Security Patches :D #2
Open
Meghthedev wants to merge 18 commits into CipherOS:eleven from CipherOS-Revived:eleven
outputFrameSize, calOutSize and outSize are calculated at 8bit level. However, the library expects outputFrameSize in int16 samples. One of the initializations of outputFrameSize was in bytes. This is now corrected.
Test: clusterfuzz generated poc in bug
Test: atest android.mediav2.cts.CodecDecoderTest
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest
Bug: 193363621
Change-Id: Iac62c4e9d77e7f95f2c692f5ea236e7a5c536dcb
(cherry picked from commit dc32721)

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/15747591
Bug: 201632451
Bug: 188893559
Change-Id: Ie775311a46cb1ddddd30e8cfa882d549b9ddfd05
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 3c5de13)

doRead() doesn't handle situations when received bytes do not fit into the input buffer in case of vorbis audio compression. It results in an OOB write in heap memory right after the allocated input buffer. Added code to copy kKeyValidSamples only if there was enough space. Otherwise, print a warning log.
Bug: 194105348
Test: post-submit media cts tests
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
(cherry picked from commit a625b40)
(cherry picked from commit f3590a1)
Merged-In: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60

Bug: 204445255
Test: poc from original bug
Change-Id: I569477d0771e1c03318df9ef271cf3201d472c99
(cherry picked from commit 94e58d6)
Merged-In: I569477d0771e1c03318df9ef271cf3201d472c99

Use mutex to prevent multiple threads accessing the same member of the mMappings list at the same time.
Bug: 193790350
Test: adb shell UBSAN_OPTIONS=print_stacktrace=1 /data/local/tmp/C2FuzzerMp3Dec -rss_limit_mb=2560 -timeout=90 -runs=100 /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerMp3Dec-5713156165206016
Change-Id: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
(cherry picked from commit 9d2295f)
(cherry picked from commit 416da6e)
Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35

Fixing vulnerability in extract3GGPGlobalDescriptions() in TextDescriptions.cpp
Bug: 233735886
Test: Run related PoC. See bug.
Change-Id: I87955b911d0a40390755321d332a11ecc9b20354
(cherry picked from commit b63d4e7)
Merged-In: I87955b911d0a40390755321d332a11ecc9b20354

When starting an MMAP input stream, APM will check if the client is allowed to capture at that moment or not and call setRecordSilenced if the client is not allowed. However, the client is not active when starting the MMAP input stream. In that case, the client silenced state will be lost and the client will be able to capture even though it is not allowed. In this CL, when setRecordSilenced is called, it will cache the client silenced state so that it can be applied when the client is active.
Test: atest AAudioTests
Test: repro steps from the bug
Bug: 235850634
Change-Id: I49b5a0f08d1747053f868db6e88c0f677256fc3c
Merged-In: I49b5a0f08d1747053f868db6e88c0f677256fc3c
(cherry picked from commit 0960903)
(cherry picked from commit a2f00f9)
Merged-In: I49b5a0f08d1747053f868db6e88c0f677256fc3c

Potential race condition in clearkey setSecurityLevel. POC test in http://go/ag/19083795
Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209
Bug: 235601882
Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b
Merged-In: I2e2084e85fe45d7d7f958c59b0063a477c7d24bf
(cherry picked from commit d37b692)
Merged-In: I6447fb539ef0cb395772c61e6f3e1504ccde331b

Consolidate to avoid concurrency/mutex problems.
Bug: 256087846
Bug: 245860753
Test: atest CtsMediaV2TestCases
Test: atest CtsMediaCodecTestCases
Merged-In: Ie77f0028cab8091edd97d3a60ad4c80da3092cfe
Merged-In: I56eceb6b12ce14348d3f9f2944968e70c6086aa8
Merged-In: I94b0a2ac029dc0b90a93e9ed844768e9da5259b9
Change-Id: I739248436a4801a4b9a96395f481640f2956cedf
(cherry picked from commit 49e842e)
Merged-In: I739248436a4801a4b9a96395f481640f2956cedf

readSampleData() did not initialize the buffer before filling it, leading to OOB memory references. Correct and clarify the bookkeeping around output buffer management.
Bug: 275418191
Test: CtsMediaExtractorTestCases w/debug messages
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786)
Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d
Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d

The error is thrown when the destructor tries to free pointer memory. This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.
Bug: 245135112
Test: Build mtp_host_property_fuzzer and run on the target device
(cherry picked from commit 3afa6e8)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972)
Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580
Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580

OOB write occurs when a value is assigned to a buffer index which is greater than the buffer size. Adding a check on buffer bounds fixes the issue. Similar checks have been added wherever applicable on other such methods of the class.
Bug: 243463593
Test: Build mtp_packet_fuzzer and run on the target device
(cherry picked from commit a669e34)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1401a723899766632363129265b30d433ac69c44)
Merged-In: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b
Change-Id: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b

A data member of class MtpFfsHandle is being accessed after the class object has been freed in the fuzzer. The method accessing the data member is running in a separate thread that gets detached from its parent. Using a condition variable with an atomic int predicate in the close() function to ensure the detached thread's execution has completed before freeing the object fixes the issue without blocking the processing mid-way.
Bug: 243381410
Test: Build mtp_handle_fuzzer and run on the target device
(cherry picked from commit 50bf46a)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:73d89318a658ece5f337c5f9c1ec1149c52eb722)
Merged-In: I41dde165a5eba151c958b81417d9e1065af1b411
Change-Id: I41dde165a5eba151c958b81417d9e1065af1b411

Implement a mutex to ensure secure multi-threaded access to the KeyedVector in MetaDataBase. Concurrent access by different threads can lead to accessing the wrong memory location due to potential changes in the vector.
Bug: 298057702
Test: HTTP Live Streaming test
(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9)
Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a

Use the passed capability field in the to prevent clients from recording in the background. To work around existing issues in the implementation, the approach is:
- if we don't hold the capability, simulate an onUidIdle.
- if we hold the capability, simulate an onUidActive and then the existing behavior (update the AM state).
Only update behavior for apps targetSdk > 34.
Bug: 268724205
Test: OboeTester recording silenced in background for all paths
Test: OboeTester recording permitted after returning to foreground
Test: AGSA works
Test: atest AudioRecordTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7aa76cedc006500e4db1e5084c77b6183d8bac35)
Merged-In: Ida37fec306417b40006dfac5b5ed04f17418b7c8
Change-Id: Ida37fec306417b40006dfac5b5ed04f17418b7c8
No description provided.