Merge tag 'android-8.1.0_r46' into staging/lineage-15.1_merge-android…

…-8.1.0_r46 Android 8.1.0 Release 46 (OPM6.171019.030.K1) * tag 'android-8.1.0_r46': (23 commits) Fix TrackInfo parcel write vpn: allow IPSec traffic through Always-on VPN Resolve inconsistent parcel read in NanoAppFilter Backport Prevent shortcut info package name spoofing Fix DynamicRefTable::load security bug ResStringPool: Prevenet boot loop from se fix Make safe label more safe WM: Prevent secondary display focus while keyguard is up DO NOT MERGE: Add unit tests to ensure VPN meteredness DO NOT MERGE: Fix ConnectivityController meteredness checks clearCallingIdentity before calling into getPackageUidAsUser Nullcheck to fix Autofill CTS Osu: fixed Mismatch between createFromParcel and writeToParcel DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name Fix broken check for TelephonyManager#getForbiddenPlmns DO NOT MERGE (O) Revoke permision when group changed ResStringPool: Fix security vulnerability RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-mr1-dev) Use concrete CREATOR instance for parceling lists Rework thumbnail cleanup ... Change-Id: I1376977831bf2ab308765234b9ae4f3f7da3ee8b
lin15-microG · Sep 9, 2018 · 5464c81 · 5464c81
2 parents 4d1735f + 3c2c834
commit 5464c81
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 5 deletions.
diff --git a/core/java/android/hardware/location/NanoAppFilter.java b/core/java/android/hardware/location/NanoAppFilter.java
@@ -83,15 +83,14 @@ private NanoAppFilter(Parcel in) {
         mAppId = in.readLong();
         mAppVersion = in.readInt();
         mVersionRestrictionMask = in.readInt();
-        mAppIdVendorMask = in.readInt();
+        mAppIdVendorMask = in.readLong();
     }
 
     public int describeContents() {
         return 0;
     }
 
     public void writeToParcel(Parcel out, int flags) {
-
         out.writeLong(mAppId);
         out.writeInt(mAppVersion);
         out.writeInt(mVersionRestrictionMask);

diff --git a/media/java/android/media/MediaPlayer.java b/media/java/android/media/MediaPlayer.java
@@ -2363,10 +2363,10 @@ public int describeContents() {
         @Override
         public void writeToParcel(Parcel dest, int flags) {
             dest.writeInt(mTrackType);
+            dest.writeString(mFormat.getString(MediaFormat.KEY_MIME));
             dest.writeString(getLanguage());
 
             if (mTrackType == MEDIA_TRACK_TYPE_SUBTITLE) {
-                dest.writeString(mFormat.getString(MediaFormat.KEY_MIME));
                 dest.writeInt(mFormat.getInteger(MediaFormat.KEY_IS_AUTOSELECT));
                 dest.writeInt(mFormat.getInteger(MediaFormat.KEY_IS_DEFAULT));
                 dest.writeInt(mFormat.getInteger(MediaFormat.KEY_IS_FORCED_SUBTITLE));

diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -94,8 +94,6 @@
 import com.android.server.LocalServices;
 import com.android.server.net.BaseNetworkObserver;
 
-import libcore.io.IoUtils;
-
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -114,6 +112,8 @@
 import java.util.TreeSet;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import libcore.io.IoUtils;
+
 /**
  * @hide
  */
@@ -1184,6 +1184,18 @@ private void setVpnForcedWithExemptionsLocked(boolean enforce,
                     /* allowedApplications */ null,
                     /* disallowedApplications */ exemptedPackages);
 
+            // The UID range of the first user (0-99999) would block the IPSec traffic, which comes
+            // directly from the kernel and is marked as uid=0. So we adjust the range to allow
+            // it through (b/69873852).
+            for (UidRange range : addedRanges) {
+                if (range.start == 0) {
+                    addedRanges.remove(range);
+                    if (range.stop != 0) {
+                        addedRanges.add(new UidRange(1, range.stop));
+                    }
+                }
+            }
+
             removedRanges.removeAll(addedRanges);
             addedRanges.removeAll(mBlockedUsers);
         }

diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
@@ -131,6 +131,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
@@ -1534,6 +1535,24 @@ private void verifyCaller(@NonNull String packageName, @UserIdInt int userId) {
                 "Ephemeral apps can't use ShortcutManager");
     }
 
+    private void verifyShortcutInfoPackage(String callerPackage, ShortcutInfo si) {
+        if (si == null) {
+            return;
+        }
+        if (!Objects.equals(callerPackage, si.getPackage())) {
+            android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
+            throw new SecurityException("Shortcut package name mismatch");
+        }
+    }
+
+    private void verifyShortcutInfoPackages(
+            String callerPackage, List<ShortcutInfo> list) {
+        final int size = list.size();
+        for (int i = 0; i < size; i++) {
+            verifyShortcutInfoPackage(callerPackage, list.get(i));
+        }
+    }
+
     // Overridden in unit tests to execute r synchronously.
     void injectPostToHandler(Runnable r) {
         mHandler.post(r);
@@ -1681,6 +1700,7 @@ public boolean setDynamicShortcuts(String packageName, ParceledListSlice shortcu
         verifyCaller(packageName, userId);
 
         final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+        verifyShortcutInfoPackages(packageName, newShortcuts);
         final int size = newShortcuts.size();
 
         synchronized (mLock) {
@@ -1732,6 +1752,7 @@ public boolean updateShortcuts(String packageName, ParceledListSlice shortcutInf
         verifyCaller(packageName, userId);
 
         final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+        verifyShortcutInfoPackages(packageName, newShortcuts);
         final int size = newShortcuts.size();
 
         synchronized (mLock) {
@@ -1812,6 +1833,7 @@ public boolean addDynamicShortcuts(String packageName, ParceledListSlice shortcu
         verifyCaller(packageName, userId);
 
         final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+        verifyShortcutInfoPackages(packageName, newShortcuts);
         final int size = newShortcuts.size();
 
         synchronized (mLock) {
@@ -1871,6 +1893,7 @@ public Intent createShortcutResultIntent(String packageName, ShortcutInfo shortc
         Preconditions.checkNotNull(shortcut);
         Preconditions.checkArgument(shortcut.isEnabled(), "Shortcut must be enabled");
         verifyCaller(packageName, userId);
+        verifyShortcutInfoPackage(packageName, shortcut);
 
         final Intent ret;
         synchronized (mLock) {
@@ -1892,6 +1915,7 @@ public Intent createShortcutResultIntent(String packageName, ShortcutInfo shortc
     private boolean requestPinItem(String packageName, int userId, ShortcutInfo shortcut,
             AppWidgetProviderInfo appWidget, Bundle extras, IntentSender resultIntent) {
         verifyCaller(packageName, userId);
+        verifyShortcutInfoPackage(packageName, shortcut);
 
         final boolean ret;
         synchronized (mLock) {