size_region(dupAshmemFd) != size) { + ::munmap(data, size); + result = BAD_VALUE; } else { CursorWindow* window = new CursorWindow(name, dupAshmemFd, data, size, true /*readOnly*/); diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index 9e899afe3a3..1505cc0a63b 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -15389,6 +15389,20 @@ public class PackageManagerService extends IPackageManager.Stub { + perm.info.name + "; ignoring new declaration"); pkg.permissions.remove(i); } + } else if (!PLATFORM_PACKAGE_NAME.equals(pkg.packageName)) { + // Prevent apps to change protection level to dangerous from any other + // type as this would allow a privilege escalation where an app adds a + // normal/signature permission in other app's group and later redefines + // it as dangerous leading to the group auto-grant. + if ((perm.info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE) + == PermissionInfo.PROTECTION_DANGEROUS) { + if (bp != null && !bp.isRuntime()) { + Slog.w(TAG, "Package " + pkg.packageName + " trying to change a " + + "non-runtime permission " + perm.info.name + + " to runtime; keeping old protection level"); + perm.info.protectionLevel = bp.protectionLevel; + } + } } } } |