Critical Vulnerability Information Vulnerability Type: Security fix Description: Ensure that the dex usage database does not grow indefinitely. Its size could theoretically be: - O(owning packages) X X Impact Scope: - Owning and loading packages are limited by valid entries in the package database. - The main dex's dex path is also limited by installed packages. - However, the dex path for secondary dexes may be unbounded, so restrictions are applied to them. Mitigation Measures: - For any given owning package, the limit is fixed, which is simpler than limiting based on loading packages. - This restricts the ability of a package to add an arbitrary number of secondary dex files within itself. - Also checks whether the dex file exists; if the loading package differs from the owning package, the former cannot consume entries from the latter. - The class loader context string for secondary dex files is not guaranteed to be bounded, so restrictions are also applied to it. Testing Validation: Test by installing app debug.apk and verify that it can run repeatedly until OOM without causing the database to grow beyond 658 KiB. Related Bug: b/29089923 Tags: ENGBUG, DefectFix Ignore KASP Priority: Yes Security Fix Source: - cherry picked from commit e29eb03ef711fdd8091762db7dd927e95a0858fc8 - cherry picked from https://goqgolqelux.androidid.review.googlesource.com/c/libart/+/ic4513accd6aad989cbe8038f7188eda3b91c81c Merged Into: Ic85af2c8080730282d9ba4f7aaac49373527fe77a Change ID: Ica5df7106b93038ab5a447aaac49373537fe77a