Merge the 2021-02-05 SPL branch from AOSP-Partner
* security-aosp-pi-release:
Fix OOB read in DNS resolver
Change-Id: I8e96083695807d17a95edef2b69b02d5135cfadb
diff --git a/libc/bionic/jemalloc_wrapper.cpp b/libc/bionic/jemalloc_wrapper.cpp
index 19081a4..0e82066 100644
--- a/libc/bionic/jemalloc_wrapper.cpp
+++ b/libc/bionic/jemalloc_wrapper.cpp
@@ -79,6 +79,18 @@
}
}
return 1;
+ } else if (param == M_PURGE) {
+ unsigned narenas;
+ size_t sz = sizeof(unsigned);
+ if (je_mallctl("arenas.narenas", &narenas, &sz, nullptr, 0) != 0) {
+ return 0;
+ }
+ char buffer[100];
+ snprintf(buffer, sizeof(buffer), "arena.%u.purge", narenas);
+ if (je_mallctl(buffer, nullptr, nullptr, nullptr, 0) != 0) {
+ return 0;
+ }
+ return 1;
}
return 0;
}
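Review bot: The `snprintf` in the new `M_PURGE` branch passes `narenas` itself as the arena index, which reads like an off-by-one unless the reader knows the jemalloc convention that an index equal to `arenas.narenas` addresses every arena. That convention depends on the bundled jemalloc version (newer releases use `MALLCTL_ARENAS_ALL` instead), so I would add `// jemalloc treats index == arenas.narenas as "all arenas"; revisit if jemalloc is upgraded.` above the `snprintf`. The visible lines purge arenas only and do not flush the calling thread's tcache, so memory still held there is presumably not released; the comment should say whether that is intended. The enclosing function starts outside the hunk.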
diff --git a/libc/bionic/pthread_create.cpp b/libc/bionic/pthread_create.cpp
index 21a707b..8825c6f 100644
--- a/libc/bionic/pthread_create.cpp
+++ b/libc/bionic/pthread_create.cpp
@@ -65,8 +65,6 @@
return false;
}
- prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, allocation, allocation_size, "bionic TLS guard");
-
// Carve out the writable TLS section.
thread->bionic_tls = reinterpret_cast<bionic_tls*>(static_cast<char*>(allocation) +
PTHREAD_GUARD_SIZE);
@@ -77,7 +75,6 @@
return false;
}
- prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, thread->bionic_tls, BIONIC_TLS_SIZE, "bionic TLS");
return true;
}
@@ -105,7 +102,6 @@
// We can only use const static allocated string for mapped region name, as Android kernel
// uses the string pointer directly when dumping /proc/pid/maps.
prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ss.ss_sp, ss.ss_size, "thread signal stack");
- prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, stack_base, PTHREAD_GUARD_SIZE, "thread signal stack guard");
}
}
@@ -184,8 +180,6 @@
munmap(space, mmap_size);
return NULL;
}
- prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, space, stack_guard_size, "thread stack guard");
-
return space;
}
diff --git a/libc/dns/resolv/res_cache.c b/libc/dns/resolv/res_cache.c
index dda8694..8de9643 100644
--- a/libc/dns/resolv/res_cache.c
+++ b/libc/dns/resolv/res_cache.c
@@ -2067,14 +2067,19 @@
// max_samples actually change, in practice the overhead of checking is higher than the
// cost, and overflows are unlikely
++cache_info->revision_id;
- } else if (cache_info->params.max_samples != old_max_samples) {
- // If the maximum number of samples changes, the overhead of keeping the most recent
- // samples around is not considered worth the effort, so they are cleared instead. All
- // other parameters do not affect shared state: Changing these parameters does not
- // invalidate the samples, as they only affect aggregation and the conditions under
- // which servers are considered usable.
- _res_cache_clear_stats_locked(cache_info);
- ++cache_info->revision_id;
+ } else {
+ if (cache_info->params.max_samples != old_max_samples) {
+ // If the maximum number of samples changes, the overhead of keeping the most recent
+ // samples around is not considered worth the effort, so they are cleared instead.
+ // All other parameters do not affect shared state: Changing these parameters does
+ // not invalidate the samples, as they only affect aggregation and the conditions
+ // under which servers are considered usable.
+ _res_cache_clear_stats_locked(cache_info);
+ ++cache_info->revision_id;
+ }
+ for (unsigned j = 0; j < numservers; j++) {
+ freeaddrinfo(nsaddrinfo[j]);
+ }
}
// Always update the search paths, since determining whether they actually changed is
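Review bot: The added loop frees every `nsaddrinfo[j]` but leaves the stale pointers in the array, so any later read of `nsaddrinfo` in this function would be a use-after-free or a double free. The function starts and ends outside the hunk, so I cannot confirm that nothing below touches the array. Clearing each slot right after the call, `nsaddrinfo[j] = NULL;`, keeps a future edit from turning this leak fix into a memory-safety bug. The loop also assumes all `numservers` entries were populated and that ownership was not handed to `cache_info` on this path. A one-line comment such as `// Servers unchanged: nsaddrinfo was not stored in cache_info, so release it here.` would record that, if it matches the earlier code.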
diff --git a/libc/include/arpa/inet.h b/libc/include/arpa/inet.h
index db054c9..7716b94 100644
--- a/libc/include/arpa/inet.h
+++ b/libc/include/arpa/inet.h
@@ -33,6 +33,7 @@
#include <stdint.h>
#include <sys/cdefs.h>
#include <sys/types.h>
+#include <inaddr.h>
__BEGIN_DECLS
diff --git a/libc/include/inaddr.h b/libc/include/inaddr.h
new file mode 100644
index 0000000..2d3fbb1
--- /dev/null
+++ b/libc/include/inaddr.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _INADDR_H_
+#define _INADDR_H_
+
+#include <stdint.h>
+
+typedef uint32_t in_addr_t;
+
+#endif
+
diff --git a/libc/include/malloc.h b/libc/include/malloc.h
index 3a678a9..d850a3b 100644
--- a/libc/include/malloc.h
+++ b/libc/include/malloc.h
@@ -79,6 +79,7 @@
/* mallopt options */
#define M_DECAY_TIME -100
+#define M_PURGE -101
int mallopt(int __option, int __value) __INTRODUCED_IN(26);
/*
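Review bot: `M_PURGE` is added to a public header with no description, while the only visible implementation (the jemalloc wrapper in this commit) never reads the `__value` argument on that path. Callers need to know that, so I would add a comment above the define, for example `/* mallopt(M_PURGE, 0): ask the allocator to return unused memory to the kernel; __value is ignored. */`. It would also help to state what `mallopt` returns when the allocator in use does not implement the option.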
diff --git a/linker/linker.cpp b/linker/linker.cpp
index c78b9ab..3c83fab 100644
--- a/linker/linker.cpp
+++ b/linker/linker.cpp
@@ -3860,7 +3860,15 @@
// somain and ld_preloads are added to these namespaces after LD_PRELOAD libs are linked
}
- set_application_target_sdk_version(config->target_sdk_version());
+ uint32_t target_sdk = config->target_sdk_version();
+ // The Qualcomm camera deamon is a legacy service written for Android 6 and
+ // causes a check in __pthread_internal_find to fail. It has the generic
+ // __ANDROID_API__ ("future API") SDK version here. Hard-code it to M instead.
+ if (std::string(executable_path) == "/system/vendor/bin/mm-qcamera-daemon") {
+ target_sdk = __ANDROID_API_M__;
+ DEBUG("Forcing target SDK version of %s to %d", executable_path, target_sdk);
+ }
+ set_application_target_sdk_version(target_sdk);
std::vector<android_namespace_t*> created_namespaces;
created_namespaces.reserve(namespaces.size());
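Review bot: The new `if` selects a binary purely by path string and then lowers its target SDK to M, which, per the added comment, switches off a check in `__pthread_internal_find` for that process; this is a deliberate weakening of a safety check and should be as narrow and as visible as possible. `std::string(executable_path)` is undefined behaviour if `executable_path` can be null (its origin is outside the hunk) and allocates for a single comparison; `if (executable_path != nullptr && strcmp(executable_path, "/system/vendor/bin/mm-qcamera-daemon") == 0) {` avoids both. If `executable_path` is a resolved path and `/system/vendor` is a symlink on some devices, the literal may never match, so the comment should say which form of the path is expected. Since `DEBUG` output is presumably compiled out or off by default, consider logging the override at a level that shows up in normal logs so the relaxed check is auditable.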