Merge tag 'android-6.0.1_r72' into HEAD

Jessica Wagantall · Jessica Wagantall · commit b3616bc68be2 · 2016-10-06T11:50:23.000-07:00
Android 6.0.1 Release 72 (M4B30X)

# gpg: Signature made Tue 04 Oct 2016 09:47:40 AM PDT using DSA key ID 9AB10E78
# gpg: Can't check signature: public key not found
diff --git a/core/java/android/hardware/fingerprint/FingerprintManager.java b/core/java/android/hardware/fingerprint/FingerprintManager.java
@@ -258,6 +258,7 @@ public long getOpId() {
     public static class AuthenticationResult {
         private Fingerprint mFingerprint;
         private CryptoObject mCryptoObject;
+        private int mUserId;
 
         /**
          * Authentication result
@@ -266,9 +267,10 @@ public static class AuthenticationResult {
          * @param fingerprint the recognized fingerprint data, if allowed.
          * @hide
          */
-        public AuthenticationResult(CryptoObject crypto, Fingerprint fingerprint) {
+        public AuthenticationResult(CryptoObject crypto, Fingerprint fingerprint, int userId) {
             mCryptoObject = crypto;
             mFingerprint = fingerprint;
+            mUserId = userId;
         }
 
         /**
@@ -285,6 +287,12 @@ public AuthenticationResult(CryptoObject crypto, Fingerprint fingerprint) {
          * @hide
          */
         public Fingerprint getFingerprint() { return mFingerprint; }
+
+        /**
+         * Obtain the userId for which this fingerprint was authenticated.
+         * @hide
+         */
+        public int getUserId() { return mUserId; }
     };
 
     /**
@@ -754,7 +762,7 @@ public void handleMessage(android.os.Message msg) {
                     sendAcquiredResult((Long) msg.obj /* deviceId */, msg.arg1 /* acquire info */);
                     break;
                 case MSG_AUTHENTICATION_SUCCEEDED:
-                    sendAuthenticatedSucceeded((Fingerprint) msg.obj);
+                    sendAuthenticatedSucceeded((Fingerprint) msg.obj, msg.arg1 /* userId */);
                     break;
                 case MSG_AUTHENTICATION_FAILED:
                     sendAuthenticatedFailed();
@@ -799,9 +807,10 @@ private void sendEnrollResult(Fingerprint fp, int remaining) {
             }
         }
 
-        private void sendAuthenticatedSucceeded(Fingerprint fp) {
+        private void sendAuthenticatedSucceeded(Fingerprint fp, int userId) {
             if (mAuthenticationCallback != null) {
-                final AuthenticationResult result = new AuthenticationResult(mCryptoObject, fp);
+                final AuthenticationResult result =
+                        new AuthenticationResult(mCryptoObject, fp, userId);
                 mAuthenticationCallback.onAuthenticationSucceeded(result);
             }
         }
@@ -941,8 +950,8 @@ public void onAcquired(long deviceId, int acquireInfo) {
         }
 
         @Override // binder call
-        public void onAuthenticationSucceeded(long deviceId, Fingerprint fp) {
-            mHandler.obtainMessage(MSG_AUTHENTICATION_SUCCEEDED, fp).sendToTarget();
+        public void onAuthenticationSucceeded(long deviceId, Fingerprint fp, int userId) {
+            mHandler.obtainMessage(MSG_AUTHENTICATION_SUCCEEDED, userId, 0, fp).sendToTarget();
         }
 
         @Override // binder call
diff --git a/core/java/android/hardware/fingerprint/IFingerprintServiceReceiver.aidl b/core/java/android/hardware/fingerprint/IFingerprintServiceReceiver.aidl
@@ -26,7 +26,7 @@ import android.os.UserHandle;
 oneway interface IFingerprintServiceReceiver {
     void onEnrollResult(long deviceId, int fingerId, int groupId, int remaining);
     void onAcquired(long deviceId, int acquiredInfo);
-    void onAuthenticationSucceeded(long deviceId, in Fingerprint fp);
+    void onAuthenticationSucceeded(long deviceId, in Fingerprint fp, int userId);
     void onAuthenticationFailed(long deviceId);
     void onError(long deviceId, int error);
     void onRemoved(long deviceId, int fingerId, int groupId);
diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
@@ -539,6 +539,15 @@ private static ProcessStartResult zygoteSendArgsAndGetResult(
             ZygoteState zygoteState, ArrayList<String> args)
             throws ZygoteStartFailedEx {
         try {
+            // Throw early if any of the arguments are malformed. This means we can
+            // avoid writing a partial response to the zygote.
+            int sz = args.size();
+            for (int i = 0; i < sz; i++) {
+                if (args.get(i).indexOf('\n') >= 0) {
+                    throw new ZygoteStartFailedEx("embedded newlines not allowed");
+                }
+            }
+
             /**
              * See com.android.internal.os.ZygoteInit.readArgumentList()
              * Presently the wire format to the zygote process is:
@@ -555,13 +564,8 @@ private static ProcessStartResult zygoteSendArgsAndGetResult(
             writer.write(Integer.toString(args.size()));
             writer.newLine();
 
-            int sz = args.size();
             for (int i = 0; i < sz; i++) {
                 String arg = args.get(i);
-                if (arg.indexOf('\n') >= 0) {
-                    throw new ZygoteStartFailedEx(
-                            "embedded newlines not allowed");
-                }
                 writer.write(arg);
                 writer.newLine();
             }
@@ -570,11 +574,16 @@ private static ProcessStartResult zygoteSendArgsAndGetResult(
 
             // Should there be a timeout on this?
             ProcessStartResult result = new ProcessStartResult();
+
+            // Always read the entire result from the input stream to avoid leaving
+            // bytes in the stream for future process starts to accidentally stumble
+            // upon.
             result.pid = inputStream.readInt();
+            result.usingWrapper = inputStream.readBoolean();
+
             if (result.pid < 0) {
                 throw new ZygoteStartFailedEx("fork() failed");
             }
-            result.usingWrapper = inputStream.readBoolean();
             return result;
         } catch (IOException ex) {
             zygoteState.close();
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -301,7 +301,7 @@ public boolean checkPattern(List<LockPatternView.Cell> pattern, int userId)
                 return false;
             }
         } catch (RemoteException re) {
-            return true;
+            return false;
         }
     }
 
@@ -350,7 +350,7 @@ public boolean checkPassword(String password, int userId) throws RequestThrottle
                 return false;
             }
         } catch (RemoteException re) {
-            return true;
+            return false;
         }
     }
 
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardUpdateMonitor.java b/packages/Keyguard/src/com/android/keyguard/KeyguardUpdateMonitor.java
@@ -462,7 +462,8 @@ private void handleFingerprintAcquired(int acquireInfo) {
         }
     }
 
-    private void handleFingerprintAuthenticated() {
+
+    private void handleFingerprintAuthenticated(int authUserId) {
         try {
             final int userId;
             try {
@@ -471,6 +472,10 @@ private void handleFingerprintAuthenticated() {
                 Log.e(TAG, "Failed to get current user id: ", e);
                 return;
             }
+            if (userId != authUserId) {
+                Log.d(TAG, "Fingerprint authenticated for wrong user: " + authUserId);
+                return;
+            }
             if (isFingerprintDisabled(userId)) {
                 Log.d(TAG, "Fingerprint disabled by DPM for userId: " + userId);
                 return;
@@ -737,7 +742,7 @@ public void onAuthenticationFailed() {
 
         @Override
         public void onAuthenticationSucceeded(AuthenticationResult result) {
-            handleFingerprintAuthenticated();
+            handleFingerprintAuthenticated(result.getUserId());
         }
 
         @Override
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
@@ -565,6 +565,9 @@ public VerifyCredentialResponse verifyPattern(String pattern, long challenge, in
     private VerifyCredentialResponse doVerifyPattern(String pattern, boolean hasChallenge,
             long challenge, int userId) throws RemoteException {
        checkPasswordReadPermission(userId);
+       if (TextUtils.isEmpty(pattern)) {
+           throw new IllegalArgumentException("Pattern can't be null or empty");
+       }
        CredentialHash storedHash = mStorage.readPatternHash(userId);
        boolean shouldReEnrollBaseZero = storedHash != null && storedHash.isBaseZeroPattern;
 
@@ -628,6 +631,9 @@ public VerifyCredentialResponse verifyPassword(String password, long challenge,
     private VerifyCredentialResponse doVerifyPassword(String password, boolean hasChallenge,
             long challenge, int userId) throws RemoteException {
        checkPasswordReadPermission(userId);
+       if (TextUtils.isEmpty(password)) {
+           throw new IllegalArgumentException("Password can't be null or empty");
+       }
        CredentialHash storedHash = mStorage.readPasswordHash(userId);
        return verifyCredential(userId, storedHash, password, hasChallenge, challenge,
                new CredentialUtil() {
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -3651,6 +3651,15 @@ private final void startProcessLocked(ProcessRecord app, String hostingType,
             app.killedByAm = false;
             checkTime(startTime, "startProcess: starting to update pids map");
             synchronized (mPidsSelfLocked) {
+                ProcessRecord oldApp;
+                // If there is already an app occupying that pid that hasn't been cleaned up
+                if ((oldApp = mPidsSelfLocked.get(startResult.pid)) != null && !app.isolated) {
+                    // Clean up anything relating to this pid first
+                    Slog.w(TAG, "Reusing pid " + startResult.pid
+                            + " while app is still mapped to it");
+                    cleanUpApplicationRecordLocked(oldApp, false, false, -1,
+                            true /*replacingPid*/);
+                }
                 this.mPidsSelfLocked.put(startResult.pid, app);
                 if (isActivityProcess) {
                     Message msg = mHandler.obtainMessage(PROC_START_TIMEOUT_MSG);
@@ -4804,7 +4813,8 @@ public void overridePendingTransition(IBinder token, String packageName,
     private final void handleAppDiedLocked(ProcessRecord app,
             boolean restarting, boolean allowRestart) {
         int pid = app.pid;
-        boolean kept = cleanUpApplicationRecordLocked(app, restarting, allowRestart, -1);
+        boolean kept = cleanUpApplicationRecordLocked(app, restarting, allowRestart, -1,
+                false /*replacingPid*/);
         if (!kept && !restarting) {
             removeLruProcessLocked(app);
             if (pid > 0) {
@@ -15903,7 +15913,8 @@ private final boolean removeDyingProviderLocked(ProcessRecord proc,
      * app that was passed in must remain on the process lists.
      */
     private final boolean cleanUpApplicationRecordLocked(ProcessRecord app,
-            boolean restarting, boolean allowRestart, int index) {
+            boolean restarting, boolean allowRestart, int index, boolean replacingPid) {
+        Slog.d(TAG, "cleanUpApplicationRecord -- " + app.pid);
         if (index >= 0) {
             removeLruProcessLocked(app);
             ProcessList.remove(app.pid);
@@ -16033,7 +16044,9 @@ private final boolean cleanUpApplicationRecordLocked(ProcessRecord app,
         if (!app.persistent || app.isolated) {
             if (DEBUG_PROCESSES || DEBUG_CLEANUP) Slog.v(TAG_CLEANUP,
                     "Removing non-persistent process during cleanup: " + app);
-            removeProcessNameLocked(app.processName, app.uid);
+            if (!replacingPid) {
+                removeProcessNameLocked(app.processName, app.uid);
+            }
             if (mHeavyWeightProcess == app) {
                 mHandler.sendMessage(mHandler.obtainMessage(CANCEL_HEAVY_NOTIFICATION_MSG,
                         mHeavyWeightProcess.userId, 0));
@@ -20001,7 +20014,7 @@ final void trimApplications() {
                             // Ignore exceptions.
                         }
                     }
-                    cleanUpApplicationRecordLocked(app, false, true, -1);
+                    cleanUpApplicationRecordLocked(app, false, true, -1, false /*replacingPid*/);
                     mRemovedProcesses.remove(i);
 
                     if (app.persistent) {
diff --git a/services/core/java/com/android/server/am/BroadcastQueue.java b/services/core/java/com/android/server/am/BroadcastQueue.java
@@ -297,6 +297,11 @@ public boolean sendPendingBroadcastsLocked(ProcessRecord app) {
         boolean didSomething = false;
         final BroadcastRecord br = mPendingBroadcast;
         if (br != null && br.curApp.pid == app.pid) {
+            if (br.curApp != app) {
+                Slog.e(TAG, "App mismatch when sending pending broadcast to "
+                        + app.processName + ", intended target is " + br.curApp.processName);
+                return false;
+            }
             try {
                 mPendingBroadcast = null;
                 processCurBroadcastLocked(br, app);
diff --git a/services/core/java/com/android/server/fingerprint/FingerprintService.java b/services/core/java/com/android/server/fingerprint/FingerprintService.java
@@ -127,6 +127,7 @@ public void handleMessage(android.os.Message msg) {
     private IFingerprintDaemon mDaemon;
     private final PowerManager mPowerManager;
     private final AlarmManager mAlarmManager;
+    private int mCurrentUserId = UserHandle.USER_NULL;
 
     private final BroadcastReceiver mLockoutReceiver = new BroadcastReceiver() {
         @Override
@@ -340,7 +341,8 @@ void startEnrollment(IBinder token, byte[] cryptoToken, int groupId,
             return;
         }
         stopPendingOperations(true);
-        mEnrollClient = new ClientMonitor(token, receiver, groupId, restricted, token.toString());
+        mEnrollClient = new ClientMonitor(token, receiver, mCurrentUserId, groupId, restricted,
+                token.toString());
         final int timeout = (int) (ENROLLMENT_TIMEOUT_MS / MS_PER_SEC);
         try {
             final int result = daemon.enroll(cryptoToken, groupId, timeout);
@@ -428,7 +430,8 @@ void startAuthentication(IBinder token, long opId, int groupId,
             return;
         }
         stopPendingOperations(true);
-        mAuthClient = new ClientMonitor(token, receiver, groupId, restricted, opPackageName);
+        mAuthClient = new ClientMonitor(token, receiver, mCurrentUserId, groupId, restricted,
+                opPackageName);
         if (inLockoutMode()) {
             Slog.v(TAG, "In lockout mode; disallowing authentication");
             if (!mAuthClient.sendError(FingerprintManager.FINGERPRINT_ERROR_LOCKOUT)) {
@@ -485,7 +488,8 @@ void startRemove(IBinder token, int fingerId, int userId,
         }
 
         stopPendingOperations(true);
-        mRemoveClient = new ClientMonitor(token, receiver, userId, restricted, token.toString());
+        mRemoveClient = new ClientMonitor(token, receiver, mCurrentUserId, userId, restricted,
+                token.toString());
         // The fingerprint template ids will be removed when we get confirmation from the HAL
         try {
             final int result = daemon.remove(fingerId, userId);
@@ -623,15 +627,17 @@ private void notifyLockoutResetMonitors() {
     private class ClientMonitor implements IBinder.DeathRecipient {
         IBinder token;
         IFingerprintServiceReceiver receiver;
-        int userId;
+        int userId; // userId of the caller
+        int currentUserId; // current user id when this was created
         boolean restricted; // True if client does not have MANAGE_FINGERPRINT permission
         String owner;
 
-        public ClientMonitor(IBinder token, IFingerprintServiceReceiver receiver, int userId,
-                boolean restricted, String owner) {
+        public ClientMonitor(IBinder token, IFingerprintServiceReceiver receiver,
+                int currentUserId, int userId, boolean restricted, String owner) {
             this.token = token;
             this.receiver = receiver;
             this.userId = userId;
+            this.currentUserId = currentUserId;
             this.restricted = restricted;
             this.owner = owner; // name of the client that owns this - for debugging
             try {
@@ -720,9 +726,9 @@ private boolean sendAuthenticated(int fpId, int groupId) {
                             Slog.v(TAG, "onAuthenticated(owner=" + mAuthClient.owner
                                     + ", id=" + fpId + ", gp=" + groupId + ")");
                         }
-                        Fingerprint fp = !restricted ?
-                                new Fingerprint("" /* TODO */, groupId, fpId, mHalDeviceId) : null;
-                        receiver.onAuthenticationSucceeded(mHalDeviceId, fp);
+                        Fingerprint fp = !restricted ? new Fingerprint("" /* TODO */, groupId, fpId,
+                                mHalDeviceId) : null;
+                        receiver.onAuthenticationSucceeded(mHalDeviceId, fp, currentUserId);
                     }
                 } catch (RemoteException e) {
                     Slog.w(TAG, "Failed to notify Authenticated:", e);
@@ -1147,6 +1153,7 @@ private void updateActiveGroup(int userId) {
                 Slog.e(TAG, "Failed to setActiveGroup():", e);
             }
         }
+        mCurrentUserId = userId;
     }
 
     private void listenForUserSwitches() {
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -21,8 +21,11 @@
 
 import java.net.HttpURLConnection;
 import java.net.URL;
-import libcore.io.Streams;
 
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.IOException;
 import java.util.Properties;
 import java.util.Random;
@@ -36,6 +39,7 @@ public class GpsXtraDownloader {
 
     private static final String TAG = "GpsXtraDownloader";
     private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+    private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000;  // 1MB.
     private static final String DEFAULT_USER_AGENT = "Android";
 
     private final String[] mXtraServers;
@@ -121,7 +125,19 @@ protected byte[] doDownload(String url) {
                 return null;
             }
 
-            return Streams.readFully(connection.getInputStream());
+            try (InputStream in = connection.getInputStream()) {
+                ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+                byte[] buffer = new byte[1024];
+                int count;
+                while ((count = in.read(buffer)) != -1) {
+                    bytes.write(buffer, 0, count);
+                    if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+                        if (DEBUG) Log.d(TAG, "XTRA file too large");
+                        return null;
+                    }
+                }
+                return bytes.toByteArray();
+            }
         } catch (IOException ioe) {
             if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
         } finally {
@@ -133,3 +149,4 @@ protected byte[] doDownload(String url) {
     }
 
 }
+

Original file line number	Diff line number	Diff line change
`@@ -301,7 +301,7 @@ public boolean checkPattern(List<LockPatternView.Cell> pattern, int userId)`
`301`	`301`	`return false;`
`302`	`302`	`}`
`303`	`303`	`} catch (RemoteException re) {`
`304`		`- return true;`
	`304`	`+ return false;`
`305`	`305`	`}`
`306`	`306`	`}`
`307`	`307`
`@@ -350,7 +350,7 @@ public boolean checkPassword(String password, int userId) throws RequestThrottle`
`350`	`350`	`return false;`
`351`	`351`	`}`
`352`	`352`	`} catch (RemoteException re) {`
`353`		`- return true;`
	`353`	`+ return false;`
`354`	`354`	`}`
`355`	`355`	`}`
`356`	`356`