Update BatteryStatsService.java #5
Open
uvitor wants to merge 1 commit into
testing to fix app info crashing on S10
phhusson pushed a commit that referenced this pull request Jun 2, 2020
There is a potential injection by using screencap in case of user handled parameters.

"dumpstate" command launches "screencap", when the "-p" argument is set. At that moment, content of "-o" parameter generates a path with ".png" extension to define "screencap" argument.

"dumpstate" is often run as a service with "root" privileges such as defined in "dumpstate.rc". For instance "bugreportz" calls "ctl.start" property with "dumpstatez".

Launching "dumpstate" with "-p" option and a user input as "-o" would result in a root command execution. SE Linux might protect part of this attack.

Cherry-pick from ag/10651695 with fix ag/10700515

Bug: 123230379
Test: please see commands #4 and #5
Change-Id: Icd88cdf4af153e07addb4449cdb117b1a3c881d3
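The pattern this commit message describes, as an added example that is not part of the commit or of AOSP's dumpstate: a "-o" value pasted into a shell-parsed command string, beside the same value validated and passed as a single argv element. The function names, the `/data/bugreports/` directory and the sample inputs are assumptions constructed for illustration.

```cpp
// Added illustration; names, allowed directory and inputs are hypothetical.
#include <iostream>
#include <string>
#include <vector>

// Weak form: the "-o" value is pasted into a string that a shell will parse,
// so shell metacharacters in it become syntax instead of data.
std::string screencap_shell_string(const std::string& out_base) {
    return "/system/bin/screencap -p " + out_base + ".png";
}

// Accept only a path under allowed_dir (absolute, ending in '/') built from
// [A-Za-z0-9._/-] and containing no "..".
bool is_safe_out_base(const std::string& out_base, const std::string& allowed_dir) {
    if (out_base.size() <= allowed_dir.size() || out_base.size() > 1024) return false;
    if (out_base.compare(0, allowed_dir.size(), allowed_dir) != 0) return false;
    if (out_base.find("..") != std::string::npos) return false;
    for (unsigned char c : out_base) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '/' || c == '-';
        if (!ok) return false;
    }
    return true;
}

// Hardened form: validate first, then fill an argv vector meant for execv().
// The path stays a single argument and no shell ever parses it.
bool build_screencap_argv(const std::string& out_base, const std::string& allowed_dir,
                          std::vector<std::string>* argv) {
    argv->clear();
    if (!is_safe_out_base(out_base, allowed_dir)) return false;
    *argv = {"/system/bin/screencap", "-p", out_base + ".png"};
    return true;
}

int main() {
    const std::string dir = "/data/bugreports/";  // constructed example directory
    const std::vector<std::string> samples = {    // constructed "-o" values
        dir + "report-1", dir + "a;b", dir + "../../system/x", "relative/name"};
    for (const std::string& s : samples) {
        std::vector<std::string> argv;
        bool ok = build_screencap_argv(s, dir, &argv);
        std::cout << (ok ? "accepted: " : "rejected: ") << s << "\n";
    }
    return 0;
}
```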
abun880007 pushed a commit to 420rom/platform_frameworks_base that referenced this pull request Dec 20, 2020
abun880007 pushed a commit to 420rom/platform_frameworks_base that referenced this pull request Feb 8, 2024
Fix NULL deref
```
Cmdline: com.android.systemui
pid: 2530, tid: 2589, name: RenderThread >>> com.android.systemui <<<
uid: 10293
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000010
Cause: null pointer dereference
x0 b400007cbe7b8ff0 x1 0000007bf78fb9f0 x2 b400007c8c184898 x3 0000000000000001
x4 0000007bf78faf80 x5 00000000007f5687 x6 000000001991ade0 x7 0000000000000010
x8 0000000000000000 x9 43490de4ff9b0700 x10 b400007cbe7b8c00 x11 0000000000000002
x12 0000000000000000 x13 000000003f800000 x14 000000003f800000 x15 0000000000000000
x16 0000007d71724720 x17 0000007d57ccdb00 x18 0000007bf7568000 x19 b400007cbe7b8ff0
x20 b400007cbe7b9018 x21 b400007cbe7b8ff0 x22 b400007cbe280010 x23 b400007cbe280000
x24 7ffffffffffffff8 x25 1fffffffffffffff x26 00000000ffffffff x27 b400007c7e1b0da8
x28 0000007bf78fc000 x29 0000007bf78fb7a0
lr 0000007d67aaf330 sp 0000007bf78fb7a0 pc 0000007d67ab1590 pst 0000000020001000
backtrace:
#00 pc 0000000000253590 /system/lib64/libhwui.so (android::uirenderer::AnimatorManager::pushStaging()+112)
#01 pc 000000000025132c /system/lib64/libhwui.so (android::uirenderer::AnimationContext::runRemainingAnimations(android::uirenderer::TreeInfo&)+44)
#02 pc 0000000000267664 /system/lib64/libhwui.so (android::uirenderer::AnimationContextBridge::runRemainingAnimations(android::uirenderer::TreeInfo&)+36)
#03 pc 0000000000292720 /system/lib64/libhwui.so (android::uirenderer::renderthread::CanvasContext::prepareTree(android::uirenderer::TreeInfo&, long*, long, android::uirenderer::RenderNode*)+352)
#04 pc 00000000002959c8 /system/lib64/libhwui.so (std::__1::__function::__func<android::uirenderer::renderthread::DrawFrameTask::postAndWait()::$_0, std::__1::allocator<android::uirenderer::renderthread::DrawFrameTask::postAndWait()::$_0>, void ()>::operator()() (.c1671e787f244890c877724752face20)+360)
#05 pc 0000000000282ce4 /system/lib64/libhwui.so (android::uirenderer::WorkQueue::process()+1108)
#06 pc 00000000002a808c /system/lib64/libhwui.so (android::uirenderer::renderthread::RenderThread::threadLoop()+556)
#07 pc 0000000000013a14 /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+436)
#08 pc 00000000000d07ac /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204)
#09 pc 00000000000567f0 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64)
```
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
abun880007 pushed a commit to 420rom/platform_frameworks_base that referenced this pull request Feb 8, 2024
* I thought this was fixed by dropping HB and freetype modifications but a user reported a sysui crash without logcat nor context so I'm using my old copy
* addr2line was pointing the NPD [1] to a new instance of SkMemoryStream (if I'm not mistaken)
```
minaripenguin@minaripenguin:~/bugreport-oriole-TQ2A.230405.003.E1-2023-04-13-09-02-17/FS/data/tombstones$ addr2line -f -e '/mnt/xxxx/xxxxx/out/target/product/oriole/system/lib/libhwui.so' 000000000024a61c
_ZN14SkMemoryStreamC2E5sk_spI6SkDataE
```
* to temporarily aid the crash issue, until we find and fix the font that causes the crash, silently swallow the errors since the rom shouldn't be booting at all if current font in use has invalid data.
[1]
```
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
RisingOS Version: '1.0-20230412-UNOFFICIAL-oriole'
Build fingerprint: 'google/oriole/oriole:13/TQ2A.230305.008.E1/9677224:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm64'
Timestamp: 2023-04-13 00:41:15.026955853+0800
Process uptime: 216s
Cmdline: com.android.systemui
pid: 17576, tid: 17613, name: RenderThread >>> com.android.systemui <<<
uid: 10403
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000010
Cause: null pointer dereference
x0 b4000074cc5b7e60 x1 00000072ca63fa20 x2 00000072ca63fa20 x3 0000000000000001
x4 00000072ca63efa0 x5 000000747c59e4bc x6 00005a120000edab x7 0000906f00008280
x8 0000000000000000 x9 56bd015d3f6fc8f6 x10 0000000000000000 x11 000000000000001a
x12 0000000000000000 x13 b4000074ecbba980 x14 0000000000000033 x15 0000000000000019
x16 00000075f74ae6a8 x17 00000075fdb0fec0 x18 00000072ca470000 x19 b4000074cc5b7e60
x20 b4000074cc5b7e88 x21 b4000074cc5b7e60 x22 b40000737c76ae48 x23 b40000737c76ae30
x24 7ffffffffffffff8 x25 1fffffffffffffff x26 00000000ffffffff x27 b4000073cc52f898
x28 00000072ca547000 x29 00000072ca63f7e0
lr 00000075eec487e0 sp 00000072ca63f7e0 pc 00000075eec4a61c pst 0000000020001000
backtrace:
#00 pc 000000000024a61c /system/lib64/libhwui.so (android::uirenderer::AnimatorManager::pushStaging()+108) (BuildId: f37109e40765e94e2634e351e2ba0981)
#01 pc 00000000002487dc /system/lib64/libhwui.so (android::uirenderer::AnimationContext::runRemainingAnimations(android::uirenderer::TreeInfo&)+44) (BuildId: f37109e40765e94e2634e351e2ba0981)
#02 pc 000000000025b2a4 /system/lib64/libhwui.so (android::uirenderer::AnimationContextBridge::runRemainingAnimations(android::uirenderer::TreeInfo&)+36) (BuildId: f37109e40765e94e2634e351e2ba0981)
#03 pc 000000000027fdcc /system/lib64/libhwui.so (android::uirenderer::renderthread::CanvasContext::prepareTree(android::uirenderer::TreeInfo&, long*, long, android::uirenderer::RenderNode*)+348) (BuildId: f37109e40765e94e2634e351e2ba0981)
#04 pc 0000000000282bdc /system/lib64/libhwui.so (std::__1::__function::__func<android::uirenderer::renderthread::DrawFrameTask::postAndWait()::$_0, std::__1::allocator<android::uirenderer::renderthread::DrawFrameTask::postAndWait()::$_0>, void ()>::operator()() (.c1671e787f244890c877724752face20)+364) (BuildId: f37109e40765e94e2634e351e2ba0981)
#05 pc 0000000000272c34 /system/lib64/libhwui.so (android::uirenderer::WorkQueue::process()+580) (BuildId: f37109e40765e94e2634e351e2ba0981)
#06 pc 0000000000292e9c /system/lib64/libhwui.so (android::uirenderer::renderthread::RenderThread::threadLoop()+412) (BuildId: f37109e40765e94e2634e351e2ba0981)
#07 pc 0000000000013220 /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+416) (BuildId: 536947a6fb111c99b28090cdd95ee772)
#08 pc 00000000000bc1cc /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: 7c802f36645db769f96376c94049c9cf)
#09 pc 0000000000055020 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 7c802f36645db769f96376c94049c9cf)
```
Signed-off-by: minaripenguin <minaripenguin@users.noreply.github.com>
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>