Merge "Check for COW space before writing to COW"
diff --git a/debuggerd/crasher/Android.bp b/debuggerd/crasher/Android.bp
index effd480..3af806b 100644
--- a/debuggerd/crasher/Android.bp
+++ b/debuggerd/crasher/Android.bp
@@ -19,10 +19,6 @@
arch: {
arm: {
srcs: ["arm/crashglue.S"],
-
- neon: {
- asflags: ["-DHAS_VFP_D32"],
- },
},
arm64: {
srcs: ["arm64/crashglue.S"],
diff --git a/debuggerd/crasher/arm/crashglue.S b/debuggerd/crasher/arm/crashglue.S
index 4fbfd6e..8649056 100644
--- a/debuggerd/crasher/arm/crashglue.S
+++ b/debuggerd/crasher/arm/crashglue.S
@@ -32,7 +32,6 @@
fconstd d13, #13
fconstd d14, #14
fconstd d15, #15
-#if defined(HAS_VFP_D32)
fconstd d16, #16
fconstd d17, #17
fconstd d18, #18
@@ -49,7 +48,6 @@
fconstd d29, #29
fconstd d30, #30
fconstd d31, #31
-#endif
mov lr, #0
ldr lr, [lr]
diff --git a/debuggerd/debuggerd_test.cpp b/debuggerd/debuggerd_test.cpp
index c08721b..9c1b136 100644
--- a/debuggerd/debuggerd_test.cpp
+++ b/debuggerd/debuggerd_test.cpp
@@ -445,6 +445,8 @@
ASSERT_MATCH(result, "memory near x0 \\(\\[anon:");
#elif defined(__arm__)
ASSERT_MATCH(result, "memory near r0 \\(\\[anon:");
+#elif defined(__riscv)
+ ASSERT_MATCH(result, "memory near a0 \\(\\[anon:");
#elif defined(__x86_64__)
ASSERT_MATCH(result, "memory near rdi \\(\\[anon:");
#else
diff --git a/debuggerd/libdebuggerd/tombstone.cpp b/debuggerd/libdebuggerd/tombstone.cpp
index e5b4d74..375ed8a 100644
--- a/debuggerd/libdebuggerd/tombstone.cpp
+++ b/debuggerd/libdebuggerd/tombstone.cpp
@@ -77,9 +77,9 @@
.registers = std::move(regs), .uid = uid, .tid = target_tid,
.thread_name = std::move(thread_name), .pid = pid, .command_line = std::move(command_line),
.selinux_label = std::move(selinux_label), .siginfo = siginfo,
-#if defined(__aarch64__)
// Only supported on aarch64 for now.
- .tagged_addr_ctrl = prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0),
+#if defined(__aarch64__)
+ .tagged_addr_ctrl = prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0),
.pac_enabled_keys = prctl(PR_PAC_GET_ENABLED_KEYS, 0, 0, 0, 0),
#endif
};
@@ -88,7 +88,6 @@
if (target_tid == tid) {
return;
}
- async_safe_format_log(ANDROID_LOG_ERROR, LOG_TAG, "Adding thread %d", tid);
threads[tid] = ThreadInfo{
.uid = thread.uid,
.tid = tid,
diff --git a/fs_mgr/fs_mgr_overlayfs.cpp b/fs_mgr/fs_mgr_overlayfs.cpp
index 6290057..bb24abf 100644
--- a/fs_mgr/fs_mgr_overlayfs.cpp
+++ b/fs_mgr/fs_mgr_overlayfs.cpp
@@ -69,6 +69,7 @@
namespace {
constexpr char kDataScratchSizeMbProp[] = "fs_mgr.overlayfs.data_scratch_size_mb";
+constexpr char kPreferCacheBackingStorageProp[] = "fs_mgr.overlayfs.prefer_cache_backing_storage";
bool fs_mgr_access(const std::string& path) {
return access(path.c_str(), F_OK) == 0;
@@ -101,6 +102,10 @@
const auto kScratchMountPoint = "/mnt/scratch"s;
const auto kCacheMountPoint = "/cache"s;
+bool IsABDevice() {
+ return !android::base::GetProperty("ro.boot.slot_suffix", "").empty();
+}
+
std::vector<const std::string> OverlayMountPoints() {
// Never fallback to legacy cache mount point if within a DSU system,
// because running a DSU system implies the device supports dynamic
@@ -108,6 +113,15 @@
if (fs_mgr_is_dsu_running()) {
return {kScratchMountPoint};
}
+
+ // For non-A/B devices prefer cache backing storage if
+ // kPreferCacheBackingStorageProp property set.
+ if (!IsABDevice() &&
+ android::base::GetBoolProperty(kPreferCacheBackingStorageProp, false) &&
+ android::base::GetIntProperty("ro.vendor.api_level", -1) < __ANDROID_API_T__) {
+ return {kCacheMountPoint, kScratchMountPoint};
+ }
+
return {kScratchMountPoint, kCacheMountPoint};
}
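Review bot: The comment above the new early return says only "if kPreferCacheBackingStorageProp property set", but the branch also requires a non-A/B device and `ro.vendor.api_level` below `__ANDROID_API_T__`, so a reader skimming the comment misses the API-level cutoff. Suggest `// For non-A/B devices with a vendor API level below T, prefer cache backing storage when kPreferCacheBackingStorageProp is set.` in place of the current two lines. Note also that an unset `ro.vendor.api_level` yields the `-1` default from `GetIntProperty`, which satisfies `< __ANDROID_API_T__` and therefore selects the cache-first order; if an unknown API level should not opt in, the condition needs an explicit `>= 0` check.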
@@ -462,6 +476,28 @@
return true;
}
+OverlayfsTeardownResult TeardownDataScratch(IImageManager* images,
+ const std::string& partition_name, bool was_mounted) {
+ if (!images) {
+ return OverlayfsTeardownResult::Error;
+ }
+ if (!images->DisableImage(partition_name)) {
+ return OverlayfsTeardownResult::Error;
+ }
+ if (was_mounted) {
+ // If overlayfs was mounted, don't bother trying to unmap since
+ // it'll fail and create error spam.
+ return OverlayfsTeardownResult::Busy;
+ }
+ if (!images->UnmapImageIfExists(partition_name)) {
+ return OverlayfsTeardownResult::Busy;
+ }
+ if (!images->DeleteBackingImage(partition_name)) {
+ return OverlayfsTeardownResult::Busy;
+ }
+ return OverlayfsTeardownResult::Ok;
+}
+
OverlayfsTeardownResult fs_mgr_overlayfs_teardown_scratch(const std::string& overlay,
bool* change) {
// umount and delete kScratchMountPoint storage if we have logical partitions
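Review bot: `TeardownDataScratch` has no header comment, and its two failure values mean different things: `Error` is returned only when `images` is null or `DisableImage` fails, while `Busy` covers the still-mounted case and failures of `UnmapImageIfExists`/`DeleteBackingImage`, i.e. the image has been disabled but its storage may still exist. A comment above the function spelling out that distinction — and that a caller receiving `Busy` should expect the backing image to remain until a later teardown — would make the two call sites this commit adds easier to judge.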
@@ -484,24 +520,9 @@
auto images = IImageManager::Open("remount", 10s);
if (images && images->BackingImageExists(partition_name)) {
- if (!images->DisableImage(partition_name)) {
- return OverlayfsTeardownResult::Error;
- }
- if (was_mounted) {
- // If overlayfs was mounted, don't bother trying to unmap since
- // it'll fail and create error spam.
- return OverlayfsTeardownResult::Busy;
- }
- if (!images->UnmapImageIfExists(partition_name)) {
- return OverlayfsTeardownResult::Busy;
- }
- if (!images->DeleteBackingImage(partition_name)) {
- return OverlayfsTeardownResult::Busy;
- }
-
// No need to check super partition, if we knew we had a scratch device
// in /data.
- return OverlayfsTeardownResult::Ok;
+ return TeardownDataScratch(images.get(), partition_name, was_mounted);
}
auto slot_number = fs_mgr_overlayfs_slot_number();
@@ -1103,6 +1124,8 @@
}
if (!images->MapImageDevice(partition_name, 10s, scratch_device)) {
LERROR << "could not map scratch image";
+ // If we cannot use this image, then remove it.
+ TeardownDataScratch(images.get(), partition_name, false /* was_mounted */);
return false;
}
return true;
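Review bot: The `TeardownDataScratch(...)` call added in the `MapImageDevice` failure path discards its result, so if the cleanup itself fails (`Error` or `Busy`) the unusable scratch image silently stays on /data and the only diagnostic is the earlier "could not map scratch image". Check and log the outcome, e.g. `if (TeardownDataScratch(images.get(), partition_name, false) != OverlayfsTeardownResult::Ok) { LOG(WARNING) << "could not remove unusable scratch image " << partition_name; }`. The enclosing function starts before this hunk.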
@@ -1136,6 +1159,7 @@
if (CreateScratchOnData(scratch_device, partition_exists)) {
return true;
}
+ LOG(WARNING) << "Failed to allocate scratch on /data, fallback to use free space on super";
}
// If that fails, see if we can land on super.
if (CanUseSuperPartition(fstab)) {
diff --git a/init/init.cpp b/init/init.cpp
index 57397b5..540e2ca 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -513,7 +513,7 @@
}
static Result<void> DoLoadApex(const std::string& apex_name) {
- if(auto result = ParseApexConfigs(apex_name); !result.ok()) {
+ if (auto result = ParseApexConfigs(apex_name); !result.ok()) {
return result.error();
}
diff --git a/init/service.cpp b/init/service.cpp
index caa9095..c260c07 100644
--- a/init/service.cpp
+++ b/init/service.cpp
@@ -506,8 +506,7 @@
}
// Enters namespaces, sets environment variables, writes PID files and runs the service executable.
-void Service::RunService(const std::vector<Descriptor>& descriptors,
- InterprocessFifo cgroups_activated, InterprocessFifo setsid_finished) {
+void Service::RunService(const std::vector<Descriptor>& descriptors, InterprocessFifo fifo) {
if (auto result = EnterNamespaces(namespaces_, name_, mount_namespace_); !result.ok()) {
LOG(FATAL) << "Service '" << name_ << "' failed to set up namespaces: " << result.error();
}
@@ -529,11 +528,11 @@
// Wait until the cgroups have been created and until the cgroup controllers have been
// activated.
- Result<uint8_t> byte = cgroups_activated.Read();
+ Result<uint8_t> byte = fifo.Read();
if (!byte.ok()) {
LOG(ERROR) << name_ << ": failed to read from notification channel: " << byte.error();
}
- cgroups_activated.Close();
+ fifo.Close();
if (!*byte) {
LOG(FATAL) << "Service '" << name_ << "' failed to start due to a fatal error";
_exit(EXIT_FAILURE);
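Review bot: `if (!*byte)` at the end of this hunk dereferences `byte` even when the preceding `if (!byte.ok())` branch has just logged a failed `Read()`; a `Result` holding an error has no value to read, so depending on the implementation this is an abort or undefined behaviour, and the rename to `fifo` carries the pre-existing pattern forward. Treating a failed read as fatal is the conservative fix: change the error branch to `LOG(FATAL) << name_ << ": failed to read from notification channel: " << byte.error();`, or add `_exit(EXIT_FAILURE);` after the existing `LOG(ERROR)`. `RunService` continues past the hunk.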
@@ -557,12 +556,6 @@
// priority. Aborts on failure.
SetProcessAttributesAndCaps();
- // If SetProcessAttributes() called setsid(), report this to the parent.
- if (!proc_attr_.console.empty()) {
- setsid_finished.Write(2);
- }
- setsid_finished.Close();
-
if (!ExpandArgsAndExecv(args_, sigstop_)) {
PLOG(ERROR) << "cannot execv('" << args_[0]
<< "'). See the 'Debugging init' section of init's README.md for tips";
@@ -604,23 +597,13 @@
return {};
}
- InterprocessFifo cgroups_activated, setsid_finished;
-
- if (Result<void> result = cgroups_activated.Initialize(); !result.ok()) {
- return result;
- }
+ InterprocessFifo fifo;
+ OR_RETURN(fifo.Initialize());
if (Result<void> result = CheckConsole(); !result.ok()) {
return result;
}
- // Only check proc_attr_.console after the CheckConsole() call.
- if (!proc_attr_.console.empty()) {
- if (Result<void> result = setsid_finished.Initialize(); !result.ok()) {
- return result;
- }
- }
-
struct stat sb;
if (stat(args_[0].c_str(), &sb) == -1) {
flags_ |= SVC_DISABLED;
@@ -673,13 +656,11 @@
if (pid == 0) {
umask(077);
- cgroups_activated.CloseWriteFd();
- setsid_finished.CloseReadFd();
- RunService(descriptors, std::move(cgroups_activated), std::move(setsid_finished));
+ fifo.CloseWriteFd();
+ RunService(descriptors, std::move(fifo));
_exit(127);
} else {
- cgroups_activated.CloseReadFd();
- setsid_finished.CloseWriteFd();
+ fifo.CloseReadFd();
}
if (pid < 0) {
@@ -708,7 +689,7 @@
limit_percent_ != -1 || !limit_property_.empty();
errno = -createProcessGroup(proc_attr_.uid, pid_, use_memcg);
if (errno != 0) {
- Result<void> result = cgroups_activated.Write(0);
+ Result<void> result = fifo.Write(0);
if (!result.ok()) {
return Error() << "Sending notification failed: " << result.error();
}
@@ -732,27 +713,10 @@
LmkdRegister(name_, proc_attr_.uid, pid_, oom_score_adjust_);
}
- if (Result<void> result = cgroups_activated.Write(1); !result.ok()) {
+ if (Result<void> result = fifo.Write(1); !result.ok()) {
return Error() << "Sending cgroups activated notification failed: " << result.error();
}
- // Call setpgid() from the parent process to make sure that this call has
- // finished before the parent process calls kill(-pgid, ...).
- if (proc_attr_.console.empty()) {
- if (setpgid(pid, pid) == -1) {
- return ErrnoError() << "setpgid failed";
- }
- } else {
- // The Read() call below will return an error if the child is killed.
- if (Result<uint8_t> result = setsid_finished.Read(); !result.ok() || *result != 2) {
- if (!result.ok()) {
- return Error() << "Waiting for setsid() failed: " << result.error();
- } else {
- return Error() << "Waiting for setsid() failed: " << *result << " <> 2";
- }
- }
- }
-
NotifyStateChange("running");
reboot_on_failure.Disable();
return {};
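Review bot: Removing the parent-side `setpgid(pid, pid)` reintroduces the ordering the deleted comment warned about: nothing in this function now guarantees that the child's own `setpgid(0, getpid())` (service_utils.cpp in this commit) has run before the parent later signals the group with `kill(-pgid, ...)`, so an early kill can target a group that does not exist yet. If this is a deliberate revert of the setsid-synchronisation change, a comment where the parent-side call used to be, e.g. `// The child joins its own process group in SetProcessAttributes(); see service_utils.cpp.`, would record that the window is accepted. Where the `kill(-pgid, ...)` is issued is not visible on this page, so the exposure is inferred from the removed comment.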
diff --git a/init/service.h b/init/service.h
index 10a0790..b2c9909 100644
--- a/init/service.h
+++ b/init/service.h
@@ -155,8 +155,7 @@
void ResetFlagsForStart();
Result<void> CheckConsole();
void ConfigureMemcg();
- void RunService(const std::vector<Descriptor>& descriptors, InterprocessFifo cgroups_activated,
- InterprocessFifo setsid_finished);
+ void RunService(const std::vector<Descriptor>& descriptors, InterprocessFifo cgroups_activated);
void SetMountNamespace();
static unsigned long next_start_order_;
static bool is_exec_service_running_;
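Review bot: The declaration now names the second parameter `cgroups_activated` while the definition in service.cpp calls it `fifo`, so header and implementation disagree on what the argument is. Either `void RunService(const std::vector<Descriptor>& descriptors, InterprocessFifo fifo);` to match the definition, or rename the definition's parameter back to `cgroups_activated`, which is the more descriptive of the two given that the fifo now carries only the cgroups notification.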
diff --git a/init/service_utils.cpp b/init/service_utils.cpp
index 56a80b5..a14969e 100644
--- a/init/service_utils.cpp
+++ b/init/service_utils.cpp
@@ -244,11 +244,7 @@
setsid();
OpenConsole(attr.console);
} else {
- // Without PID namespaces, this call duplicates the setpgid() call from
- // the parent process. With PID namespaces, this setpgid() call sets the
- // process group ID for a child of the init process in the PID
- // namespace.
- if (setpgid(0, 0) == -1) {
+ if (setpgid(0, getpid()) == -1) {
return ErrnoError() << "setpgid failed";
}
SetupStdio(attr.stdio_to_kmsg);
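Review bot: `setpgid(0, getpid())` is equivalent to the removed `setpgid(0, 0)` (a pgid of 0 means "use the caller's pid"), so the line itself is behaviour-neutral, but the four-line comment explaining why the child sets its own process group was dropped with it. A one-line replacement such as `// Make this process the leader of its own process group (equivalent to setpgid(0, 0)).` keeps the intent visible; the enclosing function extends beyond the hunk.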
diff --git a/rootdir/etc/linker.config.json b/rootdir/etc/linker.config.json
index c88c7ff..3a98fdb 100644
--- a/rootdir/etc/linker.config.json
+++ b/rootdir/etc/linker.config.json
@@ -27,6 +27,8 @@
// statsd
"libstatspull.so",
"libstatssocket.so",
+ // tethering LLNDK
+ "libcom.android.tethering.connectivity_native.so",
// adbd
"libadb_pairing_auth.so",
"libadb_pairing_connection.so",
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 123148e..1eec061 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -1223,7 +1223,7 @@
# controlling access. On older kernels, the paranoid value is the only means of
# controlling access. It is normally 3 (allow only root), but the shell user
# can lower it to 1 (allowing thread-scoped pofiling) via security.perf_harden.
-on property:sys.init.perf_lsm_hooks=1
+on load_bpf_programs && property:sys.init.perf_lsm_hooks=1
write /proc/sys/kernel/perf_event_paranoid -1
on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks=""
write /proc/sys/kernel/perf_event_paranoid 1
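Review bot: The new trigger `on load_bpf_programs && property:sys.init.perf_lsm_hooks=1` is not explained by the comment block above it, which still only describes the paranoid value itself. Presumably the intent is that `perf_event_paranoid` must not be lowered to -1 until the BPF programs implementing the perf LSM hooks have actually been loaded, since otherwise there is a window in which nothing enforces access; if so, a line such as `# Only relax the paranoid value once the perf LSM hook programs are loaded.` directly above the trigger would make the ordering dependency explicit rather than implied by the trigger syntax.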
diff --git a/trusty/confirmationui/Android.bp b/trusty/confirmationui/Android.bp
index 29ef3c0..c5c5012 100644
--- a/trusty/confirmationui/Android.bp
+++ b/trusty/confirmationui/Android.bp
@@ -53,6 +53,24 @@
],
}
+cc_fuzz {
+ name: "android.hardware.confirmationui-service.trusty_fuzzer",
+ defaults: ["service_fuzzer_defaults"],
+ vendor: true,
+ shared_libs: [
+ "android.hardware.confirmationui-V1-ndk",
+ "android.hardware.confirmationui.not-so-secure-input",
+ "android.hardware.confirmationui-lib.trusty",
+ "liblog",
+ ],
+ srcs: ["fuzzer.cpp"],
+ fuzz_config: {
+ cc: [
+ "nyamagoud@google.com",
+ ],
+ },
+}
+
cc_library {
name: "android.hardware.confirmationui-lib.trusty",
defaults: [
diff --git a/trusty/confirmationui/fuzzer.cpp b/trusty/confirmationui/fuzzer.cpp
new file mode 100644
index 0000000..4446b79
--- /dev/null
+++ b/trusty/confirmationui/fuzzer.cpp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <TrustyConfirmationuiHal.h>
+#include <android-base/logging.h>
+#include <fuzzbinder/libbinder_ndk_driver.h>
+#include <fuzzer/FuzzedDataProvider.h>
+
+using aidl::android::hardware::confirmationui::createTrustyConfirmationUI;
+using aidl::android::hardware::confirmationui::IConfirmationUI;
+using android::fuzzService;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ auto confirmationui = createTrustyConfirmationUI();
+
+ fuzzService(confirmationui->asBinder().get(), FuzzedDataProvider(data, size));
+
+ return 0;
+}
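Review bot: `confirmationui->asBinder()` dereferences the result of `createTrustyConfirmationUI()` without checking it; if that factory can return an empty shared pointer (for example when the Trusty backend is unavailable), the fuzzer crashes on its first input and reports a null dereference instead of the real setup failure. Guard it with `if (!confirmationui) return 0;` before the `fuzzService` call, or fail loudly with a clear message; the factory's contract is not visible on this page, so confirm whether null is possible. Minor: `uint8_t` and `size_t` are used without a direct `<cstdint>`/`<cstddef>` include and currently arrive transitively.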
diff --git a/trusty/storage/proxy/rpmb.c b/trusty/storage/proxy/rpmb.c
index f059935..b1b8232 100644
--- a/trusty/storage/proxy/rpmb.c
+++ b/trusty/storage/proxy/rpmb.c
@@ -322,9 +322,9 @@
}
static int send_mmc_rpmb_req(int mmc_fd, const struct storage_rpmb_send_req* req) {
- struct {
+ union {
struct mmc_ioc_multi_cmd multi;
- struct mmc_ioc_cmd cmd_buf[3];
+ uint8_t raw[sizeof(struct mmc_ioc_multi_cmd) + sizeof(struct mmc_ioc_cmd) * 3];
} mmc = {};
struct mmc_ioc_cmd* cmd = mmc.multi.cmds;
int rc;
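Review bot: The new `union` at the top of `send_mmc_rpmb_req` has no comment saying why it exists: `struct mmc_ioc_multi_cmd` ends in a zero-length `cmds[]` array in the kernel UAPI header, so the old struct's `cmd_buf[3]` merely happened to sit after `multi`, whereas `raw[]` now reserves that storage explicitly and `mmc.multi.cmds` indexes into it. A one-line comment such as `/* raw[] gives mmc.multi.cmds[0..2] backing storage; multi itself ends in a flexible array. */` would stop the next maintainer from "simplifying" it back, and the literal `3` is worth a named constant if the fill loop further down also hard-codes it. The rest of the function lies outside the hunk, so the number of commands actually written cannot be checked here.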