Merge "Fix deadlock in updatePasswordHistory()"

author: Eric Biggers <ebiggers@google.com> 2022-08-08 17:37:22 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2022-08-08 17:37:22 +0000
commit: 0d025f53c4e1f52be48f85228d275a3999b8a500 (patch)
tree: ff1c344b728956b366e0d690db612a22cff957a3
parent: 45bdf7a065c40d7cfa5d937f3b037e6621143b07 (diff)
parent: f0832139536abeb23c39f2b502278a348150c0e6 (diff)
1 files changed, 16 insertions, 12 deletions
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index b86fa7af8bd8..f4ad750948e6 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -1627,7 +1627,7 @@ public class LockSettingsService extends ILockSettings.Stub {
             }
 
             onSyntheticPasswordKnown(userId, sp);
-            setLockCredentialWithSpLocked(credential, sp, userId, isLockTiedToParent);
+            setLockCredentialWithSpLocked(credential, sp, userId);
             sendCredentialsOnChangeIfRequired(credential, userId, isLockTiedToParent);
             return true;
         }
@@ -1641,15 +1641,18 @@ public class LockSettingsService extends ILockSettings.Stub {
         if (newCredential.isPattern()) {
             setBoolean(LockPatternUtils.PATTERN_EVER_CHOSEN_KEY, true, userHandle);
         }
+        updatePasswordHistory(newCredential, userHandle);
         mContext.getSystemService(TrustManager.class).reportEnabledTrustAgentsChanged(userHandle);
     }
 
     /**
      * Store the hash of the new password in the password history list, if device policy enforces
      * a password history requirement.
+     *
+     * This must not be called while the mSpManager lock is held, as this calls into
+     * DevicePolicyManagerService to get the requested password history length.
      */
-    private void updatePasswordHistory(SyntheticPassword sp, LockscreenCredential password,
-            int userHandle, boolean isLockTiedToParent) {
+    private void updatePasswordHistory(LockscreenCredential password, int userHandle) {
         if (password.isNone()) {
             return;
         }
@@ -1657,10 +1660,6 @@ public class LockSettingsService extends ILockSettings.Stub {
             // Do not keep track of historical patterns
             return;
         }
-        if (isLockTiedToParent) {
-            // Do not keep track of historical auto-generated profile passwords
-            return;
-        }
         // Add the password to the password history.
         String passwordHistory = getString(
                 LockPatternUtils.PASSWORD_HISTORY_KEY, /* defaultValue= */ null, userHandle);
@@ -1671,9 +1670,16 @@ public class LockSettingsService extends ILockSettings.Stub {
         if (passwordHistoryLength == 0) {
             passwordHistory = "";
         } else {
-            final byte[] hashFactor = sp.derivePasswordHashFactor();
+            final byte[] hashFactor = getHashFactor(password, userHandle);
             final byte[] salt = getSalt(userHandle).getBytes();
             String hash = password.passwordToHistoryHash(salt, hashFactor);
+            if (hash == null) {
+                // This should never happen, as all information needed to compute the hash should be
+                // available.  In particular, unwrapping the SP in getHashFactor() should always
+                // succeed, as we're using the LSKF that was just set.
+                Slog.e(TAG, "Failed to compute password hash; password history won't be updated");
+                return;
+            }
             if (TextUtils.isEmpty(passwordHistory)) {
                 passwordHistory = hash;
             } else {
@@ -2644,7 +2650,7 @@ public class LockSettingsService extends ILockSettings.Stub {
      */
     @GuardedBy("mSpManager")
     private long setLockCredentialWithSpLocked(LockscreenCredential credential,
-            SyntheticPassword sp, int userId, boolean isLockTiedToParent) {
+            SyntheticPassword sp, int userId) {
         if (DEBUG) Slog.d(TAG, "setLockCredentialWithSpLocked: user=" + userId);
         final int savedCredentialType = getCredentialTypeInternal(userId);
         final long oldProtectorId = getCurrentLskfBasedProtectorId(userId);
@@ -2682,7 +2688,6 @@ public class LockSettingsService extends ILockSettings.Stub {
         LockPatternUtils.invalidateCredentialTypeCache();
         synchronizeUnifiedWorkChallengeForProfiles(userId, profilePasswords);
 
-        updatePasswordHistory(sp, credential, userId, isLockTiedToParent);
         setUserPasswordMetrics(credential, userId);
         mManagedProfilePasswordCache.removePassword(userId);
         if (savedCredentialType != CREDENTIAL_TYPE_NONE) {
@@ -2928,8 +2933,7 @@ public class LockSettingsService extends ILockSettings.Stub {
             return false;
         }
         onSyntheticPasswordKnown(userId, result.syntheticPassword);
-        setLockCredentialWithSpLocked(credential, result.syntheticPassword, userId,
-                /* isLockTiedToParent= */ false);
+        setLockCredentialWithSpLocked(credential, result.syntheticPassword, userId);
         return true;
     }
author	Eric Biggers <ebiggers@google.com>	2022-08-08 17:37:22 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2022-08-08 17:37:22 +0000
commit	0d025f53c4e1f52be48f85228d275a3999b8a500 (patch)
tree	ff1c344b728956b366e0d690db612a22cff957a3
parent	45bdf7a065c40d7cfa5d937f3b037e6621143b07 (diff)
parent	f0832139536abeb23c39f2b502278a348150c0e6 (diff)