author | 2025-05-15 16:39:49 +0000 | |
---|---|---|
committer | 2025-09-18 10:09:18 +0200 | |
commit | afd850182d79df08b03bbc24eb2b070980fb2826 (patch) | |
tree | 629e94e304fe0f4f17958a086028ff70c1a96a34 /services/surfaceflinger/CompositionEngine/src/Output.cpp | |
parent | 68cf00580d81909ea0474123462a69673d635091 (diff) |
[SP 2025-09-01] Don't blur too many layersbanksia-dev
An application requesting lots and lots of blurs:
a. Enables pixel stealing by measuring how long it takes to perform a
blur across windows
b. Probably isn't very valid anyways.
So, just arbitrarily pick an upper bound for blur requests that a
display is allowed to manage (10), and disable everything else.
Arbitrarily, pick the 10 "front-most" blurs to be respected.
Bug: 399120953
Flag: EXEMPT security
Test: Security PoC no longer PoCs
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fbcb9ae5eb45e2273be05d5366b47bd8436c1718)
Merged-In: Ie7195eb852b52aff2f58da8bd095d8684baceef6
Change-Id: Ie7195eb852b52aff2f58da8bd095d8684baceef6
Diffstat (limited to 'services/surfaceflinger/CompositionEngine/src/Output.cpp')
-rw-r--r-- | services/surfaceflinger/CompositionEngine/src/Output.cpp | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/services/surfaceflinger/CompositionEngine/src/Output.cpp b/services/surfaceflinger/CompositionEngine/src/Output.cpp
index 00a61a5ab6..8a2b33bf68 100644
--- a/services/surfaceflinger/CompositionEngine/src/Output.cpp
+++ b/services/surfaceflinger/CompositionEngine/src/Output.cpp
@@ -776,6 +776,9 @@ void Output::ensureOutputLayerIfVisible(sp<compositionengine::LayerFE>& layerFE,
 // one, or create a new one if we do not.
 auto outputLayer = ensureOutputLayer(prevOutputLayerIndex, layerFE);
+ coverage.aboveBlurRequests += static_cast<int32_t>(layerFEState->backgroundBlurRadius > 0 ||
+ !layerFEState->blurRegions.empty());
+
 // Store the layer coverage information into the layer state as some of it
 // is useful later.
 auto& outputLayerState = outputLayer->editState();
@@ -790,6 +793,11 @@ void Output::ensureOutputLayerIfVisible(sp<compositionengine::LayerFE>& layerFE,
 ? outputState.transform.transform(
 transparentRegion.intersect(outputState.layerStackSpace.getContent()))
 : Region();
+
+ // See b/399120953: blurs are so expensive that they may be susceptible to compression side
+ // channel attacks
+ static constexpr auto kMaxBlurRequests = 10;
+ outputLayerState.ignoreBlur = coverage.aboveBlurRequests > kMaxBlurRequests;
 if (CC_UNLIKELY(computeAboveCoveredExcludingOverlays)) {
 outputLayerState.coveredRegionExcludingDisplayOverlays =
 std::move(coveredRegionExcludingDisplayOverlays);
@@ -1499,7 +1507,7 @@ std::vector<LayerFE::LayerSettings> Output::generateClientCompositionRequests(
 const Region viewportRegion(outputState.layerStackSpace.getContent());
 bool firstLayer = true;
- bool disableBlurs = false;
+ bool disableBlursWholesale = false;
 uint64_t previousOverrideBufferId = 0;
 for (auto* layer : getOutputLayersOrderedByZ()) {
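Review bot: In the `-776` hunk the counter grows by at most one per layer, because the whole `||` expression is cast to `int32_t`; a layer carrying many entries in `blurRegions` is charged the same as a layer with a single background blur. If each region can cost its own blur pass downstream (not visible on this page), the limit of ten bounds layers rather than blur work. Either count the regions, e.g. `coverage.aboveBlurRequests += static_cast<int32_t>(layerFEState->blurRegions.size()) + (layerFEState->backgroundBlurRadius > 0 ? 1 : 0);`, or add a comment stating that per-layer counting is intentional and why it is sufficient. The body of `ensureOutputLayerIfVisible` starts and ends outside the hunk.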
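Review bot: The comment added in the `-790` hunk names the bug but not the rule being enforced: `coverage.aboveBlurRequests` has already been incremented for the current layer when it is compared, so the first ten blur-requesting layers visited keep their blur and every later layer gets `ignoreBlur`. I would state that in the comment, e.g. `// aboveBlurRequests includes this layer: the first kMaxBlurRequests blur-requesting layers visited keep their blur, the rest have it ignored.`, and note that this relies on layers being visited front to back, which the commit message implies but the hunk does not show. The constant would also read better with an explicit type matching the cast used for the counter, `static constexpr int32_t kMaxBlurRequests = 10;`.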
@@ -1516,7 +1524,8 @@ std::vector<LayerFE::LayerSettings> Output::generateClientCompositionRequests(
 continue;
 }
- disableBlurs |= layerFEState->sidebandStream != nullptr;
+ disableBlursWholesale |= layerFEState->sidebandStream != nullptr;
+ bool disableBlurForLayer = layer->getState().ignoreBlur || disableBlursWholesale;
 const bool clientComposition = layer->requiresClientComposition();
@@ -1546,7 +1555,8 @@ std::vector<LayerFE::LayerSettings> Output::generateClientCompositionRequests(
 layer->getLayerFE().getDebugName());
 }
 } else {
- LayerFE::ClientCompositionTargetSettings::BlurSetting blurSetting = disableBlurs
+ LayerFE::ClientCompositionTargetSettings::BlurSetting blurSetting =
+ disableBlurForLayer
 ? LayerFE::ClientCompositionTargetSettings::BlurSetting::Disabled
 : (layer->getState().overrideInfo.disableBackgroundBlur
 ? LayerFE::ClientCompositionTargetSettings::BlurSetting:: |
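Review bot: `disableBlurForLayer` in the `-1516` hunk trusts `ignoreBlur`, which this diff writes only in `ensureOutputLayerIfVisible`, and the page does not show how often that function runs. If the visible-layer pass is skipped on frames without a geometry update, a blur radius or blur region set on an existing layer afterwards would be composed against a stale flag. It is worth confirming that blur changes force that pass, or documenting the assumption next to this line. Separately, the new local is never reassigned in the visible lines and can be `const bool disableBlurForLayer = layer->getState().ignoreBlur || disableBlursWholesale;`, matching `const bool clientComposition` below it. The loop body continues outside the hunk.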
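Review bot: The `-1546` hunk is where the cap becomes observable, as `BlurSetting::Disabled` for a layer past the limit, yet the commit record lists only the PoC under `Test:` and this page shows Output.cpp alone. A unit test that feeds eleven blur-requesting layers through `generateClientCompositionRequests` and expects `BlurSetting::Disabled` on the rearmost one would keep the bound from regressing; if such a test lives in a file not shown here, disregard this. The ternary is now three levels deep and continues past the end of the hunk, so a one-line comment above it naming the outcomes would help the next reader.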