Include color layers in input list to fix tapjacking vulnerability
We can use this to compute occlusion more accurately in inputdispatcher.
Bug: 277076451
Test: app-debug.apk in the bug
Test: go/wm-smoke
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1f0301b3f1061cb89d9628bbb1d2b4594f4f29dc)
Merged-In: I1e155bcf4a6a7ff1b49338ec21bb0e9ee05a54c8
Change-Id: I1e155bcf4a6a7ff1b49338ec21bb0e9ee05a54c8
diff --git a/services/surfaceflinger/FrontEnd/LayerSnapshotBuilder.cpp b/services/surfaceflinger/FrontEnd/LayerSnapshotBuilder.cpp
index 4d9a9ca..34b1307 100644
--- a/services/surfaceflinger/FrontEnd/LayerSnapshotBuilder.cpp
+++ b/services/surfaceflinger/FrontEnd/LayerSnapshotBuilder.cpp
@@ -1162,7 +1162,7 @@
auto displayInfo = displayInfoOpt.value_or(sDefaultInfo);
if (!requested.hasInputInfo()) {
- snapshot.inputInfo.inputConfig = InputConfig::NO_INPUT_CHANNEL;
+ snapshot.inputInfo.inputConfig |= InputConfig::NO_INPUT_CHANNEL;
}
fillInputFrameInfo(snapshot.inputInfo, displayInfo.transform, snapshot);
diff --git a/services/surfaceflinger/FrontEnd/RequestedLayerState.cpp b/services/surfaceflinger/FrontEnd/RequestedLayerState.cpp
index ee9302b..8892419 100644
--- a/services/surfaceflinger/FrontEnd/RequestedLayerState.cpp
+++ b/services/surfaceflinger/FrontEnd/RequestedLayerState.cpp
@@ -561,7 +561,7 @@
return false;
}
- if ((sidebandStream != nullptr) || (externalTexture != nullptr)) {
+ if (hasBufferOrSidebandStream() || fillsColor()) {
return true;
}
@@ -574,6 +574,15 @@
windowInfo->inputConfig.test(gui::WindowInfo::InputConfig::NO_INPUT_CHANNEL);
}
+bool RequestedLayerState::hasBufferOrSidebandStream() const {
+ return ((sidebandStream != nullptr) || (externalTexture != nullptr));
+}
+
+bool RequestedLayerState::fillsColor() const {
+ return !hasBufferOrSidebandStream() && color.r >= 0.0_hf && color.g >= 0.0_hf &&
+ color.b >= 0.0_hf;
+}
+
bool RequestedLayerState::hasBlur() const {
return backgroundBlurRadius > 0 || blurRegions.size() > 0;
}
diff --git a/services/surfaceflinger/FrontEnd/RequestedLayerState.h b/services/surfaceflinger/FrontEnd/RequestedLayerState.h
index 7ddd7ba..f974ed3 100644
--- a/services/surfaceflinger/FrontEnd/RequestedLayerState.h
+++ b/services/surfaceflinger/FrontEnd/RequestedLayerState.h
@@ -88,6 +88,8 @@
bool hasValidRelativeParent() const;
bool hasInputInfo() const;
bool needsInputInfo() const;
+ bool hasBufferOrSidebandStream() const;
+ bool fillsColor() const;
bool hasBlur() const;
bool hasFrameUpdate() const;
bool hasReadyFrame() const;
diff --git a/services/surfaceflinger/tests/unittests/LayerLifecycleManagerTest.cpp b/services/surfaceflinger/tests/unittests/LayerLifecycleManagerTest.cpp
index c7cc21c..119e182 100644
--- a/services/surfaceflinger/tests/unittests/LayerLifecycleManagerTest.cpp
+++ b/services/surfaceflinger/tests/unittests/LayerLifecycleManagerTest.cpp
@@ -619,14 +619,32 @@
}
}
-TEST_F(LayerLifecycleManagerTest, testInputInfoOfRequestedLayerState) {
- // By default the layer has no buffer, so it doesn't need an input info
- EXPECT_FALSE(getRequestedLayerState(mLifecycleManager, 111)->needsInputInfo());
-
- setBuffer(111);
+TEST_F(LayerLifecycleManagerTest, layerWithBufferNeedsInputInfo) {
+ // If a layer has no buffer or no color, it doesn't have an input info
+ LayerHierarchyTestBase::createRootLayer(3);
+ setColor(3, {-1._hf, -1._hf, -1._hf});
mLifecycleManager.commitChanges();
- EXPECT_TRUE(getRequestedLayerState(mLifecycleManager, 111)->needsInputInfo());
+ EXPECT_FALSE(getRequestedLayerState(mLifecycleManager, 3)->needsInputInfo());
+
+ setBuffer(3);
+ mLifecycleManager.commitChanges();
+
+ EXPECT_TRUE(getRequestedLayerState(mLifecycleManager, 3)->needsInputInfo());
+}
+
+TEST_F(LayerLifecycleManagerTest, layerWithColorNeedsInputInfo) {
+ // If a layer has no buffer or no color, it doesn't have an input info
+ LayerHierarchyTestBase::createRootLayer(4);
+ setColor(4, {-1._hf, -1._hf, -1._hf});
+ mLifecycleManager.commitChanges();
+
+ EXPECT_FALSE(getRequestedLayerState(mLifecycleManager, 4)->needsInputInfo());
+
+ setColor(4, {1._hf, 0._hf, 0._hf});
+ mLifecycleManager.commitChanges();
+
+ EXPECT_TRUE(getRequestedLayerState(mLifecycleManager, 4)->needsInputInfo());
}
} // namespace android::surfaceflinger::frontend
diff --git a/services/surfaceflinger/tests/unittests/LayerSnapshotTest.cpp b/services/surfaceflinger/tests/unittests/LayerSnapshotTest.cpp
index 8c53eef..bb54138 100644
--- a/services/surfaceflinger/tests/unittests/LayerSnapshotTest.cpp
+++ b/services/surfaceflinger/tests/unittests/LayerSnapshotTest.cpp
@@ -1957,17 +1957,17 @@
}
TEST_F(LayerSnapshotTest, shouldUpdateInputWhenNoInputInfo) {
- // By default the layer has no buffer, so we don't expect it to have an input info
+ // If a layer has no buffer or no color, it doesn't have an input info
+ setColor(111, {-1._hf, -1._hf, -1._hf});
+ UPDATE_AND_VERIFY(mSnapshotBuilder, {1, 11, 12, 121, 122, 1221, 13, 2});
EXPECT_FALSE(getSnapshot(111)->hasInputInfo());
setBuffer(111);
-
UPDATE_AND_VERIFY(mSnapshotBuilder, STARTING_ZORDER);
EXPECT_TRUE(getSnapshot(111)->hasInputInfo());
EXPECT_TRUE(getSnapshot(111)->inputInfo.inputConfig.test(
gui::WindowInfo::InputConfig::NO_INPUT_CHANNEL));
- EXPECT_FALSE(getSnapshot(2)->hasInputInfo());
}
// content dirty test