From 9f533c9b7ca92a2f5a1442a9491f7486fc82391e Mon Sep 17 00:00:00 2001
From: Paul Scovanner
Date: Mon, 10 Feb 2020 13:49:38 -0800
Subject: [PATCH 1/9] Update Wahoo SVN to 41
Bug:149240442
---
 device.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device.mk b/device.mk
index dca0a558..a244e6ec 100755
--- a/device.mk
+++ b/device.mk
@@ -47,7 +47,7 @@ PRODUCT_COPY_FILES += \
 # Set the SVN for the targeted MR release
 PRODUCT_PROPERTY_OVERRIDES += \
- ro.vendor.build.svn=40
+ ro.vendor.build.svn=41
 # Enforce privapp-permissions whitelist
 PRODUCT_PROPERTY_OVERRIDES += \
From f20a9df793bcf9ad8800a4b44d71e663ef07aa11 Mon Sep 17 00:00:00 2001
From: Paul Scovanner
Date: Tue, 17 Mar 2020 20:32:17 +0000
Subject: [PATCH 2/9] Update wahoo SVN to 42
Bug: 151752725
Change-Id: I9588b9237f3a8b6d26c5fa5202040b1e32df2ba0
---
 device.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device.mk b/device.mk
index a244e6ec..5bb34bd9 100755
--- a/device.mk
+++ b/device.mk
@@ -47,7 +47,7 @@ PRODUCT_COPY_FILES += \
 # Set the SVN for the targeted MR release
 PRODUCT_PROPERTY_OVERRIDES += \
- ro.vendor.build.svn=41
+ ro.vendor.build.svn=42
 # Enforce privapp-permissions whitelist
 PRODUCT_PROPERTY_OVERRIDES += \
From ad7825fc2a4a994886865cdf65032adb48c502eb Mon Sep 17 00:00:00 2001
From: Paul Scovanner
Date: Sat, 28 Mar 2020 00:45:00 +0000
Subject: [PATCH 3/9] Update wahoo SVN to 43
Bug: 151752725
Change-Id: Iff06deadea687ad2fc7fe5faccce7494f91c2272
---
 device.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device.mk b/device.mk
index 5bb34bd9..3a583643 100755
--- a/device.mk
+++ b/device.mk
@@ -47,7 +47,7 @@ PRODUCT_COPY_FILES += \
 # Set the SVN for the targeted MR release
 PRODUCT_PROPERTY_OVERRIDES += \
- ro.vendor.build.svn=42
+ ro.vendor.build.svn=43
 # Enforce privapp-permissions whitelist
 PRODUCT_PROPERTY_OVERRIDES += \
From 34ae8052e33a994bd010cc62e7403e410c3d7b73 Mon Sep 17 00:00:00 2001
From: Andrew Lehmer
Date: Mon, 30 Mar 2020 14:12:15 -0700
Subject: [PATCH 4/9] folio_daemon: Avoid UAF with stale sensor handle
It is possible for sensor handles retrieved using ASensorManager_getDefaultSensor() to become stale if the underlying binder connection to the sensor service gets reset. This can be triggered by ASensorManager_createEventQueue(), so any sensor handle retrieved prior to this call may become stale, resulting in a use-after- free when the handle is eventually registered with the queue. To avoid this, the event queue is created before retrieving or registering the sensor.
Bug: 150225255
Test: No longer crashes with proof-of-concept on Pixel 2 XL.
Change-Id: I243f6c68c734af3eb5488855d965a894b5fb99e5
---
 folio_daemon/main.cpp | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/folio_daemon/main.cpp b/folio_daemon/main.cpp
index 1cda1ce5..6bc70279 100644
--- a/folio_daemon/main.cpp
+++ b/folio_daemon/main.cpp
@@ -45,6 +45,7 @@ int main(void) {
 ASensorRef hallSensor;
 ALooper *looper;
 ASensorEventQueue *eventQueue = nullptr;
+ int32_t hallMinDelay = 0;
 time_t lastWarn = 0;
 int attemptCount = 0;
@@ -87,6 +88,14 @@ int main(void) {
 // Get Hall-effect sensor events from the NDK
 sensorManager = ASensorManager_getInstanceForPackage(nullptr);
+ looper = ALooper_forThread();
+ if (looper == nullptr) {
+ looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
+ }
+
+ eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
+ NULL);
+
 /*
 * As long as we are unable to get the sensor handle, periodically retry
 * and emit an error message at a low frequency to prevent high CPU usage
@@ -98,6 +107,7 @@ int main(void) {
 hallSensor = ASensorManager_getDefaultSensor(sensorManager, SENSOR_TYPE);
 if (hallSensor != nullptr) {
+ hallMinDelay = ASensor_getMinDelay(hallSensor);
 break;
 }
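Review bot: The queue returned by `ASensorManager_createEventQueue` in the `@@ -87,6 +88,14` hunk is never checked for nullptr before it is handed to `ASensorEventQueue_registerSensor` in the following hunk, so a failed queue (or looper) creation would most likely surface as a crash inside the NDK rather than as a logged error; the pre-change code had the same gap, but the reorder makes this the first thing that can fail on the path. A guard right after the creation, `if (eventQueue == nullptr) { ALOGE("Unable to create sensor event queue"); goto out; }`, keeps the failure on the existing `out` cleanup path the next hunk already uses. The reason for the ordering lives only in the commit message today; a comment above the looper setup such as `// Create the event queue before looking up the sensor: creating it can reset the binder connection and invalidate any handle obtained earlier` would keep a later refactor from moving the lookup back up. If the binder reset can also happen independently of queue creation, the handle could presumably still go stale between `ASensorManager_getDefaultSensor` and `registerSensor`; worth stating that assumption in the same comment. The enclosing `main()` starts and ends outside these hunks, and patches 5/9, 6/9 and 7/9 carry the identical change, so the same remarks apply there.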
@@ -112,16 +122,8 @@ int main(void) {
 sleep(RETRY_PERIOD);
 }
- looper = ALooper_forThread();
- if (looper == nullptr) {
- looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
- }
-
- eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
- NULL);
 err = ASensorEventQueue_registerSensor(eventQueue, hallSensor,
- ASensor_getMinDelay(hallSensor),
- 10000);
+ hallMinDelay, 10000);
 if (err < 0) {
 ALOGE("Unable to register for Hall-effect sensor events");
 goto out;
From 948ad9c58cdf4621928723f30802f7fb489eee16 Mon Sep 17 00:00:00 2001
From: Andrew Lehmer
Date: Mon, 30 Mar 2020 14:12:15 -0700
Subject: [PATCH 5/9] folio_daemon: Avoid UAF with stale sensor handle
It is possible for sensor handles retrieved using ASensorManager_getDefaultSensor() to become stale if the underlying binder connection to the sensor service gets reset. This can be triggered by ASensorManager_createEventQueue(), so any sensor handle retrieved prior to this call may become stale, resulting in a use-after- free when the handle is eventually registered with the queue. To avoid this, the event queue is created before retrieving or registering the sensor.
Bug: 150225255
Test: No longer crashes with proof-of-concept on Pixel 2 XL.
Change-Id: I243f6c68c734af3eb5488855d965a894b5fb99e5
---
 folio_daemon/main.cpp | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/folio_daemon/main.cpp b/folio_daemon/main.cpp
index 1cda1ce5..6bc70279 100644
--- a/folio_daemon/main.cpp
+++ b/folio_daemon/main.cpp
@@ -45,6 +45,7 @@ int main(void) {
 ASensorRef hallSensor;
 ALooper *looper;
 ASensorEventQueue *eventQueue = nullptr;
+ int32_t hallMinDelay = 0;
 time_t lastWarn = 0;
 int attemptCount = 0;
@@ -87,6 +88,14 @@ int main(void) {
 // Get Hall-effect sensor events from the NDK
 sensorManager = ASensorManager_getInstanceForPackage(nullptr);
+ looper = ALooper_forThread();
+ if (looper == nullptr) {
+ looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
+ }
+
+ eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
+ NULL);
+
 /*
 * As long as we are unable to get the sensor handle, periodically retry
 * and emit an error message at a low frequency to prevent high CPU usage
@@ -98,6 +107,7 @@ int main(void) {
 hallSensor = ASensorManager_getDefaultSensor(sensorManager, SENSOR_TYPE);
 if (hallSensor != nullptr) {
+ hallMinDelay = ASensor_getMinDelay(hallSensor);
 break;
 }
@@ -112,16 +122,8 @@ int main(void) {
 sleep(RETRY_PERIOD);
 }
- looper = ALooper_forThread();
- if (looper == nullptr) {
- looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
- }
-
- eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
- NULL);
 err = ASensorEventQueue_registerSensor(eventQueue, hallSensor,
- ASensor_getMinDelay(hallSensor),
- 10000);
+ hallMinDelay, 10000);
 if (err < 0) {
 ALOGE("Unable to register for Hall-effect sensor events");
 goto out;
From 1e9c510d4960269486aa6df9ef9ac53f8fff50f3 Mon Sep 17 00:00:00 2001
From: Andrew Lehmer
Date: Mon, 30 Mar 2020 14:12:15 -0700
Subject: [PATCH 6/9] folio_daemon: Avoid UAF with stale sensor handle
It is possible for sensor handles retrieved using ASensorManager_getDefaultSensor() to become stale if the underlying binder connection to the sensor service gets reset. This can be triggered by ASensorManager_createEventQueue(), so any sensor handle retrieved prior to this call may become stale, resulting in a use-after- free when the handle is eventually registered with the queue. To avoid this, the event queue is created before retrieving or registering the sensor.
Bug: 150225255
Test: No longer crashes with proof-of-concept on Pixel 2 XL.
Change-Id: I243f6c68c734af3eb5488855d965a894b5fb99e5
---
 folio_daemon/main.cpp | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/folio_daemon/main.cpp b/folio_daemon/main.cpp
index 992b4a59..b3a9aa13 100644
--- a/folio_daemon/main.cpp
+++ b/folio_daemon/main.cpp
@@ -43,6 +43,7 @@ int main(void) {
 ASensorRef hallSensor;
 ALooper *looper;
 ASensorEventQueue *eventQueue = nullptr;
+ int32_t hallMinDelay = 0;
 time_t lastWarn = 0;
 int attemptCount = 0;
@@ -85,6 +86,14 @@ int main(void) {
 // Get Hall-effect sensor events from the NDK
 sensorManager = ASensorManager_getInstanceForPackage(nullptr);
+ looper = ALooper_forThread();
+ if (looper == nullptr) {
+ looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
+ }
+
+ eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
+ NULL);
+
 /*
 * As long as we are unable to get the sensor handle, periodically retry
 * and emit an error message at a low frequency to prevent high CPU usage
@@ -96,6 +105,7 @@ int main(void) {
 hallSensor = ASensorManager_getDefaultSensor(sensorManager, SENSOR_TYPE);
 if (hallSensor != nullptr) {
+ hallMinDelay = ASensor_getMinDelay(hallSensor);
 break;
 }
@@ -110,16 +120,8 @@ int main(void) {
 sleep(RETRY_PERIOD);
 }
- looper = ALooper_forThread();
- if (looper == nullptr) {
- looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
- }
-
- eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
- NULL);
 err = ASensorEventQueue_registerSensor(eventQueue, hallSensor,
- ASensor_getMinDelay(hallSensor),
- 10000);
+ hallMinDelay, 10000);
 if (err < 0) {
 ALOGE("Unable to register for Hall-effect sensor events");
 goto out;
From 8461c0a1d18dfab1905c43ac16777d65864def56 Mon Sep 17 00:00:00 2001
From: Andrew Lehmer
Date: Mon, 30 Mar 2020 14:12:15 -0700
Subject: [PATCH 7/9] folio_daemon: Avoid UAF with stale sensor handle [DO NOT MERGE]
It is possible for sensor handles retrieved using ASensorManager_getDefaultSensor() to become stale if the underlying binder connection to the sensor service gets reset. This can be triggered by ASensorManager_createEventQueue(), so any sensor handle retrieved prior to this call may become stale, resulting in a use-after- free when the handle is eventually registered with the queue. To avoid this, the event queue is created before retrieving or registering the sensor.
Bug: 150225255
Test: No longer crashes with proof-of-concept on Pixel 2 XL.
Change-Id: I243f6c68c734af3eb5488855d965a894b5fb99e5
---
 folio_daemon/main.cpp | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/folio_daemon/main.cpp b/folio_daemon/main.cpp
index 1cda1ce5..6bc70279 100644
--- a/folio_daemon/main.cpp
+++ b/folio_daemon/main.cpp
@@ -45,6 +45,7 @@ int main(void) {
 ASensorRef hallSensor;
 ALooper *looper;
 ASensorEventQueue *eventQueue = nullptr;
+ int32_t hallMinDelay = 0;
 time_t lastWarn = 0;
 int attemptCount = 0;
@@ -87,6 +88,14 @@ int main(void) {
 // Get Hall-effect sensor events from the NDK
 sensorManager = ASensorManager_getInstanceForPackage(nullptr);
+ looper = ALooper_forThread();
+ if (looper == nullptr) {
+ looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
+ }
+
+ eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
+ NULL);
+
 /*
 * As long as we are unable to get the sensor handle, periodically retry
 * and emit an error message at a low frequency to prevent high CPU usage
@@ -98,6 +107,7 @@ int main(void) {
 hallSensor = ASensorManager_getDefaultSensor(sensorManager, SENSOR_TYPE);
 if (hallSensor != nullptr) {
+ hallMinDelay = ASensor_getMinDelay(hallSensor);
 break;
 }
@@ -112,16 +122,8 @@ int main(void) {
 sleep(RETRY_PERIOD);
 }
- looper = ALooper_forThread();
- if (looper == nullptr) {
- looper = ALooper_prepare(ALOOPER_PREPARE_ALLOW_NON_CALLBACKS);
- }
-
- eventQueue = ASensorManager_createEventQueue(sensorManager, looper, 0, NULL,
- NULL);
 err = ASensorEventQueue_registerSensor(eventQueue, hallSensor,
- ASensor_getMinDelay(hallSensor),
- 10000);
+ hallMinDelay, 10000);
 if (err < 0) {
 ALOGE("Unable to register for Hall-effect sensor events");
 goto out;
From 3672858e17be5904c9be942a5e5699d9336e73cf Mon Sep 17 00:00:00 2001
From: Jimmy Chen
Date: Mon, 16 Mar 2020 18:08:14 +0800
Subject: [PATCH 8/9] Wifi: enable P2P MAC randomization
Bug: 146398159
Test: enter Wi-Fi Direct and check p2p interface address is randomized.
Change-Id: I5f03f907174d6eec2a739c9112fc2e8fad5ef0ae
---
 overlay/frameworks/base/core/res/res/values/config.xml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/overlay/frameworks/base/core/res/res/values/config.xml b/overlay/frameworks/base/core/res/res/values/config.xml
index 11112fdd..26487652 100755
--- a/overlay/frameworks/base/core/res/res/values/config.xml
+++ b/overlay/frameworks/base/core/res/res/values/config.xml
@@ -371,4 +371,7 @@ true + + + true
From 3210464b20a11736bc6b4c6433677fdd1ba09c34 Mon Sep 17 00:00:00 2001
From: Paul Scovanner
Date: Mon, 13 Apr 2020 18:45:53 +0000
Subject: [PATCH 9/9] Update Wahoo SVN to 44
Bug: 153882927
Change-Id: I426d08a4353d7ad1c25954a2b32cb9aae5ffb886
(cherry picked from commit b2d32df8226ad4db459fa0f8feddc4c7e7c4c306)
---
 device.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device.mk b/device.mk
index 3a583643..a8043196 100755
--- a/device.mk
+++ b/device.mk
@@ -47,7 +47,7 @@ PRODUCT_COPY_FILES += \
 # Set the SVN for the targeted MR release
 PRODUCT_PROPERTY_OVERRIDES += \
- ro.vendor.build.svn=43
+ ro.vendor.build.svn=44
 # Enforce privapp-permissions whitelist
 PRODUCT_PROPERTY_OVERRIDES += \