Android Marshmallow AOSP Changes

Changes from 6.0.1_r69 (MMB30Y) to 6.0.1_r70 (MOB31H):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (46):

  • device/asus/flo-kernel with 4 change(s)
    • c8a3abb : flo: update prebuilt kernel
    • d999d3f : flo: update prebuilt kernel
    • aaa92aa : flo: update prebuilt kernel
    • 8c18194 : flo: update prebuilt kernel

  • device/asus/fugu-kernel with 1 change(s)
    • 2d0e37c : fugu: update prebuilt kernel

  • device/htc/flounder-kernel with 1 change(s)
    • 7d164b2 : flounder: update kernel prebuilt

  • device/moto/shamu-kernel with 1 change(s)
    • 6f9a8fe : shamu: update prebuilt kernel

  • device/sample with 1 change(s)
    • b239828 : Adding APN for ATT AGMS Global (310-380)

  • platform/bionic with 1 change(s)
    • 12123df : Update timezone data to 2016a

  • platform/bootable/recovery with 1 change(s)
    • 7d4457c : Fix integer overflows in recovery procedure.

  • platform/build with 50 change(s)
    • f26f928 : MOB31H
    • 51e569c : MOB31G
    • c49265a : MOB31F
    • 7d3077c : Update comments around PLATFORM_SECURITY_LEVEL
    • f03c12b : Update Security String to 2016-10-05 to Platform and CTS for October Security Updates (rebased)
    • a9e57f6 : Update Security String to 2016-10-01 to platform and CTS for October Security
    • 633dd52 : "MOB31E"
    • a65a6c4 : Update Security String to 2016-09-06 to platform and CTS for September Security (+Quadrooter,-PZ)
    • 52f12c7 : "MOB31D"
    • 2f6515c : Update Security String to 2016-09-07 to platform and CTS for September respin
    • b24a529 : "MOB31C"
    • 827f04b : Updating security string to 2016-09-05 to platform and CTS in preparation for 2016 September OTA on mnc-dev
    • 92212a9 : "MOB31B"
    • f4607de : Updating security string to 2016-09-01 to platform and CTS in preparation for 2016 September OTA
    • 5d5a58e : "MOB30Z"
    • a8994a2 : "MOB30Y"
    • 7441560 : "MOB30X"
    • c5f5bf3 : "MOB30W"
    • 2f9b1a7 : "MOB30V"
    • 36e2d00 : MOB30U
    • 82d53be : "MOB30T"
    • 6d81a4a : "MOB30S"
    • 01e9203 : disable unpriv perf by default in user{,debug} builds
    • 20dde10 : "MOB30R"
    • 067d200 : Updating security string to 2016-08-05 - directly to mnc-mr2-release
    • f665835 : MOB30Q
    • 931561f : "MOB30P"
    • d066358 : "MOB30O"
    • 592c3a4 : Updating security string to 2016-07-05 to release branches
    • 4f182df : "MOB30N"
    • bbe9b53 : MOB30M
    • b9d4958 : "MOB30L"
    • 18648c1 : "MOB30K"
    • e240735 : Update security patch string to 2016-06-01
    • f30ec8b : "MOB30J"
    • de6dc95 : "MOB30I"
    • 571de13 : "MOB30H"
    • 46d1699 : "MOB30G"
    • 7feafe7 : "MOB30F"
    • 85ff546 : "MOB30E"
    • c8641b4 : Update Security String to 2016-05-01 in preparation for May 2016 Security OTA
    • 25b7ce3 : MOB30D
    • 42d5725 : Update Security String to 2016-04-02 in preparation for April 2016 Security OTA v2 - kernel updates with patches for CVE-2015-1805
    • 13678cf : MOB30C
    • 5250d69 : MOB30B
    • 0a9c18b : "MOB29Z"
    • f103e81 : Updating security string patch to 2016-04-01
    • 5994b11 : MOB29Y
    • c322528 : "MOB29X"
    • 49537b0 : "MOB29W"

  • platform/dalvik with 1 change(s)
    • 338aeaf : Fix potential buffer overrun.

  • platform/external/aac with 2 change(s)
    • d99efb7 : Fix aacDecoder_drcExtractAndMap()
    • 5d4405f : Fix stack corruption happening in aacDecoder_drcExtractAndMap()

  • platform/external/boringssl with 2 change(s)
    • 74750e1 : Fix encoding bug in i2c_ASN1_INTEGER
    • 591be84 : Remove support for mis-encoded PKCS#8 DSA keys.

  • platform/external/bouncycastle with 2 change(s)
    • 2096fd1 : GCMParameters: in ASN1 encoding, use 12 when no value is specified
    • 6183c75 : GCMParameters: fix insecure tag size

  • platform/external/conscrypt with 4 change(s)
    • 5af5e93 : Use SSL_session_reused to check when a session was reused
    • 1638945 : Fix updateAAD when offset is not 0
    • 8bec47d : OpenSSLCipher: multiple calls to updateAAD were ignored
    • 50d0447 : OpenSSLCipher: reset AAD when necessary

  • platform/external/dhcpcd with 1 change(s)
    • 3c47c99 : Improve length checks in DHCP Options parsing of dhcpcd.

  • platform/external/flac with 2 change(s)
    • b93c406 : src/libFLAC/stream_decoder.c : Fix NULL de-reference.
    • b499389 : Avoid free-before-initialize vulnerability in heap

  • platform/external/icu with 1 change(s)
    • a8a9e45 : Update timezone data to 2016a

  • platform/external/jhead with 2 change(s)
    • cbbecf7 : Fix possible out of bounds accesses
    • bae6715 : Fix possible out of bounds access

  • platform/external/libavc with 11 change(s)
    • 7109ce3 : Fixed error concealment when no MBs are decoded in the current pic
    • 326fe99 : Decoder: Initialize first_pb_nal_in_pic for error slices
    • 7554755 : Decoder: Do not conceal slices with invalid SPS/PPS
    • a78887b : Decoder: Fix slice number increment for error clips
    • cc676eb : Fix slice params for interlaced video
    • d4841f1 : Decoder: Set u1_long_term_reference_flag to 0 for error concealment
    • e629194 : Decoder: Initialize slice parameters before concealing error MBs
    • ecf6c7c : Decoder: Memset few structures to zero to handle error clips
    • a583270 : Decoder: Fix for handling invalid intra mode
    • 78c2c6e : Decoder: Fix stack underflow in CAVLC 4x4 parse functions
    • b41e5f3 : Ensure ih264d_start_of_pic() is not repeated in ih264d_mark_err_slice_skip()

  • platform/external/libmpeg2 with 3 change(s)
    • d1c775d : Fixed out of bound read in flush_bits
    • e786210 : Fix for handling streams which resulted in negative num_mbs_left
    • b658a21 : Fixed stack buffer overflow

  • platform/external/libvpx with 1 change(s)
    • 65c49d5 : Fix ParseElementHeader to support 0 payload elements

  • platform/external/sepolicy with 3 change(s)
    • f2b123a : expose control over unpriv perf access to shell
    • abf0663 : Remove generic socket access from untrusted processes
    • 556bb0f : Further restrict socket ioctls available to apps

  • platform/external/sonivox with 3 change(s)
    • cadfb7a : Fix NULL pointer dereference
    • 90f91b3 : Sonivox: add SafetyNet log.
    • e372b39 : Sonivox: sanity check numSamples.

  • platform/external/tremolo with 1 change(s)
    • 659030a : Check partword is in range for # of partitions

  • platform/external/wpa_supplicant_8 with 2 change(s)
    • b845b81 : Guard against return value already being null
    • b79e095 : Remove newlines from config output

  • platform/frameworks/av with 55 change(s)
    • 4b459da : MediaPlayerService: allow next player to be NULL
    • 45f500a : Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d.
    • 497fcd7 : Add EFFECT_CMD_SET_PARAM parameter checking
    • 4d96096 : soundtrigger: add size check on sound model and recogntion data
    • 54ac346 : MediaPlayerService: avoid invalid static cast
    • 173e6eb : better validation lengths of strings in ID3 tags
    • b52c757 : SoftMPEG4: Check the buffer size before writing the reference frame.
    • c174665 : omx: prevent input port enable/disable for software codecs
    • d67bab6 : Fix build
    • ae1810f : Fix build
    • 36dd3c2 : Add bound checks to utf16_to_utf8
    • 50643aa : fix build
    • ee44d7c : SoftVPX: fix nFilledLen overflow
    • 97837bb : OMXCodec: check IMemory::pointer() before using allocation
    • f9391b3 : Fix corruption via buffer overflow in mediaserver
    • 9871fae : SoftMP3: memset safely
    • 030001d : Impose a size bound for dynamically allocated tables in stbl.
    • 9cd8c32 : Check effect command reply size in AudioFlinger
    • a4567c6 : SoftHEVC: Exit gracefully in case of decoder errors
    • 42a25c4 : Don't use sp&
    • 8e438e1 : SoftAAC2: fix crash on all-zero adts buffer
    • 590d172 : Fix potential overflow
    • d112f7d : Resolve a merge issue between lmp and lmp-mr1+
    • f810380 : MPEG4Extractor: ensure kKeyTrackID exists before creating an MPEG4Source as track.
    • 6fdee2a : limit mediaserver memory
    • e7142a0 : Check malloc result to avoid NPD
    • e248db0 : Fix security vulnerability in libstagefright
    • 6054780 : h264bsdActivateParamSets: Prevent multiplication overflow.
    • daef432 : Clear unused pointer field when sending across binder
    • 4f236c5 : Check section size when verifying CRC
    • b57b396 : SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789.
    • 45737cb : Resolve merge conflict when cp'ing ag/931301 to mnc-mr1-release
    • 2b6f22d : h264dec: check for overflows when calculating allocation size.
    • 918eeaa : codecs: check OMX buffer size before use in (avc|hevc|mpeg2)dec
    • 7cea5cb : codecs: check OMX buffer size before use in (gsm|g711)dec
    • dd35467 : AudioSource: initialize variables
    • ad40e57 : Check mp3 output buffer size
    • d2f4719 : codecs: check OMX buffer size before use in (h263|h264)dec
    • db82969 : Fix OMX_IndexParamConsumerUsageBits size check
    • 0bb5ced : Fix size check for OMX_IndexParamConsumerUsageBits
    • 94d9e64 : Fix initialization of AAC presentation struct
    • daa85da : Fix AMR decoder
    • 65756b4 : SoftAMR: check input buffer size to avoid overflow.
    • 44749eb : SoftAMR: check output buffer size to avoid overflow.
    • 7fd96eb : codecs: check OMX buffer size before use in VP8 encoder.
    • a2d1d85 : NuPlayerStreamListener: NULL and bounds check before memcpy
    • b04aee8 : Camera3Device: Validate template ID
    • f9ed2fe : Add VPX output buffer size check
    • de2430f : Get service by value instead of reference
    • 582c02e : Also fix out of bounds access for normal read
    • 3a90a02 : Clear allocation to avoid info leak
    • 1f76ce4 : Fixing safteynet logging bug introduced in ag/862848
    • 57bf497 : 3 uninitialized variables in IOMX.cpp
    • 638e5ba : Fix info leak vulnerability of IDrm
    • 3ba0bbe : IOMX.cpp uninitialized pointer in BnOMX::onTransact

  • platform/frameworks/base with 19 change(s)
    • a1e1881 : Process: Fix communication with zygote.
    • 1d6c0ef : Fix vulnerability in LockSettings service
    • f0ea4c8 : Add bound checks to utf16_to_utf8
    • 28460c2 : Check caller's uid before allowing notification policy access.
    • 81be4e3 : Fix string equality comparison
    • 55271d4 : WifiEnterpriseConfiguration: Do not print credentials in toString
    • 4e4743a : Add pm operation to set user restrictions.
    • 01875b0 : Reduce shell power over user management.
    • e7cf91a : Don't trust callers to supply app info to bindBackupAgent()
    • 9b8c6d2 : Backport of backup transport whitelist
    • d2ef34d : Backport ChooserTarget package source check from N
    • ec2fc50 : Don't pass URL path and username/password to PAC scripts
    • e83f0f6 : Fix missing permission check when saving pattern/password
    • 9878bb9 : Kill the real/isolated uid group, not the ApplicationInfo uid
    • 613f63b : Add new, hidden MotionEvent flag for partially obscured windows.
    • 3cd1905 : Redact Account info from getCurrentSyncs
    • b22f3f2 : Conflict resolution CL to ag/868720 when cp'ing to mnc-mr1-release
    • 1e24c42 : Fix missing observer reply callbacks
    • bea20d5 : Exit getAllValidScorers early if not the primary.

  • platform/frameworks/minikin with 2 change(s)
    • 75265b3 : Add error logging on invalid cmap
    • 013771f : Reject fonts with invalid ranges in cmap

  • platform/frameworks/native with 10 change(s)
    • 23e7c1d : ServiceManager: Allow system services running as secondary users to add services
    • 1ecb999 : Region: Detect malicious overflow in unflatten
    • 3bcf0ca : Add FrameStats default constructor
    • 54cb02a : Correctly handle dup() failure in Parcel::readNativeHandle
    • 03a53d1 : Add new MotionEvent flag for partially obscured windows.
    • a59b827 : Fix issue #27252896: Security Vulnerability -- weak binder
    • a30d7d9 : BQ: fix some uninitialized variables
    • 5243afa : Add SN logging
    • 25719f6 : Sanity check IMemory access versus underlying mmap
    • b3a9e6d : BQ: Add permission check to BufferQueueConsumer::dump

  • platform/frameworks/opt/net/wifi with 3 change(s)
    • d9be1b6 : ANQPFactory: catch all potential parsing errors
    • b2219ef : VenueNameElement: fix off-by-one enum bounds check
    • a209ff1 : Deal correctly with short strings

  • platform/frameworks/opt/telephony with 2 change(s)
    • 7217535 : Do not allow premium SMS during SuW
    • f47bc30 : backport security fix: avoid set NITZ time to 2038

  • platform/hardware/libhardware with 1 change(s)
    • 8b3d5a6 : Add guest mode functionality (1/3)

  • platform/hardware/qcom/audio with 1 change(s)
    • a18111d : post proc : volume listener : fix effect release crash

  • platform/hardware/ril with 1 change(s)
    • 87c2ac6 : Replace variable-length arrays on stack with malloc.

  • platform/libcore with 4 change(s)
    • c95c72e : CipherTest: in ASN1 encoding for GCM, no value for tag size means 12
    • e565176 : CipherTest: add test for multiple updateAAD calls
    • 156bf0a : CipherTest: test instance reuse with updateAAD
    • 4e6f599 : GCMParameters: check that the default tag size is secure (16 bits)

  • platform/packages/apps/Bluetooth with 2 change(s)
    • 122feb9 : Add guest mode functionality (3/3)
    • eb6e43c : Fix memory leak in Bluetooth AVRCP JNI

  • platform/packages/apps/CertInstaller with 1 change(s)
    • 32071b2 : Trust CA certificates added for the whole OS only

  • platform/packages/apps/Email with 3 change(s)
    • 9046b84 : Limit account id and id to longs
    • cb2dfe4 : stop exporting EmailAccountCacheProvider
    • 2791f0b : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.

  • platform/packages/apps/Nfc with 2 change(s)
    • e1bc9bb : Allow system_server access to NFC reader mode API.
    • 9ea802b : Verify setForegroundDispatch caller is in foreground.

  • platform/packages/apps/UnifiedEmail with 2 change(s)
    • a551683 : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.
    • 0471215 : Don't allow file attachment from file:///data.

  • platform/packages/providers/ContactsProvider with 1 change(s)
    • d1d67f9 : Update directories when initializing ContactsProvider.

  • platform/packages/providers/DownloadProvider with 3 change(s)
    • 3f2cf47 : Revert "Enforce calling identity before clearing."
    • 6f753b3 : Enforce calling identity before clearing.
    • a921675 : Use resolved path for both checking and opening.

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • c8f249d : 30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid

  • platform/packages/services/Telephony with 2 change(s)
    • c76129b : Make TTY broadcasts protected
    • d2e1ace : Fixes creation of incorrect SIP PhoneAccountHandle

  • platform/system/bt with 2 change(s)
    • 37c8810 : Add guest mode functionality (2/3)
    • 158910b : btif: Don't persist remote devices to the config

  • platform/system/core with 11 change(s)
    • b825f11 : Fix vold vulnerability in FrameworkListener
    • 4cc6d3d : debuggerd: fix missed use of ptrace(PTRACE_ATTACH).
    • f483354 : adb: use asocket's close function when closing.
    • 014b159 : adb: switch the socket list mutex to a recursive_mutex.
    • 3c28cda : libutils/Unicode.cpp: Correct length computation and add checks for utf16-utf8
    • 671d62d : add a property for controlling perf_event_paranoid
    • ae18eb0 : Fix scanf %s in lsof.
    • 864e2e2 : Fix overflow in path building
    • ad54cfe : Don't demangle symbol names.
    • e1d7846 : Don't create tombstone directory.
    • e296514 : Re-derive permissions after package changes.

  • platform/system/media with 2 change(s)
    • 8d0a86a : Camera metadata: Check for inconsistent data count
    • 882db90 : Camera: Prevent data size overflow