Do not allocate protected AHardwareBuffers with CPU access. Depending on the gralloc implementation, allocating AHardwareBuffers with PROTECTED_CONTENT usage and nonzero CPU read or write mask may succeed, but the buffer won't be accessible by the CPU - either because the lock() call will fail, or there will be memory violation when trying to access the memory. Prevent allocating such buffers. Bug: 77461051 Test: Builds and passes CtsNativeHardwareTestCases on Pixel XL. Change-Id: I822c9fb2d8ce24cd0c0fc0ac765b7a71fd372199

commit: 00bf64278b0d2c13a6f1a2f8616736881414597b [log] [tgz]
author: Krzysztof Kosiński <krzysio@google.com> Mon Apr 02 09:49:07 2018 -0700
committer: Krzysztof Kosiński <krzysio@google.com> Mon Apr 02 10:15:22 2018 -0700
tree: a7a4a08325c48db2c8f0aeeff9bb66ab4cb86ab4
parent: b62346a3ed0d8e4a9144aa90d68b10425b5b8afa [diff] [blame]
diff --git a/libs/nativewindow/AHardwareBuffer.cpp b/libs/nativewindow/AHardwareBuffer.cpp
index f37ef28..49ffc8f 100644
--- a/libs/nativewindow/AHardwareBuffer.cpp
+++ b/libs/nativewindow/AHardwareBuffer.cpp

@@ -60,6 +60,13 @@
         return BAD_VALUE;
     }
 
+    if ((desc->usage & (AHARDWAREBUFFER_USAGE_CPU_READ_MASK | AHARDWAREBUFFER_USAGE_CPU_WRITE_MASK)) &&
+        (desc->usage & AHARDWAREBUFFER_USAGE_PROTECTED_CONTENT)) {
+        ALOGE("AHARDWAREBUFFER_USAGE_PROTECTED_CONTENT requires AHARDWAREBUFFER_USAGE_CPU_READ_NEVER "
+              "and AHARDWAREBUFFER_USAGE_CPU_WRITE_NEVER");
+        return BAD_VALUE;
+    }
+
     uint64_t usage =  AHardwareBuffer_convertToGrallocUsageBits(desc->usage);
     sp<GraphicBuffer> gbuffer(new GraphicBuffer(
             desc->width, desc->height, format, desc->layers, usage,
commit	00bf64278b0d2c13a6f1a2f8616736881414597b	[log] [tgz]
author	Krzysztof Kosiński <krzysio@google.com>	Mon Apr 02 09:49:07 2018 -0700
committer	Krzysztof Kosiński <krzysio@google.com>	Mon Apr 02 10:15:22 2018 -0700
tree	a7a4a08325c48db2c8f0aeeff9bb66ab4cb86ab4
parent	b62346a3ed0d8e4a9144aa90d68b10425b5b8afa [diff] [blame]