14.1: cherrypicks

This commit is contained in:
Tad 2019-11-24 20:14:23 -05:00
parent f90b62982b
commit a8cc390c3d
6 changed files with 3 additions and 294 deletions

View File

@ -1,134 +0,0 @@
From 5479a23bdb9fd2cbd92d7a1f35e5ecf193515d72 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 30 Mar 2017 02:50:09 +0900
Subject: [PATCH] Really always allow networking on loopback.
https://android-review.googlesource.com/#/c/294359/ attempted to
allow networking on loopback, but actually does not do anything
because no packet has both -i lo and -o lo: loopback packets have
-i lo in INPUT and -o lo in OUTPUT.
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
Test: originated and received traffic is not matched by new rules
Bug: 34444781
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
---
server/FirewallController.cpp | 3 ++-
server/FirewallControllerTest.cpp | 15 ++++++++++-----
tests/binder_test.cpp | 16 ++++++++--------
3 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 826cf758..ffc99e16 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *
StringAppendF(&commands, "*filter\n:%s -\n", name);
// Always allow networking on loopback.
- StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name);
+ StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name);
+ StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name);
// Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network
// access. Both incoming and outgoing RSTs are allowed.
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
index 7d96c61c..ba449db0 100644
--- a/server/FirewallControllerTest.cpp
+++ b/server/FirewallControllerTest.cpp
@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
std::vector<std::string> expectedRestore4 = {
"*filter",
":fw_whitelist -",
- "-A fw_whitelist -i lo -o lo -j RETURN",
+ "-A fw_whitelist -i lo -j RETURN",
+ "-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
"-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
"-A fw_whitelist -j DROP",
@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
std::vector<std::string> expectedRestore6 = {
"*filter",
":fw_whitelist -",
- "-A fw_whitelist -i lo -o lo -j RETURN",
+ "-A fw_whitelist -i lo -j RETURN",
+ "-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",
@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {
std::vector<std::string> expectedRestore = {
"*filter",
":fw_blacklist -",
- "-A fw_blacklist -i lo -o lo -j RETURN",
+ "-A fw_blacklist -i lo -j RETURN",
+ "-A fw_blacklist -o lo -j RETURN",
"-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",
"COMMIT\n\x04"
};
@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
std::string expected =
"*filter\n"
":FW_whitechain -\n"
- "-A FW_whitechain -i lo -o lo -j RETURN\n"
+ "-A FW_whitechain -i lo -j RETURN\n"
+ "-A FW_whitechain -o lo -j RETURN\n"
"-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
std::string expected =
"*filter\n"
":FW_blackchain -\n"
- "-A FW_blackchain -i lo -o lo -j RETURN\n"
+ "-A FW_blackchain -i lo -j RETURN\n"
+ "-A FW_blackchain -o lo -j RETURN\n"
"-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
"-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
"-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 5395f1d2..dcaf2302 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) {
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op("Clearing whitelist chain");
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids));
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op("Clearing blacklist chain");
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
// Check that the call fails if iptables returns an error.
std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName";

View File

@ -1,52 +0,0 @@
From 77894c5bfbafb8cacdefe9b60cff121e5fb88e3c Mon Sep 17 00:00:00 2001
From: Joel Scherpelz <jscherpelz@google.com>
Date: Wed, 14 Jun 2017 10:27:47 +0900
Subject: [PATCH] BACKPORT: Avoid netlink socket address conflict
NetlinkManager previously bound all netlink sockets with nl_pid =
getpid(). Unfortunately only the first such socket is allowed to claim
nl_pid = getpid(). The kernel is happy to assign this value
automatically if nl_pid = 0. For more information on nl_pid see "man 7
netlink".
When NFLogListener was added, it created a socket with a kernel assigned
nl_pid, unfortunately the kernel assigns getpid() to the first such
socket and listener was initialized earlier in the startup process than
NetlinkManager.
This change alters NetlinkManager to request a kernel assigned nl_pid and
defensively moves the initialization of NFLogListener later in the
startup sequence to favor proper operation of existing code in
NetlinkManager. Error logging is also slightly improved.
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
- "cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t
android.os.cts.StrictModeTest" passes
Bug: 62353125
[syphyr: Removed NFLogListener changes]
Signed-off-by: L.W. Reek <syphyr@gmail.com>
Change-Id: I9c1c76e5769de75ff624bf43634ac4061c447a72
---
server/NetlinkManager.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
index 769a80ae..5e6eaba8 100644
--- a/server/NetlinkManager.cpp
+++ b/server/NetlinkManager.cpp
@@ -73,7 +73,8 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily,
memset(&nladdr, 0, sizeof(nladdr));
nladdr.nl_family = AF_NETLINK;
- nladdr.nl_pid = getpid();
+ // Kernel will assign a unique nl_pid if set to zero.
+ nladdr.nl_pid = 0;
nladdr.nl_groups = groups;
if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {

View File

@ -1,68 +0,0 @@
From d6f2d210fe3f1b8c2c798066bfb32e2c9ec96ef4 Mon Sep 17 00:00:00 2001
From: Sehee Park <sehee32.park@samsung.com>
Date: Wed, 26 Dec 2018 07:28:23 +0900
Subject: [PATCH] Fix fortify_fatal issue during DNSServiceProcessResult()
fd was checked at beginnig of DNSServiceProcessResult()
but fd was changed to -1. So, fortify_fatal was occured
when FD_SET() was called.
Abort message: 'FORTIFY: FD_SET: file descriptor -1 < 0'
Test: Build
Bug: 120910016
Bug: 121327565
Change-Id: Ib4c8dcc08223578fb53647637b44a20a4c221050
Merged-In: Ib4c8dcc08223578fb53647637b44a20a4c221050
Signed-off-by: Sehee Park <sehee32.park@samsung.com>
(cherry picked from commit 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b)
---
server/MDnsSdListener.cpp | 10 +++++++++-
server/MDnsSdListener.h | 1 +
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index 883fe815..e3fd66a0 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -146,7 +146,7 @@ void MDnsSdListener::Handler::stop(SocketClient *cli, int argc, char **argv, con
return;
}
if (VDBG) ALOGD("Stopping %s with ref %p", str, ref);
- DNSServiceRefDeallocate(*ref);
+ mMonitor->deallocateServiceRef(ref);
mMonitor->freeServiceRef(requestId);
char *msg;
asprintf(&msg, "%s stopped", str);
@@ -617,7 +617,9 @@ void MDnsSdListener::Monitor::run() {
ALOGD("Monitor found [%d].revents = %d - calling ProcessResults",
i, mPollFds[i].revents);
}
+ pthread_mutex_lock(&mHeadMutex);
DNSServiceProcessResult(*(mPollRefs[i]));
+ pthread_mutex_unlock(&mHeadMutex);
mPollFds[i].revents = 0;
}
}
@@ -769,3 +771,9 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
}
pthread_mutex_unlock(&mHeadMutex);
}
+
+void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
+ pthread_mutex_lock(&mHeadMutex);
+ DNSServiceRefDeallocate(*ref);
+ pthread_mutex_unlock(&mHeadMutex);
+}
\ No newline at end of file
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
index e9c6066a..a107d3b8 100644
--- a/server/MDnsSdListener.h
+++ b/server/MDnsSdListener.h
@@ -76,6 +76,7 @@ class MDnsSdListener : public FrameworkListener {
static void *threadStart(void *handler);
int startService();
int stopService();
+ void deallocateServiceRef(DNSServiceRef* ref);
private:
void run();
int rescan(); // returns the number of elements in the poll

View File

@ -1,32 +0,0 @@
From 728b7617dc0ec0b017740f9a78e7dcefff1afc86 Mon Sep 17 00:00:00 2001
From: Ken Chen <cken@google.com>
Date: Sat, 26 Jan 2019 19:17:00 +0800
Subject: [PATCH] Clear Element.mRef immediately after deallocating it
DNSServiceRefDeallocate() and pointer dereferencing in request handler
thread are protected by two separate lock/unlock pairs on mHeadMutex.
If rescan() runs between these, it could dereference mRef, causing
a heap-use-after-free bug.
Solution: set mRef to null immediately after freeing it.
Bug: 121327565
Test: build
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
(cherry picked from commit 9762bc1964a37ec56091ee2b6070e19c5206f615)
---
server/MDnsSdListener.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index e3fd66a0..563e0207 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -775,5 +775,6 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
pthread_mutex_lock(&mHeadMutex);
DNSServiceRefDeallocate(*ref);
+ *ref = nullptr;
pthread_mutex_unlock(&mHeadMutex);
}
\ No newline at end of file

View File

@ -116,6 +116,9 @@ patchWorkspace() {
#repopick 212799; #alt: 212827 flac extractor CVE-2017-0592
#repopick 214125; #spellchecker: enable more wordlists
repopick -it n_asb_09-2018-qcom;
repopick -it ibss-mode-nougat;
repopick -it n-unzip;
repopick -it n-netd;
export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails

View File

@ -176,14 +176,6 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
enterAndClear "system/netd";
#loopback fixes
patch -p1 < "$DOS_PATCHES/android_system_netd/244387.patch"; #Really always allow networking on loopback.
patch -p1 < "$DOS_PATCHES/android_system_netd/244388.patch"; #Avoid netlink socket address conflict
#CVE-2019-2033
patch -p1 < "$DOS_PATCHES/android_system_netd/245690.patch"; #Fix fortify_fatal issue during DNSServiceProcessResult()
patch -p1 < "$DOS_PATCHES/android_system_netd/245691.patch"; #Clear Element.mRef immediately after deallocating it
enterAndClear "system/sepolicy";
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices