Fixed
Status Update
No update yet.
Comments
cb...@google.com
Project: platform/frameworks/support
Branch: androidx-main
commit 4945dfa31180f343697de5810b99ec80a48dc386
Author: Andrei Shikov <ashikov@google.com>
Date: Mon Jun 20 16:09:06 2022
Prevent removing derived state from composition when it is read in other scopes
Derived state observations were previously unconditionally removed from the recompose scope and composition together, which broke other scopes which might be still observing derived state.
This change only removes derived state instances if it is no longer observed by other scopes.
Fixes: 236618362
Test: CompositionAndDerivedStateTests#observingDerivedStateInMultipleScopes
Change-Id: I92e7c8702efecb33bea3ea3effe9ec47e2a6ae5b
M compose/runtime/runtime/src/commonMain/kotlin/androidx/compose/runtime/Composition.kt
M compose/runtime/runtime/src/commonTest/kotlin/androidx/compose/runtime/CompositionAndDerivedStateTests.kt
https://android-review.googlesource.com/2131915
Branch: androidx-main
commit 4945dfa31180f343697de5810b99ec80a48dc386
Author: Andrei Shikov <ashikov@google.com>
Date: Mon Jun 20 16:09:06 2022
Prevent removing derived state from composition when it is read in other scopes
Derived state observations were previously unconditionally removed from the recompose scope and composition together, which broke other scopes which might be still observing derived state.
This change only removes derived state instances if it is no longer observed by other scopes.
Fixes: 236618362
Test: CompositionAndDerivedStateTests#observingDerivedStateInMultipleScopes
Change-Id: I92e7c8702efecb33bea3ea3effe9ec47e2a6ae5b
M compose/runtime/runtime/src/commonMain/kotlin/androidx/compose/runtime/Composition.kt
M compose/runtime/runtime/src/commonTest/kotlin/androidx/compose/runtime/CompositionAndDerivedStateTests.kt
hb...@google.com
The following release(s) address this bug:
androidx.compose.runtime:runtime:1.3.0
hb...@google.com
[Empty comment from Monorail migration]
Description
address before taking it. This ensures that untrusted code cannot use the
syscall interface to vector execution to an arbitrary address. This role
is entrusted to the function NaClSandboxAddr, in sel_ldr.h. Unfortunately,
since r572, this function has been a no-op on x86.
-- What happened?
During a routine refactoring, code that once read
aligned_tramp_ret = tramp_ret & ~(nap->align_boundary - 1);
was changed to read
return addr & ~(uintptr_t)((1 << nap->align_boundary) - 1);
Besides the variable renames (which were intentional and correct), a shift
was introduced, treating nap->align_boundary as the log2 of bundle size.
We didn't notice this because NaCl on x86 uses a 32-byte bundle size. On
x86 with gcc, (1 << 32) == 1. (I believe the standard leaves this behavior
undefined, but I'm rusty.) Thus, the entire sandboxing sequence became a
no-op.
This change had four listed reviewers and was explicitly LGTM'd by two.
Nobody appears to have noticed the change.
-- Impact
There is a potential for untrusted code on 32-bit x86 to unalign its
instruction stream by constructing a return address and making a syscall.
This could subvert the validator. A similar vulnerability may affect x86-
64.
ARM is not affected for historical reasons: the ARM implementation masks
the untrusted return address using a different method.