Bug 120032857 is seeing what appears to be allocations with incorrect
end addresses, leading to a much later crash when it tries to map
a zero page outside the valid virtual address space. Detect allocations
that extend outside the highest or lowest memory mapping and crash
immediately instead.
Test: memunreachable_test
Bug: 120032857
Change-Id: I9be670a025143e7078360a6bf7a83219279614d9
Even though it isn't strictly needed when not system-as-root, for
backwards compatibility, it is desired to keep this symlink.
Bug: 119851742
Test: tree-hugger
Change-Id: I47bc25ab257336f56ef09b5db6ebaf6b17daad35
This change adds an ANDROID_RUNTIME_ROOT environment variable
to indicate the root of the Android runtime. This can be
used in place of ANDROID_SYSTEM to locate files when they
move inside the runtime APEX.
Bug: 119935277
Test: build / boot
Change-Id: Ic3b1ae3e3c98eea7d7c59e514ce62994679ab7b7
This CL also adds namespace android::fs_mgr and remove FsManager* prefix
for class names. Note that android::fs_mgr::FsManagerAvbOps will be removed
in later CLs when fs_mgr doesn't rely on libavb->avb_slot_verify() to
parse vbmeta structs.
Some lingering sources for by_name_symlink_map_ are also removed.
Bug: 112103720
Test: boot crosshatch_mainline-userdebug
Change-Id: I2d1a5cc39bcd5a699da8d5539f191d8c7737c4af
The --fastdeploy switch caused errors when CRC collisions were present in the input apk and/or
an apk with a similar package name to the input apk was already installed on the device.
Test: mm -j 64
Test: adb install -r --fastdeploy --force-agent --local-agent /mnt/raid/boat-attack-apk/boat-attack-swappy.apk
Bug: 119934862
Change-Id: Ibfe0cec38bdbb7371803fc2f73b0ec1697cef624
On retrofit devices, if both slots contain dynamic partition builds,
then "flashall" will attempt to write secondary images to dynamic
partitions in the other slot. At worst, this can fail with an error. At
best, it will result in the "other" partition not being mounted on first
boot.
This patch therefore deletes logical partitions for secondary images, on
retrofit devices only. On a Pixel device on the "b" slot, this means
"system_a" and "vendor_a" will be deleted before flashing, and therefore
system_other and vendor_other will be flashed to physical partitions
instead.
Bug: 120034852
Test: fastboot set_active a
fastboot flashall
fastboot set_active b
fastboot flashall
Change-Id: I6affe9a6c639b0495bffc77fcf20f329b86ad159
Check if overlayfs is supplied in the kernel before proceeding to
determining if there is a disabled verity and an overlayfs filesystem
to deploy.
Test: adb-remount-test.sh
Bug: 119929969
Change-Id: I28116f0aa6959040bb9f38f46c058a221591f735
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. This change adds such a check.
If the check fails, it will prevent the device from booting
by rebooting into the bootloader.
Bug: 119826244
Test: Built for walleye. After device booted examined dmesg and
observed logs from init showing that the new task did
start. Further, when BoringSSL is built to fail its self
check the device did stop during a normal boot and enter
the bootloader, and did so before the boot animation stopped.
Change-Id: I07a5dc73a314502c87de566bb26f4d73499d2675
This reverts commit 055347e564.
Reason for revert:
init boots with XOM now. I think this was fixed when this boringssl patch got merged in earlier this week (init has a static dependency on libcrypto):
https://boringssl-review.googlesource.com/c/boringssl/+/33245
Change-Id: I70e15fad4a194c0d2087941bba70dfcd38abe8b5
Follow up to the change made for AVB2 devices in
I19371b05912240480dc50864a2c04131258a7103.
The same consideration must be made in the fall through case, which
is taken either if AVB is completely disabled, or the dm-verity / AVB1
mechanism is used.
Bug: 113175337
Test: boot test on cuttlefish
Change-Id: I99d46a2c2630c40f5f5c02279b11e423998a1e05
Some devices we want to test on, like cuttlefish, may not have a
partition table on any block device Android can see. The partitions are
simply exposed as separate block devices. This means we need to be able
to override the super_partition name to a regular block device name even
on non-A/B devices.
Bug: 113175337
Test: boot test on cuttlefish
Change-Id: I6ff460d0ba7b1e26cb5d60ba446737aa49549c18
When checking for existence of "super_empty.img" to determine if
flash image product set is meant for logical partitions, we die if
ANDROID_PRODUCT_OUT environment is unset or empty. This check
is done before we look at the flash image name to determine if it
is a candidate to look at the logical metadata.
Instead, allow this check to conservatively fail for now.
Test: export ANDROID_PRODUCT_OUT=
fastboot flash bootloader
Bug: 120041144
Change-Id: I43f124015f9d26c79a0feb9123522432fe937343
Merged-In: I43f124015f9d26c79a0feb9123522432fe937343
Non-treblized devices use ld.config.legacy.txt, which does not
support product partition, leading to access denial from/to product partition.
Declare directly /product since search paths are resolved in linker config.
Test: m -j with non-treblized device upgraded to P.
Change-Id: Ic142b807f5dbffdfa5c774b3df8d0903b9626b6a
There is a problem about tombstone, which it will fail to
generate tombstone file in some scenarios due to socket
communication exception.
Reproduce step:
step 1: reboot device
step 2: ps -ef |grep zygote , get the pid of zygote64
(Attention: zygote64 should never been killed or reboot,
otherwise we can get the tombstone file)
step 3: kill -5 pid of zygote64
step 4: cd data/tombstones/, and could not find the tombstone
file of zygote64.
[Cause Analysis]
1. There are following logs by logcat:
11-19 15:38:43.789 569 569 F libc : Fatal signal 5 (SIGTRAP),
code 0 (SI_USER) in tid 569 (main), pid 569 (main)
11-19 15:38:43.829 6115 6115 I crash_dump64: obtaining output
fd from tombstoned, type: kDebuggerdTombstone
11-19 15:38:43.830 569 5836 I Zygote : Process 6114 exited
cleanly (0)
11-19 15:38:43.830 777 777 I /system/bin/tombstoned: received
crash request for pid 569
11-19 15:38:43.831 6115 6115 I crash_dump64: performing dump of
process 569 (target tid = 569)
...
11-19 15:38:43.937 777 777 W /system/bin/tombstoned: crash
socket received short read of length 0 (expected 12)
2. The last log was print by function of crash_request_cb in
file of tombstoned.cpp, following related code:
rc = TEMP_FAILURE_RETRY(read(sockfd, &request, sizeof(request)));
if (rc == -1) {
PLOG(WARNING) << "failed to read from crash socket";
goto fail;
} else if (rc != sizeof(request)) {
LOG(WARNING) << "crash socket received short read of length " << rc << " (expected "
<< sizeof(request) << ")";
goto fail;
}
Tombstoned read message by socket, and now the message length is
zero. Some socket communication exception occurs at that time.
We try to let crash_dump resend the socket message when the
communication is abnormal. Just as this CL.
Test: 1 reboot device
2 ps -ef |grep zygote , get the pid of zygote64
(Attention: zygote64 should never been killed or reboot,
otherwise we can get the tombstone file)
3 kill -5 pid of zygote64
4 cd data/tombstones/, and could find the tombstone file of
zygote64.
Change-Id: Ic152b081024d6c12f757927079fd221b63445b18
The excessive logging of pages with segfaults is making it hard to
see what caused the problem, only log the first page that segfaults,
the range that was being walked when the first segfault happened,
and the total number of pages that segfaulted.
Bug: 120032857
Test: memunreachable_test --gtest_filter=HeapWalkerTest.segv
Change-Id: I71821a3f5be65f2fbcb36afc4b7b1ffa4a48e660
Most vendor_overlay files are product specific that are not allowed
to be installed on system partition.
To install those files on product partition, product/vendor_overlay
is added to the vendor_overlay source directory list.
If the same files are provided from both partitions, files on product
partition will be used.
Bug: 119850553
Test: Build and boot to check if the vendor_overlay works
Change-Id: I1ae97cb5c9dd66d1da5c9eaa3133426d2ba77471
There is an issue in LogAudit::auditParse where
android::uidToName(uid) crashes with a null pointer dereference.
Include a null check on the value before passing it on.
Bug: 120043607
Test: End-to-end test with syzkaller as per instructions in bug.
Change-Id: Ic0ac5c3003fcd289ec156ce63fbd668413763429
If scratch gets made too small (eg: fastboot flash scratch small-file)
it can not recover without a workaround. The workaround is not
intuitive, (adb enable-verity then adb disable-verity to erase and
re-establish the proper sized scratch. This needs to be automatic.
If we detect it is too small to support a filesystem, resize it to an
more appropriate size if it exists.
Alter unit test to check for fastboot characteristics and assumptions
associated with the scratch partition, and a test case to flash the
partition.
Test: adb-remount-test.sh
Bug: 109821005
Change-Id: Icfceaa461c2bf13ca5a7dd4e34675dde8a4d251f
Currently /dev/uinput is owned by system/bluetooth.
But that's inconsistent with some of the sepolicies for uhid_device.
This also means that the new native tests for inputflinger aren't able
to execute properly, because they require the ability to register a new
input device via uinput.
Bug: none
Test: atest inputflinger_test
The newly added EventHub_test is still under review
Change-Id: I53524738db1a5d3ba962b9bec35ef322ed3028f2
init doesn't cooperate with execute-only memory just yet, so disable it
until we can determine the root cause.
Bug: 77958880
Test: Device boots.
Change-Id: Ieb78315ba1e48c9cd0d047a42951bd3fbd36641b
Make XOM related crashes a little less mysterious by adding an abort
cause explaining the crash.
Bug: 77958880
Test: Abort cause in tombstone for a XOM-related crash.
Change-Id: I7af1bc251d9823bc755ad98d8b3b87c12bbaecba
