| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Android 8.1.0 Release 73 (6107733)
* tag 'android-8.1.0_r73':
Don't leak input events to dumpsys on user builds
Resize object capacity when shrinking Parcel
Change-Id: I2c7ef27427de1fc92c088df28dd7cc41e39179d0
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove the details of KeyEvent and MotionEvent logs.
Bug: 139945049
Test: Tested on a device, the input functions work as expected and input
event logs are not leaked to dumpsys on user builds.
Change-Id: I98c9c375f18963177bf0c1d8829a217b4ad4acc6
Merged-In: I98c9c375f18963177bf0c1d8829a217b4ad4acc6
(cherry picked from commit c2ddb61f37b2f7a1067534fc3a950c7fe4677818)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: 140419401
Test: atest android.os.cts.ParcelTest
Change-Id: I04edee415e1984ba5fb97c5c1b09892a360cf221
(cherry picked from commit c67d9f33b36cbb95b121d058f51d6653f1ec4334)
(cherry picked from commit d9d10dbdf2f20af3dd01376d2130c71c052e42f3)
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Android 8.1.0 release 72
* tag 'android-8.1.0_r72':
Sensor: use FlattenableUtils::align
Fix race between SensorManager ctor and callback
Free mObjects if no objects left to realloc on resize
[RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.
libbinder: readCString: no ubsan sub-overflow
Zero-initialize HIDL structs before passing
Sanitize InputMessage before sending
libui: add boundary check to GraphicBuffer::unflatten
Increment when attempting to read protected Parcel Data
Don't pad before calling writeInPlace().
Disallow reading object data from Parcels with non-object reads
Add bounds check to sensors direct channel creation
surfaceflinger: make vsync injection more robust
Change-Id: I615ab9998112f67f22d703baef992507990e319b
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since it memsets skipped over memory now.
Bug: 141890807
Test: boot, check buffer is zero'd here
Change-Id: Ieb3cd90215a3ccc1dc43365ecde251a50db08553
(cherry picked from commit d58cf5acb863eddbbeb9982439965e259045940e)
(cherry picked from commit dbd0eecfc7570231d5cbb76678b0358c43ee6d3c)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Avoids potential invalid memory access if system server crashes during
initialization.
Bug: 132927376
Test: confirm sensors initialize
Change-Id: If7421c452b5893ab2567323d265503a1ce304482
Merged-In: If7421c452b5893ab2567323d265503a1ce304482
(cherry picked from commit 231a12189b2b820843ebf5d002876a23e0890c09)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: 134168436
Bug: 133785589
Bug: 34175893
Test: atest CtsOsTestCases:ParcelTest#testObjectDoubleFree
Change-Id: I82e7e8c7b4206fb45b832a71d174df45edb62710
Merged-In: I82e7e8c7b4206fb45b832a71d174df45edb62710
(cherry picked from commit edd3e3d8f441131b02e5a78d18babf9d16ef9e6e)
|
| |
| |
| |
| |
| |
| |
| | |
Bug: 132650049
Test: fuzzer
Change-Id: Id230eae4316a444bc82b416b2049d5a5f589f89a
(cherry picked from commit 00d4358fcd2875b1e26ac50d620f2dec439ef3ee)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: 131859347
Test: fuzzer
Change-Id: I95a0f59684a172925f1eab97ff21e5d14bc79cc8
Merged-In: I95a0f59684a172925f1eab97ff21e5d14bc79cc8
(cherry picked from commit d0d4b584fc294d2c124385644099852918416344)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
(only existing failures/flakes)
Bug: 131267328
Bug: 131356202
Change-Id: I91e6e0c692d470f4d3a713068545cedf5ae925a7
Merged-In: I91e6e0c692d470f4d3a713068545cedf5ae925a7
(cherry picked from commit c4a5f5ec811b149428e0835b7aabc6c4c802e720)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The struct InputMessage has many fields, and is force-aligned to 8-byte
boundaries. There are also some padding fields that carry no
information.
This struct is typically allocated in the stack and populated with
various values before being sent across as a stream of bytes through the
socket.
Therefore, the "unused" data portions of the struct could contain
portions of the stack, since there aren't ever writes to those memory
locations.
To avoid this information leak, forcefully sanitize the struct. Create a
new struct that is explicitly set to zero. Next, only fill the
meaningful fields manually.
Bug: 115739809
Test: cts-tradefed run cts -m CtsSecurityBulletinHostTestCases -t android.security.cts.Poc18_12; adb shell monkey 100000
Change-Id: I7e44dacf1e8fa3156c8e4d2f7784ef0c53dab507
Merged-In: I7e44dacf1e8fa3156c8e4d2f7784ef0c53dab507
(cherry picked from commit e730f5aaa1c726ee9998a080e2d7f6284f4afec8)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit cb496acbe593326e8d5d563847067d02b2df40ec removed the boundary
check by accident.
Bug: 114223584
Test: manual
Change-Id: I057bc02d5807e438530d1a5327c2e02b9d154151
(cherry picked from commit bf8d7210c4bbbdc875e9695a301cdf9c3b544279)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make sure to increment the parcel data position even when trying to
improperly read from protected data
Bug: 29833520
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtection
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtectionIncrements
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtection
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtectionIncrements
Change-Id: Ie4aae6277fc5f5c924f603d9828c3a608998b986
Merged-In: Ie4aae6277fc5f5c924f603d9828c3a608998b986
(cherry picked from commit 6a825e8ad1a3928dd872bb7c3fbcd94784d77267)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
writeInplace() itself already pads securely, by masking off
the padded bytes. If the padding is done before calling
writeInplace(), no mask is applied, and heap data can leak.
Bug: 77237570
Test: builds
Change-Id: Ide27a0002d4ed4196530430760245b971f6a3f44
Merged-In: Ide27a0002d4ed4196530430760245b971f6a3f44
(cherry picked from commit f8542381b72a7bb2452a5278a00ca8c34edbf8a0)
(cherry picked from commit 732132b765cd7b667f16cf32f0fe4c852d7d44dd)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The check added to each non-object reads adds an overhead. If the
objects (binders and file descriptors) were written to the Parcel in
sequential order then check adds a small O(1) overhead to each read,
plus an O(N) overhead to the first read (to verify the N objects were
added in order).
If the objects were written out of order (as in by jumping around the Parcel
with setDataPosition and writing Binder, DON'T DO THIS!!) (writing non
objects out of order is fine), the first read is forced to sort the objects
in the internal bookkeeping. Based on the assumption non sequential writes
are infrequent and overall Parcels are probably mostly sorted, insertion
sort was used. Worst case sorts will add an O(N^2) overhead to the first
non object read from the Parcel.
Test: run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Bug: 29833520
Change-Id: I82de8eb5f5eb56f869542d5358e96884c24301b2
(cherry picked from commit c517681c66a1a387be657e0cf06da8d19659dd14)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Avoids attempting to read a 0-size array during input validation. Adds
SafetyNet logging when this is triggered.
Also, change the cast for the ashmem size check from int to int64_t to
avoid potential conversion to negative number on 32-bit systems.
Bug: 70986337
Test: run POC, confirm via logs that function bails early
Change-Id: I674285738983f18de3466f9e818d83dabe269b7d
(cherry picked from commit 0eb4624b33aeb375ae431a6b1e2b787c959968fe)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There are more issues than I expected :)
- no lock to synchronize enable/disable and injection
- Every time injection is diabled and enabled, a new EventThread is
created
- mCallback might be nullptr
- ENABLE_VSYNC_INJECTIONS/INJECT_VSYNC should require special
permission
- MessageQueue::setEventThread must be called from the main thread
- MessageQueue::setEventThread does not handle EventThread switch
well
Bug: 65483324
Test: manual
Merged-In: I7d7b98d1f57afc64af0f2065a9bc7c8ad004ca9f
Change-Id: I7d7b98d1f57afc64af0f2065a9bc7c8ad004ca9f
(cherry picked from commit 6200eacdc927776483d775562db11cce284cc7e0)
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We are currently using 2GB phone dalvik-heap configs for 4 and 6GB
phones.
Bug: 145823510
Test: mpts/greenday tests
Change-Id: Ia2b826c95643f935878335c2434deadf7f8401c4
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Avoids potential invalid memory access if system server crashes during
initialization.
Bug: 132927376
Test: confirm sensors initialize
Change-Id: If7421c452b5893ab2567323d265503a1ce304482
Merged-In: If7421c452b5893ab2567323d265503a1ce304482
(cherry picked from commit 231a12189b2b820843ebf5d002876a23e0890c09)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: 134168436
Bug: 133785589
Bug: 34175893
Test: atest CtsOsTestCases:ParcelTest#testObjectDoubleFree
Change-Id: I82e7e8c7b4206fb45b832a71d174df45edb62710
Merged-In: I82e7e8c7b4206fb45b832a71d174df45edb62710
(cherry picked from commit edd3e3d8f441131b02e5a78d18babf9d16ef9e6e)
|
| |
| |
| |
| |
| |
| |
| | |
Bug: 132650049
Test: fuzzer
Change-Id: Id230eae4316a444bc82b416b2049d5a5f589f89a
(cherry picked from commit 00d4358fcd2875b1e26ac50d620f2dec439ef3ee)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: 131859347
Test: fuzzer
Change-Id: I95a0f59684a172925f1eab97ff21e5d14bc79cc8
Merged-In: I95a0f59684a172925f1eab97ff21e5d14bc79cc8
(cherry picked from commit d0d4b584fc294d2c124385644099852918416344)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
(only existing failures/flakes)
Bug: 131267328
Bug: 131356202
Change-Id: I91e6e0c692d470f4d3a713068545cedf5ae925a7
Merged-In: I91e6e0c692d470f4d3a713068545cedf5ae925a7
(cherry picked from commit c4a5f5ec811b149428e0835b7aabc6c4c802e720)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The struct InputMessage has many fields, and is force-aligned to 8-byte
boundaries. There are also some padding fields that carry no
information.
This struct is typically allocated in the stack and populated with
various values before being sent across as a stream of bytes through the
socket.
Therefore, the "unused" data portions of the struct could contain
portions of the stack, since there aren't ever writes to those memory
locations.
To avoid this information leak, forcefully sanitize the struct. Create a
new struct that is explicitly set to zero. Next, only fill the
meaningful fields manually.
Bug: 115739809
Test: cts-tradefed run cts -m CtsSecurityBulletinHostTestCases -t android.security.cts.Poc18_12; adb shell monkey 100000
Change-Id: I7e44dacf1e8fa3156c8e4d2f7784ef0c53dab507
Merged-In: I7e44dacf1e8fa3156c8e4d2f7784ef0c53dab507
(cherry picked from commit e730f5aaa1c726ee9998a080e2d7f6284f4afec8)
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Android 8.1.0 release 52
* tag 'android-8.1.0_r52':
libui: add boundary check to GraphicBuffer::unflatten
Don't pad before calling writeInPlace().
Increment when attempting to read protected Parcel Data
Disallow reading object data from Parcels with non-object reads
Change-Id: I59cee11ce14f823170fbb5e29877b9472231a981
|
| |\ \
| | | |
| | | |
| | | |
| | | |
| | | | |
5313438, 5313284, 5313341, 5313379, 5313380, 5313319, 5313320, 5313321, 5313285, 5313286, 5313287, 5313497, 5313439] into oc-m7-release
Change-Id: I6fb2bf1fb11d79b60303b6c9525543c041e3a8d0
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Commit cb496acbe593326e8d5d563847067d02b2df40ec removed the boundary
check by accident.
Bug: 114223584
Test: manual
Change-Id: I057bc02d5807e438530d1a5327c2e02b9d154151
(cherry picked from commit bf8d7210c4bbbdc875e9695a301cdf9c3b544279)
|
| |\ \
| | | |
| | | |
| | | |
| | | |
| | | | |
4743082, 4743083, 4741262, 4741263, 4741264, 4741265, 4741266, 4741667, 4743084, 4741242, 4741243, 4741741, 4741742, 4741743, 4741744, 4741822, 4743085, 4741668, 4741338, 4743055, 4743056, 4743070, 4743073, 4743075, 4743076, 4743078, 4743079, 4743161, 4743162, 4743164, 4743165, 4743167, 4743168, 4743169, 4743170, 4741681, 4741682, 4741683, 4741684, 4741685, 4741686, 4741687, 4741688, 4741689, 4741690, 4741691, 4741692, 4741693, 4741694, 4741695, 4741696, 4741697, 4741698, 4741699, 4743240, 4743241, 4743242, 4743243, 4741745, 4741823, 4741824, 4741825, 4741267, 4741268, 4743244, 4743280, 4743281, 4743224, 4743203, 4743204, 4743205, 4741746, 4741747, 4743245, 4741826, 4741827, 4741828, 4741829, 4741748, 4741749, 4741750, 4743233, 4743282, 4741244, 4741245, 4741246, 4741247, 4743206, 4743207, 4743208, 4743209, 4743210, 4743211, 4743212, 4743213, 4743214, 4743215, 4743216, 4743217, 4743218, 4743219, 4743360, 4743361, 4743362, 4743363, 4743364, 4743365, 4743366, 4743367, 4743368, 4743369, 4743370, 4743371, 4743372, 4743373, 4743374, 4743375, 4743376, 4743377, 4743283, 4743284, 4741830, 4742501, 4743246, 4743086, 4743087, 4743378, 4743379, 4741751] into sparse-4749909-L04200000199131547
Change-Id: Iead43bb0deac18379a0a05dff4cadc3a86e59d1b
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
writeInplace() itself already pads securely, by masking off
the padded bytes. If the padding is done before calling
writeInplace(), no mask is applied, and heap data can leak.
Bug: 77237570
Test: builds
Change-Id: Ide27a0002d4ed4196530430760245b971f6a3f44
Merged-In: Ide27a0002d4ed4196530430760245b971f6a3f44
(cherry picked from commit f8542381b72a7bb2452a5278a00ca8c34edbf8a0)
(cherry picked from commit 732132b765cd7b667f16cf32f0fe4c852d7d44dd)
Change-Id: I59a088c75353786ca105a3735886af372592c759
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Make sure to increment the parcel data position even when trying to
improperly read from protected data
Bug: 29833520
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtection
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtectionIncrements
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtection
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtectionIncrements
Change-Id: Ie4aae6277fc5f5c924f603d9828c3a608998b986
Merged-In: Ie4aae6277fc5f5c924f603d9828c3a608998b986
(cherry picked from commit 6a825e8ad1a3928dd872bb7c3fbcd94784d77267)
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The check added to each non-object reads adds an overhead. If the
objects (binders and file descriptors) were written to the Parcel in
sequential order then check adds a small O(1) overhead to each read,
plus an O(N) overhead to the first read (to verify the N objects were
added in order).
If the objects were written out of order (as in by jumping around the Parcel
with setDataPosition and writing Binder, DON'T DO THIS!!) (writing non
objects out of order is fine), the first read is forced to sort the objects
in the internal bookkeeping. Based on the assumption non sequential writes
are infrequent and overall Parcels are probably mostly sorted, insertion
sort was used. Worst case sorts will add an O(N^2) overhead to the first
non object read from the Parcel.
Test: run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Bug: 29833520
Change-Id: I82de8eb5f5eb56f869542d5358e96884c24301b2
(cherry picked from commit c517681c66a1a387be657e0cf06da8d19659dd14)
|
| | |
| | |
| | |
| | |
| | |
| | | |
Bug: 66954030
Test: manual on taimen with artificially low thermal thresholds
Change-Id: I2a9275806b4cb710d115ba4cc4e4f161eefd1839
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Android 8.1.0 release 43
* tag 'android-8.1.0_r43':
Don't pad before calling writeInPlace().
Increment when attempting to read protected Parcel Data
Disallow reading object data from Parcels with non-object reads
Add bounds check to sensors direct channel creation
Change-Id: Ia60c5bc87bd7b38778d1ac12914b289c3adfad34
|
| |\ \ \
| | |/ /
| |/| |
| | | |
| | | |
| | | | |
4584368, 4584369, 4584370, 4587544, 4584705, 4586296, 4587545, 4587546, 4586297, 4586298, 4586299, 4586300, 4584371, 4586301, 4584706, 4586302, 4586303, 4587584, 4587585, 4587586, 4587587, 4587588, 4587589, 4587590, 4587591, 4587644, 4587645, 4587646, 4587647, 4587648, 4587649, 4587650, 4587651, 4587652, 4587653, 4587654, 4587655, 4587656, 4587657, 4587658, 4587659, 4587660, 4587661, 4587662, 4584536, 4587547, 4587548, 4587549, 4584707, 4584708, 4587550, 4587551, 4587593, 4586516, 4584372, 4584373, 4584374, 4587595, 4584375, 4584376, 4587552, 4587596, 4587597, 4587598, 4587599, 4584414, 4584415, 4584416, 4584417, 4584418, 4584419, 4584420, 4584421, 4584422, 4584423, 4587804, 4587805, 4587806, 4587807, 4587808, 4587809, 4587810, 4587811, 4587812, 4587813, 4587814, 4587815, 4587816, 4587817, 4587818, 4587884, 4587885, 4587600, 4587601, 4587819, 4584709] into sparse-4749909-L91900000192339903
Change-Id: I3a42d470f5586c016c07e0a8af44e8afc5ebedb0
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
writeInplace() itself already pads securely, by masking off
the padded bytes. If the padding is done before calling
writeInplace(), no mask is applied, and heap data can leak.
Bug: 77237570
Test: builds
Change-Id: Ide27a0002d4ed4196530430760245b971f6a3f44
Merged-In: Ide27a0002d4ed4196530430760245b971f6a3f44
(cherry picked from commit f8542381b72a7bb2452a5278a00ca8c34edbf8a0)
(cherry picked from commit 732132b765cd7b667f16cf32f0fe4c852d7d44dd)
Change-Id: Id4d309eadcb877ba393caa5410fde2ffc476f5df
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Make sure to increment the parcel data position even when trying to
improperly read from protected data
Bug: 29833520
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtection
Test (M): cts-tradefed run cts -c android.os.cts.ParcelTest -m testBinderDataProtectionIncrements
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtection
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest#testBinderDataProtectionIncrements
Change-Id: Ie4aae6277fc5f5c924f603d9828c3a608998b986
Merged-In: Ie4aae6277fc5f5c924f603d9828c3a608998b986
(cherry picked from commit 6a825e8ad1a3928dd872bb7c3fbcd94784d77267)
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The check added to each non-object reads adds an overhead. If the
objects (binders and file descriptors) were written to the Parcel in
sequential order then check adds a small O(1) overhead to each read,
plus an O(N) overhead to the first read (to verify the N objects were
added in order).
If the objects were written out of order (as in by jumping around the Parcel
with setDataPosition and writing Binder, DON'T DO THIS!!) (writing non
objects out of order is fine), the first read is forced to sort the objects
in the internal bookkeeping. Based on the assumption non sequential writes
are infrequent and overall Parcels are probably mostly sorted, insertion
sort was used. Worst case sorts will add an O(N^2) overhead to the first
non object read from the Parcel.
Test: run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Bug: 29833520
Change-Id: I82de8eb5f5eb56f869542d5358e96884c24301b2
(cherry picked from commit c517681c66a1a387be657e0cf06da8d19659dd14)
|
| |\ \
| | | |
| | | |
| | | |
| | | |
| | | | |
3898959, 3898960, 3897790, 3898312, 3898313, 3898314, 3899155, 3899156, 3899157, 3898289, 3898290, 3899061, 3898291, 3898292, 3896951, 3899158, 3898961, 3898938, 3898246] into sparse-4657601-L30800000163316240
Change-Id: Ic0d6e84bbc01ff709ad9fc8eb646e4c53453ebe2
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Avoids attempting to read a 0-size array during input validation. Adds
SafetyNet logging when this is triggered.
Also, change the cast for the ashmem size check from int to int64_t to
avoid potential conversion to negative number on 32-bit systems.
Bug: 70986337
Test: run POC, confirm via logs that function bails early
Change-Id: I674285738983f18de3466f9e818d83dabe269b7d
(cherry picked from commit 0eb4624b33aeb375ae431a6b1e2b787c959968fe)
|
| | |
| | |
| | |
| | |
| | | |
Change-Id: Ib3a2c88e68db96c80db636addbf038ec9f6b7c35
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
|
| | |
| | |
| | |
| | |
| | | |
Change-Id: If75420059c6d4f10cce0d180d67e67d23910af44
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When device uses landscape LCM, the nature of the screen shows that
the device is a portrait device. In this case, we find GPU filter
function is opened by mistake when capturing screen and CTS case
fails because image pixel value is changed.
The solution is to correct the GPU filter by hworientation.
Bug: 69691076
Test:
1. Capture screen
2. android.uirendering.cts.testclasses.SurfaceViewTests#testMovingWhiteSurfaceView
Change-Id: I67b75fc8fab188d24f1d5febff20d9bd10c15204
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When device uses landscape LCM, the nature of the screen shows that
the device is a portrait device. After we flash with GSI, there is
vendor solution for landscape LCM used at portrait device. As the
result, the screen displays landscape layout and orientation while
device is at portrait orientation. In addition, the sensor coordinate
system mismatches with android coordinate system.
We suggest Google can add config to handle the case "portrait device
uses landscape LCM or landscape device uses portrait LCM".
Bug: 69691076
Test: We verified following test cases for this patch.
1. Make sure homescreen is normal
2. Rotate device and make sure screen is normal
3. Grab screen shot and check if screen shot is normal
4. Connect to Wi-Fi display and make sure WFD screen is normal
Change-Id: I6675e2a39b03c99ae9fab145fde3cd4eda639564
(cherry picked from 8686db3b5f5b6107a65abba2ab1e1bc4b7e1fe8d)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* This reverts commit a9fa1c9c19d6ac00aa0073ef23b7a1d95f8e0a90.
Our current implementation is being replaced in the next patch
by the upstream one, which is currently on the oreo-mr1-dev AOSP
branch and will be included in a future release tag.
Change-Id: Icb9eb3e733f6a40acf6233adb11216914f5a3db5
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* This reverts commit 8c36832b66e9ae793cf79820d83628d136bfd117, because
"fixing" screenshots in DisplayDevice.cpp actually works by rotating the
DisplaySurface in the opposite direction by the same ro.sf.hwrotation
angle. This introduces 2 regressions:
- ro.sf.hwrotation now needs to be set to 270 whereas the same
hardware needed 90 prior to this patch.
- Activity preview thumbnails (in the recents menu) are no longer
displayed correctly. The activities which were started in portrait
mode now have 90-degree-rotated thumbnails, and the activities
which were started in landscape mode now have
vertically-stretched-to-half thumbnails.
Change-Id: I779e3979df8cdcc3dd9775221d337c02f918bc00
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When large magnetic fields values get filtered out by the Sensor
Fusion algorithm the fused sensors (rotation vector, gravity, linear
acceleration etc) do not produce any output. As a result the CTS tests
fail if the compass is uncalibrated on some devices.
This change allows the magnetic field filter to be tweaked on a
per-device basis to allow the fused sensors to operate even when the
compass in uncalibrated.
Change-Id: I608b307e8b7712e806315a6181c19130ec17c847
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* In Android 8.1 and later, only the ro.zygote.disable_gl_preload
property still applies. All other properties have been removed.
Reference: https://source.android.com/devices/graphics/renderer
Change-Id: Id791029a85bd2ae3ed1c8f38257ea123ac25e61c
Signed-off-by: Abhay Ruparel <abhayruparel2000@gmail.com>
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Android 8.1.0 Release 36 (OPM2.171026.006.H1)
* tag 'android-8.1.0_r36':
Don't pad before calling writeInPlace().
Increment when attempting to read protected Parcel Data
Disallow reading object data from Parcels with non-object reads
Fix resampling for multiple pointers
Add bounds check to sensors direct channel creation
Change-Id: I2abbe999c42a29c1a312fc8b81adee74593ccee8
|
| |\ \ \
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
4314464, 4314465, 4314466, 4314643, 4314644, 4314185, 4314467, 4314468, 4315341, 4315342, 4315343, 4315344, 4315345, 4314469, 4314283, 4314186, 4314187, 4314188, 4314189, 4314190, 4314191, 4314192, 4315082, 4315083, 4315084, 4315085, 4315086, 4315087, 4315088, 4315089, 4315090, 4315091, 4315092, 4314170, 4314284, 4314285, 4314286, 4314287, 4314171, 4314172, 4315346, 4314288, 4315381, 4315401, 4315402, 4314289, 4314290, 4314291, 4314292, 4314293, 4314294, 4314295, 4314296, 4314297, 4314298, 4314299, 4314300, 4315421, 4315422, 4314034, 4314229, 4315347, 4315423, 4315424, 4315314, 4315348, 4315349, 4314470, 4315425, 4315426, 4315427, 4315428, 4315429] into sparse-4732990-L02900000181396755
Change-Id: I873d5471d689a25b5171fed6cedcd86fe676600a
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
writeInplace() itself already pads securely, by masking off
the padded bytes. If the padding is done before calling
writeInplace(), no mask is applied, and heap data can leak.
Bug: 77237570
Test: builds
Change-Id: Ide27a0002d4ed4196530430760245b971f6a3f44
Merged-In: Ide27a0002d4ed4196530430760245b971f6a3f44
(cherry picked from commit f8542381b72a7bb2452a5278a00ca8c34edbf8a0)
(cherry picked from commit 732132b765cd7b667f16cf32f0fe4c852d7d44dd)
Change-Id: I4cf6539e3f39f2e2fa1f30e01bddeb7d3ac8992b
|