Android Marshmallow AOSP Changes

Changes from 6.0.1_r68 (MTC20L) to 6.0.1_r69 (MMB30Y):

Warning: Releases with no significant changes other than a version bump in the platform/build component are likely to feature only proprietary binary blob (e.g. firmware) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (64):

  • device/asus/flo-kernel with 5 change(s)
    • f87ae9f : flo: update prebuilt kernel
    • 5fcd1f3 : flo: update prebuilt kernel
    • 133e144 : flo: update prebuilt kernel
    • fcd47fe : flo: update prebuilt kernel
    • 7bec2fc : flo: update prebuilt kernel

  • device/asus/fugu-kernel with 3 change(s)
    • 27d373a : fugu: update prebuilt kernel
    • 60a03c5 : fugu: update prebuilt kernel
    • 387e641 : fugu: update prebuilt kernel

  • device/htc/flounder-kernel with 1 change(s)
    • 4d7f6cb : flounder: update kernel prebuilt

  • device/huawei/angler with 1 change(s)
    • c09a606 : Remove TMO & MetroPCS for mcc/mnc 310/580 in apn-conf

  • device/huawei/angler-kernel with 9 change(s)
    • 7c93881 : angler: update prebuilt kernel
    • b66ad72 : angler: update prebuilt kernel
    • 902a87e : angler: update prebuilt kernel
    • b6a6168 : angler: update prebuilt kernel
    • 433dcff : angler: update prebuilt kernel
    • 032fd03 : angler: update prebuilt kernel
    • 289f63e : angler: update prebuilt kernel
    • 5de7325 : angler: update prebuilt kernel
    • a9be772 : angler: update prebuilt kernel

  • device/lge/bullhead with 2 change(s)
    • e91ecdb : Correct encoder peformance expected values
    • f2739a0 : Remove TMO & MetroPCS entries for mcc/mnc 310/580 in apn-conf

  • device/lge/bullhead-kernel with 4 change(s)
    • 1a6dff5 : bullhead: update prebuilt kernel
    • 62cea51 : bullhead: update prebuilt kernel
    • 926d561 : bullhead: update prebuilt kernel
    • e54ef6d : bullhead: update prebuilt kernel

  • device/lge/hammerhead with 1 change(s)
    • 1638379 : Remove TMO & MetroPCS entries for mcc/mnc 310/580 in apn-conf

  • device/lge/hammerhead-kernel with 6 change(s)
    • 6767894 : hammerhead: update prebuilt kernel
    • 90907a5 : hammerhead: update prebuilt kernel
    • a43c65c : hammerhead: update prebuilt kernel
    • c3c2a3d : hammerhead: update prebuilt kernel
    • 83ef69f : hammerhead: update prebuilt kernel
    • e230aeb : hammerhead: update prebuilt kernel

  • device/moto/shamu-kernel with 4 change(s)
    • 401ef24 : shamu: update prebuilt kernel
    • 672d67a : shamu: update prebuilt kernel
    • 036d81c : shamu: update prebuilt kernel
    • fe33504 : shamu: update prebuilt kernel

  • device/sample with 1 change(s)
    • afdacb6 : Remove TMO & MetroPCS entries for mcc/mnc 310/580 in apn-conf

  • platform/art with 1 change(s)
    • 7f57e8c : [WIP] ART: Write-protect TLS

  • platform/bootable/recovery with 1 change(s)
    • 6896261 : Fix integer overflows in recovery procedure.

  • platform/build with 94 change(s)

  • platform/dalvik with 1 change(s)
    • 0f5ea2f : Fix potential buffer overrun.

  • platform/external/aac with 3 change(s)
    • 5944dfa : Fix aacDecoder_drcExtractAndMap()
    • 79aaf83 : Fix stack corruption happening in aacDecoder_drcExtractAndMap()
    • 48b330d : Remove __DATE__/__TIME__

  • platform/external/boringssl with 2 change(s)
    • 98d0f1b : Fix encoding bug in i2c_ASN1_INTEGER
    • 0f905af : Remove support for mis-encoded PKCS#8 DSA keys.

  • platform/external/bouncycastle with 2 change(s)
    • 4ce8f65 : GCMParameters: in ASN1 encoding, use 12 when no value is specified
    • bc445d7 : GCMParameters: fix insecure tag size

  • platform/external/conscrypt with 6 change(s)
    • cb5102c : Use SSL_session_reused to check when a session was reused
    • 1406f14 : Fix updateAAD when offset is not 0
    • 59b06ff : OpenSSLCipher: multiple calls to updateAAD were ignored
    • e2e7583 : OpenSSLCipher: reset AAD when necessary
    • 4bdc877 : Prevent duplicate certificates in TrustedCertificateIndex
    • 04e7d1d : Cache intermediate CA separately

  • platform/external/dhcpcd with 1 change(s)
    • 2a5eac9 : Improve length checks in DHCP Options parsing of dhcpcd.

  • platform/external/flac with 2 change(s)
    • c804809 : src/libFLAC/stream_decoder.c : Fix NULL de-reference.
    • 7b8718a : Avoid free-before-initialize vulnerability in heap

  • platform/external/jhead with 2 change(s)
    • 33e0f8b : Fix possible out of bounds accesses
    • 9070da4 : Fix possible out of bounds access

  • platform/external/libavc with 13 change(s)
    • 6449db4 : Fixed error concealment when no MBs are decoded in the current pic
    • 6f05d8d : Decoder: Initialize first_pb_nal_in_pic for error slices
    • 39ff59e : Decoder: Do not conceal slices with invalid SPS/PPS
    • a24cb59 : Decoder: Fix slice number increment for error clips
    • a09b16b : Fix slice params for interlaced video
    • 67c4732 : Decoder: Set u1_long_term_reference_flag to 0 for error concealment
    • 3d01744 : Decoder: Initialize slice parameters before concealing error MBs
    • 8709f6a : Decoder: Memset few structures to zero to handle error clips
    • f511691 : Decoder: Fix for handling invalid intra mode
    • 0b24cbe : Decoder: Fix stack underflow in CAVLC 4x4 parse functions
    • 2eddadc : Ensure ih264d_start_of_pic() is not repeated in ih264d_mark_err_slice_skip()
    • c64afe7 : Decoder Update mb count after mb map is set.
    • 533e5a7 : Remove __DATE__/__TIME__ from Android builds

  • platform/external/libhevc with 2 change(s)
    • cc92338 : Added few memsets to avoid uninitialized reads for error clips
    • 3f4863f : Remove __DATE__/__TIME__ from Android builds

  • platform/external/libmpeg2 with 6 change(s)
    • 368a38b : Fixed out of bound read in flush_bits
    • d9c2855 : Fix for handling streams which resulted in negative num_mbs_left
    • 5d98623 : Fixed stack buffer overflow
    • 5422a29 : Return error for wrong mb_type
    • 154dea8 : Fixed bit stream access to make sure that it is not read beyond the allocated size.
    • 9c9fd7a : Remove __DATE__/__TIME__ from Android builds

  • platform/external/libnfc-nci with 2 change(s)
    • 63183d2 : Don't free memory that shouldn't be freed.
    • e3b367f : Fix 256-bit Thinfilm NFC barcode.

  • platform/external/libvpx with 1 change(s)
    • 5b03b33 : Fix ParseElementHeader to support 0 payload elements

  • platform/external/mdnsresponder with 1 change(s)
    • 11b8cee : Stop building __DATE__/__TIME__ into Android binaries

  • platform/external/noto-fonts with 6 change(s)
    • 8f0a9cf : Better compression for NotoColorEmoji
    • 4e14473 : Update NotoColorEmoji font to Unicode 7 and 8
    • a037025 : Revert "Update NotoColorEmoji font to Unicode 7 and 8"
    • de94b35 : Revert "Better compression for NotoColorEmoji"
    • 37d9071 : Better compression for NotoColorEmoji
    • 221e51b : Update NotoColorEmoji font to Unicode 7 and 8

  • platform/external/sepolicy with 4 change(s)
    • 1c4530a : expose control over unpriv perf access to shell
    • 37a6d5b : Remove generic socket access from untrusted processes
    • 8e68ded : Further restrict socket ioctls available to apps
    • 9acda2f : Enable permission checking by binderservicedomain.

  • platform/external/sonivox with 3 change(s)
    • cd07f55 : Fix NULL pointer dereference
    • c5843be : Sonivox: add SafetyNet log.
    • 6a21338 : Sonivox: sanity check numSamples.

  • platform/external/tremolo with 1 change(s)
    • 827b4e5 : Check partword is in range for # of partitions

  • platform/external/webrtc with 1 change(s)
    • e4dce38 : Remove __DATE__ and __TIME__ from tracing

  • platform/external/wpa_supplicant_8 with 3 change(s)
    • 8d7fc52 : Guard against return value already being null
    • 80833f4 : Remove newlines from config output
    • 86da57f : WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use

  • platform/frameworks/av with 60 change(s)
    • b3726cc : MediaPlayerService: allow next player to be NULL
    • ce7438d : Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d.
    • 2541af1 : Add EFFECT_CMD_SET_PARAM parameter checking
    • dee768a : soundtrigger: add size check on sound model and recogntion data
    • c471331 : MediaPlayerService: avoid invalid static cast
    • 1f8a0fe : better validation lengths of strings in ID3 tags
    • cb54be3 : SoftMPEG4: Check the buffer size before writing the reference frame.
    • 066151c : omx: prevent input port enable/disable for software codecs
    • dde79df : Fix build
    • 525891b : Fix build
    • 2e5bb1b : Add bound checks to utf16_to_utf8
    • 510cfc3 : fix build
    • 584ed66 : SoftVPX: fix nFilledLen overflow
    • 938124f : OMXCodec: check IMemory::pointer() before using allocation
    • 4eda480 : Fix corruption via buffer overflow in mediaserver
    • d185e27 : SoftMP3: memset safely
    • 88bff9f : Impose a size bound for dynamically allocated tables in stbl.
    • 2c151ba : Check effect command reply size in AudioFlinger
    • 7b56256 : SoftHEVC: Exit gracefully in case of decoder errors
    • 93482fd : Don't use sp&
    • f06e4f6 : SoftAAC2: fix crash on all-zero adts buffer
    • e4038aa : Fix potential overflow
    • f375ca7 : MPEG4Extractor: ensure kKeyTrackID exists before creating an MPEG4Source as track.
    • 71024bd : limit mediaserver memory
    • edb9201 : Check malloc result to avoid NPD
    • 63a06d6 : Fix security vulnerability in libstagefright
    • 56eba26 : h264bsdActivateParamSets: Prevent multiplication overflow.
    • 2811381 : Clear unused pointer field when sending across binder
    • ffc9b40 : Check section size when verifying CRC
    • 9662a4c : SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789.
    • 832e9c0 : Resolve merge conflict when cp'ing ag/931301 to mnc-mr1-release
    • e3437c4 : h264dec: check for overflows when calculating allocation size.
    • 5c46ae8 : codecs: check OMX buffer size before use in (avc|hevc|mpeg2)dec
    • 46e6f1f : codecs: check OMX buffer size before use in (gsm|g711)dec
    • b3d95b9 : AudioSource: initialize variables
    • 576a46e : Check mp3 output buffer size
    • 4558a32 : codecs: check OMX buffer size before use in (h263|h264)dec
    • ee37b04 : Fix OMX_IndexParamConsumerUsageBits size check
    • 4c92e76 : Fix size check for OMX_IndexParamConsumerUsageBits
    • b2585b5 : Fix initialization of AAC presentation struct
    • e0b5f05 : Fix AMR decoder
    • 9b0317c : SoftAMR: check input buffer size to avoid overflow.
    • f9ac32c : SoftAMR: check output buffer size to avoid overflow.
    • 08e5fb8 : codecs: check OMX buffer size before use in VP8 encoder.
    • 20bac0d : NuPlayerStreamListener: NULL and bounds check before memcpy
    • d9caaac : Camera3Device: Validate template ID
    • bf83193 : Add VPX output buffer size check
    • 6ab905e : Get service by value instead of reference
    • 67d11e9 : Also fix out of bounds access for normal read
    • 20280c5 : Clear allocation to avoid info leak
    • b4ef484 : Fixing safteynet logging bug introduced in ag/862848
    • 8d87321 : 3 uninitialized variables in IOMX.cpp
    • 5a856f2 : Fix info leak vulnerability of IDrm
    • 79b7347 : IOMX.cpp uninitialized pointer in BnOMX::onTransact
    • 38f1da3 : Camera: Disallow dumping clients directly
    • d764049 : Fix out-of-bounds write
    • 3491698 : fix possible overflow in effect wrappers.
    • 0681b53 : libstagefright: check requested memory size before allocation for SoftMPEG4Encoder and SoftVPXEncoder.
    • 5dc9ffe : Reduce lock time for dump to make sure not locked when calling back to IResourceManagerClient.
    • 6c7a59a : ALooper::awaitResponse gets reply and returns immediately if the looper is stopped.

  • platform/frameworks/base with 44 change(s)
    • b0b65b5 : Process: Fix communication with zygote.
    • a3746db : Fix vulnerability in LockSettings service
    • f28516b : Add bound checks to utf16_to_utf8
    • 7517935 : Check caller's uid before allowing notification policy access.
    • 880e600 : Fix string equality comparison
    • af1e4f9 : WifiEnterpriseConfiguration: Do not print credentials in toString
    • eae49fb : Add pm operation to set user restrictions.
    • 3b4b9b1 : Reduce shell power over user management.
    • 557a269 : Don't trust callers to supply app info to bindBackupAgent()
    • 529dcaf : Backport of backup transport whitelist
    • ddbf2db : Backport ChooserTarget package source check from N
    • 9c5a09f : Don't pass URL path and username/password to PAC scripts
    • 3c8552b : Fix missing permission check when saving pattern/password
    • d0a8a19 : Kill the real/isolated uid group, not the ApplicationInfo uid
    • bcdc412 : Add new, hidden MotionEvent flag for partially obscured windows.
    • c5a0fca : Redact Account info from getCurrentSyncs
    • 2b05a69 : Conflict resolution CL to ag/868720 when cp'ing to mnc-mr1-release
    • 6a431ee : Check permissions on getDeviceId.
    • 463c543 : Don't allow contact sharing by default for device not recognized as carkit.
    • 4d70bd7 : Revert "Fix race condition when setting default ringtones"
    • df252d6 : Fix race condition when setting default ringtones
    • 49eddaa : Block directory selection in openable modes.
    • 1408358 : Kick movement preconditions onto handler thread.
    • d028ee7 : Revert "Remove -ffast-math from libhwui makefile"
    • 76cb25b : When the incoming light source is invalid, don't generate any shadow
    • 12412ce : Early return when the scale is 0.
    • 067470f : Remove -ffast-math from libhwui makefile
    • 0929827 : Revert "Use clang for libhwui"
    • b38fcc3 : Convert ashmem bitmap thresholds to constants.
    • b38c1e8 : Use clang for libhwui
    • a2dbe43 : Limit persistent ashmem backed fds to a minimum of 128kB.
    • 4232444 : Fix issue #25357209: Could not send SMS or MMS messages, had to reboot
    • 73546bb : Fix a crash while printing ICCID because of alphabets in UICC.
    • 0d6d12a : Fixed a bug where the panel could get stuck closing
    • 613e5fe : Improve comment on EXTRA_CALL_RAT_TYPE.
    • 20779c2 : NetworkTimeUpdateService: Grab a wakelock when manipulating system time
    • 7ed23d2 : Don't try overriding system fixed permissions on install
    • a8d4225 : PackageSettingBase needs to copy volume UUID.
    • 9c648bd : Handle "uninstalled" apps when pruning app-ops.
    • 52e3639 : IMS: Support For Per-Call RAT Info
    • 4ff3b61 : Allow verifier to grant permissions
    • bf3347f : Get rid of getTypesVisibleToCaller log spam.
    • c32aacb : UsbDeviceManager: set mUsbDataUnlocked=false on user switch
    • 9abc2aa : Don't crash if a DHCP server doesn't send the server ID option.

  • platform/frameworks/minikin with 3 change(s)
    • f10ea6d : Add error logging on invalid cmap
    • 1880cd8 : Reject fonts with invalid ranges in cmap
    • 715e31e : Avoid integer overflows in parsing fonts

  • platform/frameworks/native with 12 change(s)
    • 63f999b : ServiceManager: Allow system services running as secondary users to add services
    • 3ca88ba : Region: Detect malicious overflow in unflatten
    • a99316a : Add FrameStats default constructor
    • 443040b : Correctly handle dup() failure in Parcel::readNativeHandle
    • 489ba53 : Add new MotionEvent flag for partially obscured windows.
    • e0c5451 : Fix issue #27252896: Security Vulnerability -- weak binder
    • b49358b : BQ: fix some uninitialized variables
    • 638ac77 : Add SN logging
    • c9d518e : Sanity check IMemory access versus underlying mmap
    • 43316b3 : BQ: Add permission check to BufferQueueConsumer::dump
    • daca8c3 : IGraphicBufferProducer: fix QUEUE_BUFFER info leak
    • 93312a3 : IGraphicBufferConsumer: fix ATTACH_BUFFER info leak

  • platform/frameworks/opt/net/wifi with 3 change(s)
    • 9354e2a : ANQPFactory: catch all potential parsing errors
    • a2228a2 : VenueNameElement: fix off-by-one enum bounds check
    • ffe0310 : Deal correctly with short strings

  • platform/frameworks/opt/telephony with 5 change(s)
    • 8e08e67 : Do not allow premium SMS during SuW
    • ed47538 : backport security fix: avoid set NITZ time to 2038
    • c078223 : Check permissions on getDeviceId.
    • edb3e72 : Fix a crash while printing ICCID because of alphabets in UICC.
    • 09ee5a4 : Set WIFI icon for connection based on connection extra.

  • platform/hardware/broadcom/wlan with 1 change(s)
    • 2c5a4fa : Fix use-after-free in wifi_cleanup()

  • platform/hardware/intel/common/omx-components with 1 change(s)
    • a2f2b42 : fix random SEGV issue which is caused by wild pointer in libmix

  • platform/hardware/intel/img/hwcomposer with 2 change(s)
    • 6fd39da : Use default csc mode and video range setting for HDMI. Update VideoPayloadBuffer to align with palyload in video driver
    • 781a2f1 : Use default csc mode and video range setting for HDMI. Update VideoPayloadBuffer to align with palyload in video driver

  • platform/hardware/libhardware with 1 change(s)
    • e8f060e : Add guest mode functionality (1/3)

  • platform/hardware/qcom/audio with 1 change(s)
    • 012de35 : post proc : volume listener : fix effect release crash

  • platform/hardware/ril with 1 change(s)
    • 5c12513 : Replace variable-length arrays on stack with malloc.

  • platform/libcore with 4 change(s)
    • fd8a90b : CipherTest: in ASN1 encoding for GCM, no value for tag size means 12
    • 5d0d325 : CipherTest: add test for multiple updateAAD calls
    • 0d5a9f5 : CipherTest: test instance reuse with updateAAD
    • 50e16e8 : GCMParameters: check that the default tag size is secure (16 bits)

  • platform/packages/apps/Bluetooth with 1 change(s)
    • 7dc160f : Add guest mode functionality (3/3)

  • platform/packages/apps/CertInstaller with 1 change(s)
    • a47158e : Trust CA certificates added for the whole OS only

  • platform/packages/apps/Email with 3 change(s)
    • 37bf26d : Limit account id and id to longs
    • eb1046d : stop exporting EmailAccountCacheProvider
    • e092fdb : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.

  • platform/packages/apps/InCallUI with 1 change(s)
    • de77e31 : Show child number in incoming call notification.

  • platform/packages/apps/Nfc with 2 change(s)
    • fcc6ebf : Allow system_server access to NFC reader mode API.
    • 220a93d : Verify setForegroundDispatch caller is in foreground.

  • platform/packages/apps/Settings with 6 change(s)
    • f4b8ad6 : Preserve FRP lock if wiped during SUW
    • ec25157 : Uncheck checkbox for contact sharing by default for non carkit devices.
    • da91ef8 : Block developer settings during SUW
    • 46742e0 : Null check queryIntentServices
    • 91e50a2 : Further tweak to issue #issue #25371736: Don't include z-ram allocations in Android OS
    • a0fc2b8 : Fix issue #25371736: Don't include z-ram allocations in Android OS

  • platform/packages/apps/UnifiedEmail with 2 change(s)
    • 29eed8f : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.
    • 5c1a64f : Don't allow file attachment from file:///data.

  • platform/packages/inputmethods/LatinIME with 7 change(s)
    • e044d12 : Unicode 8.0 emoji additions to Google Keyboard.
    • dc1554f : Revert "Unicode 8.0 emoji additions to Google Keyboard."
    • 41396aa : Unicode 8.0 emoji additions to Google Keyboard.
    • 2ca6cea : Revert "Unicode 8.0 emoji changes to Google Keyboard."
    • 397fa0b : Revert "Add description strings for Unicode 8.0 new emoji."
    • b18083a : Unicode 8.0 emoji changes to Google Keyboard.
    • cd9814c : Add description strings for Unicode 8.0 new emoji.

  • platform/packages/providers/CalendarProvider with 1 change(s)
    • 5d19871 : Work on issue #25467052: System lagged out

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • a8bc340 : Use resolved path for both checking and opening.

  • platform/packages/providers/TelephonyProvider with 2 change(s)
    • 0aeed2d : 30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid
    • f596d65 : Try-catch for deletePreferredApnId()

  • platform/packages/services/Telephony with 4 change(s)
    • 8771dd2 : Make TTY broadcasts protected
    • 4213bf6 : Fixes creation of incorrect SIP PhoneAccountHandle
    • fbd58ff : Revert "Ensure sim contacts import screen supports rotation."
    • 092d26a : Ensure connection extras are propagated on start of call.

  • platform/system/bt with 7 change(s)
    • ac1e366 : Add guest mode functionality (2/3)
    • 7c8f520 : btif: Don't persist remote devices to the config
    • ed1563b : Fix crashes with lots of discovered LE devices
    • 3e8755e : Always update remote address type during LE scan
    • 903777d : Fix bug in SDP 128-bit UUID lookup
    • 1a3139b : Do not mask out secure connections (SC) bit for BT 4.2
    • eb6b364 : Serialize remote version query over LE

  • platform/system/core with 14 change(s)
    • fd3c38a : Fix vold vulnerability in FrameworkListener
    • a057057 : debuggerd: fix missed use of ptrace(PTRACE_ATTACH).
    • 178bfee : adb: use asocket's close function when closing.
    • a27352b : adb: switch the socket list mutex to a recursive_mutex.
    • 153324b : libutils/Unicode.cpp: Correct length computation and add checks for utf16-utf8
    • 5ed57a7 : add a property for controlling perf_event_paranoid
    • b7cc19c : Fix scanf %s in lsof.
    • 5eddd51 : Fix overflow in path building
    • dcf95ac : Don't demangle symbol names.
    • 78aa538 : Don't create tombstone directory.
    • d167d5e : Fix incorrect check of descsz value.
    • 5b73585 : Add macro to call event logger for errors.
    • a611696 : logd: pruning time horizon
    • eb88db4 : Remove __DATE__/__TIME__ from init and debuggerd

  • platform/system/keymaster with 1 change(s)
    • 39ba76d : Return correct error from keymaster0engine for large RSA input

  • platform/system/media with 2 change(s)
    • 60ec8cc : Camera metadata: Check for inconsistent data count
    • c30c62d : Camera: Prevent data size overflow

  • platform/system/security with 1 change(s)
    • 1f76969 : Limit maximum number of concurrent keystore operations.