Android Marshmallow AOSP Changes

Changes from 6.0.1_r72 (M4B30X) to 6.0.1_r73 (MMB31C):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (44):

  • device/asus/flo-kernel with 3 change(s)
    • f87ae9f : flo: update prebuilt kernel
    • 5fcd1f3 : flo: update prebuilt kernel
    • 133e144 : flo: update prebuilt kernel

  • device/asus/fugu-kernel with 1 change(s)
    • 27d373a : fugu: update prebuilt kernel

  • device/htc/flounder-kernel with 1 change(s)
    • 4d7f6cb : flounder: update kernel prebuilt

  • device/lge/bullhead with 1 change(s)
    • e91ecdb : Correct encoder peformance expected values

  • platform/bootable/recovery with 1 change(s)
    • 6896261 : Fix integer overflows in recovery procedure.

  • platform/build with 47 change(s)
    • 71696dc : MMB31C
    • 6a1b4dc : MMB31B
    • 72f32ab : MMB30Z
    • c1532d4 : Updating Security String to 2016-11-05 on mnc-dev b/31618336
    • 2177b06 : Updating Security String to 2016-11-01 on mnc-dev b/31618336
    • 2c199ea : MMB30Y
    • 6a7cd6b : MMB30X
    • feab61c : Update comments around PLATFORM_SECURITY_LEVEL
    • f1d9524 : Update Security String to 2016-10-05 to Platform and CTS for October Security Updates (rebased)
    • d91cf35 : Update Security String to 2016-10-01 to platform and CTS for October Security
    • 2d4c307 : "MMB30W"
    • 1b040a1 : Update Security String to 2016-09-06 to platform and CTS for September Security (+Quadrooter,-PZ)
    • 8a5d1ce : "MMB30V"
    • 495a4ef : Update Security String to 2016-09-07 to platform and CTS for September respin
    • 13b4135 : "MMB30U"
    • 60b76c2 : Updating security string to 2016-09-05 to platform and CTS in preparation for 2016 September OTA on mnc-dev
    • 434e82d : "MMB30T"
    • 70d7fd7 : Updating security string to 2016-09-01 to platform and CTS in preparation for 2016 September OTA
    • b5e3ce3 : "MMB30S"
    • c5fe58c : "MMB30R"
    • 18e3567 : "MMB30Q"
    • 78394a2 : MMB30P
    • 35a7d76 : "MMB30O"
    • f636a81 : "MMB30N"
    • d6e7e6b : disable unpriv perf by default in user{,debug} builds
    • c0dd689 : Updating security string to 2016-08-05 - directly to mnc-mr2-release
    • bc2a4a6 : "MMB30M"
    • 47f18a6 : MMB30L
    • 2949ef1 : "MMB30K"
    • 725cb70 : Updating security string to 2016-07-05 to release branches
    • 5b2836b : MMB30J
    • 9740914 : "MMB30I"
    • 4e01814 : Update security patch string to 2016-06-01
    • 4591129 : "MMB30H"
    • 969670f : MMB30G
    • 26cddab : "MMB30F"
    • d8bce37 : "MMB30E"
    • 9228259 : "MMB30D"
    • f1e44d3 : MMB30C
    • f72b2f2 : MMB30B
    • e7861ff : "MMB29Z"
    • ba03bdb : "MMB29Y"
    • 93b663c : Update Security String to 2016-05-01 in preparation for May 2016 Security OTA
    • 772db68 : "MMB29X"
    • a6860b3 : Update Security String to 2016-04-02 in preparation for April 2016 Security OTA v2 - kernel updates with patches for CVE-2015-1805
    • 2d0200f : "MMB29W"
    • 0ad1f65 : Updating security string patch to 2016-04-01

  • platform/dalvik with 1 change(s)
    • 0f5ea2f : Fix potential buffer overrun.

  • platform/external/aac with 2 change(s)
    • 5944dfa : Fix aacDecoder_drcExtractAndMap()
    • 79aaf83 : Fix stack corruption happening in aacDecoder_drcExtractAndMap()

  • platform/external/boringssl with 4 change(s)
    • 3294a19 : Re-add |EVP_des_ede_cbc|.
    • a4e2afc : Fix NID of |EVP_CIPHER des3_cbc|.
    • 98d0f1b : Fix encoding bug in i2c_ASN1_INTEGER
    • 0f905af : Remove support for mis-encoded PKCS#8 DSA keys.

  • platform/external/bouncycastle with 2 change(s)
    • 4ce8f65 : GCMParameters: in ASN1 encoding, use 12 when no value is specified
    • bc445d7 : GCMParameters: fix insecure tag size

  • platform/external/chromium-webview with 1 change(s)
    • 926fdab : WebView AOSP Integration Request - 52.0.2743.100

  • platform/external/conscrypt with 5 change(s)
    • a233f11 : Fix typo in name of des-ede mapping
    • cb5102c : Use SSL_session_reused to check when a session was reused
    • 1406f14 : Fix updateAAD when offset is not 0
    • 59b06ff : OpenSSLCipher: multiple calls to updateAAD were ignored
    • e2e7583 : OpenSSLCipher: reset AAD when necessary

  • platform/external/dhcpcd with 1 change(s)
    • 2a5eac9 : Improve length checks in DHCP Options parsing of dhcpcd.

  • platform/external/expat with 3 change(s)
    • b3fca5d : Security Vulnerability - CVE-2012-6702 and CVE-2016-5300
    • dcd07ce : Fix CVE-2016-0718: Expat XML Parser Crashes on Malformed Input
    • cdbda27 : Upgrade to expat 2.1.1

  • platform/external/flac with 2 change(s)
    • c804809 : src/libFLAC/stream_decoder.c : Fix NULL de-reference.
    • 7b8718a : Avoid free-before-initialize vulnerability in heap

  • platform/external/jhead with 2 change(s)
    • 33e0f8b : Fix possible out of bounds accesses
    • 9070da4 : Fix possible out of bounds access

  • platform/external/libavc with 13 change(s)
    • b456744 : Decoder: Fixes for handling errors in multi-slice MB Aff streams
    • 017d2b4 : Fix in the case of invalid SPS PPS
    • 6449db4 : Fixed error concealment when no MBs are decoded in the current pic
    • 6f05d8d : Decoder: Initialize first_pb_nal_in_pic for error slices
    • 39ff59e : Decoder: Do not conceal slices with invalid SPS/PPS
    • a24cb59 : Decoder: Fix slice number increment for error clips
    • a09b16b : Fix slice params for interlaced video
    • 67c4732 : Decoder: Set u1_long_term_reference_flag to 0 for error concealment
    • 3d01744 : Decoder: Initialize slice parameters before concealing error MBs
    • 8709f6a : Decoder: Memset few structures to zero to handle error clips
    • f511691 : Decoder: Fix for handling invalid intra mode
    • 0b24cbe : Decoder: Fix stack underflow in CAVLC 4x4 parse functions
    • 2eddadc : Ensure ih264d_start_of_pic() is not repeated in ih264d_mark_err_slice_skip()

  • platform/external/libmpeg2 with 3 change(s)
    • 368a38b : Fixed out of bound read in flush_bits
    • d9c2855 : Fix for handling streams which resulted in negative num_mbs_left
    • 5d98623 : Fixed stack buffer overflow

  • platform/external/libvpx with 1 change(s)
    • 5b03b33 : Fix ParseElementHeader to support 0 payload elements

  • platform/external/sepolicy with 4 change(s)
    • 1825d64 : Allow the zygote to stat all files it opens.
    • 1c4530a : expose control over unpriv perf access to shell
    • 37a6d5b : Remove generic socket access from untrusted processes
    • 8e68ded : Further restrict socket ioctls available to apps

  • platform/external/sonivox with 3 change(s)
    • cd07f55 : Fix NULL pointer dereference
    • c5843be : Sonivox: add SafetyNet log.
    • 6a21338 : Sonivox: sanity check numSamples.

  • platform/external/tremolo with 1 change(s)
    • 827b4e5 : Check partword is in range for # of partitions

  • platform/external/wpa_supplicant_8 with 2 change(s)
    • 8d7fc52 : Guard against return value already being null
    • 80833f4 : Remove newlines from config output

  • platform/frameworks/av with 66 change(s)
    • 5d1f734 : stagefright: don't fail MediaCodec.configure if clients use store-meta key
    • 55a0d6e : IOMX: do not clear buffer if it's allocated by component
    • b4eee7e : IOMX: allow configuration after going to loaded state
    • e322a24 : IOMX: restrict conversion of ANWB to gralloc source in emptyBuffer
    • b884fca : Limit mp4 atom size to something reasonable
    • c89da20 : SampleIterator: clear members on seekTo error
    • 009c94b : Check mprotect result
    • d31f3de : Radio: get service by value.
    • 369df9c : SoundTrigger: get service by value.
    • f5dae04 : Fix stack content leak vulnerability in mediaserver
    • fca1091 : Fix potential overflow in Visualizer effect
    • fad3524 : IOMX: work against metadata buffer spoofing
    • b3726cc : MediaPlayerService: allow next player to be NULL
    • ce7438d : Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d.
    • 2541af1 : Add EFFECT_CMD_SET_PARAM parameter checking
    • dee768a : soundtrigger: add size check on sound model and recogntion data
    • c471331 : MediaPlayerService: avoid invalid static cast
    • 1f8a0fe : better validation lengths of strings in ID3 tags
    • cb54be3 : SoftMPEG4: Check the buffer size before writing the reference frame.
    • 066151c : omx: prevent input port enable/disable for software codecs
    • dde79df : Fix build
    • 525891b : Fix build
    • 2e5bb1b : Add bound checks to utf16_to_utf8
    • 510cfc3 : fix build
    • 584ed66 : SoftVPX: fix nFilledLen overflow
    • 938124f : OMXCodec: check IMemory::pointer() before using allocation
    • 4eda480 : Fix corruption via buffer overflow in mediaserver
    • d185e27 : SoftMP3: memset safely
    • 88bff9f : Impose a size bound for dynamically allocated tables in stbl.
    • 2c151ba : Check effect command reply size in AudioFlinger
    • 7b56256 : SoftHEVC: Exit gracefully in case of decoder errors
    • 93482fd : Don't use sp&
    • f06e4f6 : SoftAAC2: fix crash on all-zero adts buffer
    • e4038aa : Fix potential overflow
    • f375ca7 : MPEG4Extractor: ensure kKeyTrackID exists before creating an MPEG4Source as track.
    • 71024bd : limit mediaserver memory
    • edb9201 : Check malloc result to avoid NPD
    • 63a06d6 : Fix security vulnerability in libstagefright
    • 56eba26 : h264bsdActivateParamSets: Prevent multiplication overflow.
    • 2811381 : Clear unused pointer field when sending across binder
    • ffc9b40 : Check section size when verifying CRC
    • 9662a4c : SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789.
    • 832e9c0 : Resolve merge conflict when cp'ing ag/931301 to mnc-mr1-release
    • e3437c4 : h264dec: check for overflows when calculating allocation size.
    • 5c46ae8 : codecs: check OMX buffer size before use in (avc|hevc|mpeg2)dec
    • 46e6f1f : codecs: check OMX buffer size before use in (gsm|g711)dec
    • b3d95b9 : AudioSource: initialize variables
    • 576a46e : Check mp3 output buffer size
    • 4558a32 : codecs: check OMX buffer size before use in (h263|h264)dec
    • ee37b04 : Fix OMX_IndexParamConsumerUsageBits size check
    • 4c92e76 : Fix size check for OMX_IndexParamConsumerUsageBits
    • b2585b5 : Fix initialization of AAC presentation struct
    • e0b5f05 : Fix AMR decoder
    • 9b0317c : SoftAMR: check input buffer size to avoid overflow.
    • f9ac32c : SoftAMR: check output buffer size to avoid overflow.
    • 08e5fb8 : codecs: check OMX buffer size before use in VP8 encoder.
    • 20bac0d : NuPlayerStreamListener: NULL and bounds check before memcpy
    • d9caaac : Camera3Device: Validate template ID
    • bf83193 : Add VPX output buffer size check
    • 6ab905e : Get service by value instead of reference
    • 67d11e9 : Also fix out of bounds access for normal read
    • 20280c5 : Clear allocation to avoid info leak
    • b4ef484 : Fixing safteynet logging bug introduced in ag/862848
    • 8d87321 : 3 uninitialized variables in IOMX.cpp
    • 5a856f2 : Fix info leak vulnerability of IDrm
    • 79b7347 : IOMX.cpp uninitialized pointer in BnOMX::onTransact

  • platform/frameworks/base with 22 change(s)
    • 67f5577 : Avoid crashing when downloading MitM'd PAC that is too big am: 7d2198b586 am: 9c1cb7a273 am: 6634e90ad7 am: 66ee2296a9
    • 3f076ca : Fix build break due to automerge of 7d2198b5
    • b9a1d10 : Ensure munmap matches mmap
    • b37766b : Fix setPairingConfirmation permissions issue (2/2)
    • 186af6a : Backport changes to whitelist sockets opened by the zygote.
    • b0b65b5 : Process: Fix communication with zygote.
    • a3746db : Fix vulnerability in LockSettings service
    • f28516b : Add bound checks to utf16_to_utf8
    • 7517935 : Check caller's uid before allowing notification policy access.
    • 880e600 : Fix string equality comparison
    • af1e4f9 : WifiEnterpriseConfiguration: Do not print credentials in toString
    • eae49fb : Add pm operation to set user restrictions.
    • 3b4b9b1 : Reduce shell power over user management.
    • 557a269 : Don't trust callers to supply app info to bindBackupAgent()
    • 529dcaf : Backport of backup transport whitelist
    • ddbf2db : Backport ChooserTarget package source check from N
    • 9c5a09f : Don't pass URL path and username/password to PAC scripts
    • 3c8552b : Fix missing permission check when saving pattern/password
    • d0a8a19 : Kill the real/isolated uid group, not the ApplicationInfo uid
    • bcdc412 : Add new, hidden MotionEvent flag for partially obscured windows.
    • c5a0fca : Redact Account info from getCurrentSyncs
    • 2b05a69 : Conflict resolution CL to ag/868720 when cp'ing to mnc-mr1-release

  • platform/frameworks/minikin with 2 change(s)
    • f10ea6d : Add error logging on invalid cmap
    • 1880cd8 : Reject fonts with invalid ranges in cmap

  • platform/frameworks/native with 10 change(s)
    • 63f999b : ServiceManager: Allow system services running as secondary users to add services
    • 3ca88ba : Region: Detect malicious overflow in unflatten
    • a99316a : Add FrameStats default constructor
    • 443040b : Correctly handle dup() failure in Parcel::readNativeHandle
    • 489ba53 : Add new MotionEvent flag for partially obscured windows.
    • e0c5451 : Fix issue #27252896: Security Vulnerability -- weak binder
    • b49358b : BQ: fix some uninitialized variables
    • 638ac77 : Add SN logging
    • c9d518e : Sanity check IMemory access versus underlying mmap
    • 43316b3 : BQ: Add permission check to BufferQueueConsumer::dump

  • platform/frameworks/opt/net/wifi with 3 change(s)
    • 9354e2a : ANQPFactory: catch all potential parsing errors
    • a2228a2 : VenueNameElement: fix off-by-one enum bounds check
    • ffe0310 : Deal correctly with short strings

  • platform/frameworks/opt/telephony with 2 change(s)
    • 8e08e67 : Do not allow premium SMS during SuW
    • ed47538 : backport security fix: avoid set NITZ time to 2038

  • platform/hardware/libhardware with 1 change(s)
    • e8f060e : Add guest mode functionality (1/3)

  • platform/hardware/qcom/audio with 2 change(s)
    • fb955c8 : Fix potential overflow in Visualizer effect
    • 012de35 : post proc : volume listener : fix effect release crash

  • platform/hardware/ril with 1 change(s)
    • 5c12513 : Replace variable-length arrays on stack with malloc.

  • platform/libcore with 5 change(s)
    • 956c105 : IDN: Fix handling of long domain names.
    • fd8a90b : CipherTest: in ASN1 encoding for GCM, no value for tag size means 12
    • 5d0d325 : CipherTest: add test for multiple updateAAD calls
    • 0d5a9f5 : CipherTest: test instance reuse with updateAAD
    • 50e16e8 : GCMParameters: check that the default tag size is secure (16 bits)

  • platform/packages/apps/Bluetooth with 2 change(s)
    • bbbf01f : Fix setPairingConfirmation permissions issue (1/2)
    • 7dc160f : Add guest mode functionality (3/3)

  • platform/packages/apps/CertInstaller with 1 change(s)
    • a47158e : Trust CA certificates added for the whole OS only

  • platform/packages/apps/Email with 3 change(s)
    • 37bf26d : Limit account id and id to longs
    • eb1046d : stop exporting EmailAccountCacheProvider
    • e092fdb : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.

  • platform/packages/apps/Nfc with 2 change(s)
    • fcc6ebf : Allow system_server access to NFC reader mode API.
    • 220a93d : Verify setForegroundDispatch caller is in foreground.

  • platform/packages/apps/UnifiedEmail with 2 change(s)
    • 29eed8f : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.
    • 5c1a64f : Don't allow file attachment from file:///data.

  • platform/packages/providers/DownloadProvider with 2 change(s)
    • 8dd54fb : Enforce calling identity before clearing.
    • a8bc340 : Use resolved path for both checking and opening.

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • 0aeed2d : 30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid

  • platform/packages/services/Telephony with 2 change(s)
    • 8771dd2 : Make TTY broadcasts protected
    • 4213bf6 : Fixes creation of incorrect SIP PhoneAccountHandle

  • platform/system/bt with 2 change(s)
    • ac1e366 : Add guest mode functionality (2/3)
    • 7c8f520 : btif: Don't persist remote devices to the config

  • platform/system/core with 12 change(s)
    • 67558c4 : liblog: add __android_log_close()
    • 437cf27 : liblog: add __android_log_close()
    • fd3c38a : Fix vold vulnerability in FrameworkListener
    • a057057 : debuggerd: fix missed use of ptrace(PTRACE_ATTACH).
    • 178bfee : adb: use asocket's close function when closing.
    • a27352b : adb: switch the socket list mutex to a recursive_mutex.
    • 153324b : libutils/Unicode.cpp: Correct length computation and add checks for utf16-utf8
    • 5ed57a7 : add a property for controlling perf_event_paranoid
    • b7cc19c : Fix scanf %s in lsof.
    • 5eddd51 : Fix overflow in path building
    • dcf95ac : Don't demangle symbol names.
    • 78aa538 : Don't create tombstone directory.

  • platform/system/media with 3 change(s)
    • bd9ae11 : Fix potential overflow in Visualizer effect
    • 60ec8cc : Camera metadata: Check for inconsistent data count
    • c30c62d : Camera: Prevent data size overflow