Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4e76d690 authored by Steven Moreland's avatar Steven Moreland
Browse files

libbinder: Parcel: validate read data before write 

This is slow, but it's required to prevent memory
corruption.

Ignore-AOSP-First: security
Bug: 370840874
Test: fuzzer
Merged-In: Ibc5566ade0389221690dc90324f93394cf7fc9a5
Change-Id: Ibc5566ade0389221690dc90324f93394cf7fc9a5
(cherry picked from commit c54dad65)
parent 4cc54592

libs/binder/Parcel.cpp

+12 −0
Original line number Diff line number Diff line
@@ -888,6 +888,10 @@ restart_write: 
        //printf("Writing %ld bytes, padded to %ld\n", len, padded);

        uint8_t* const data = mData+mDataPos;



        if (status_t status = validateReadData(mDataPos + padded); status != OK) {

            return nullptr; // drops status

        }



        // Need to pad at end?

        if (padded != len) {

#if BYTE_ORDER == BIG_ENDIAN
@@ -1405,6 +1409,10 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData) 
    const bool enoughObjects = mObjectsSize < mObjectsCapacity;

    if (enoughData && enoughObjects) {

restart_write:

        if (status_t status = validateReadData(mDataPos + sizeof(val)); status != OK) {

            return status;

        }



        *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;



        // remember if it's a file descriptor
@@ -1621,6 +1629,10 @@ status_t Parcel::writeAligned(T val) { 


    if ((mDataPos+sizeof(val)) <= mDataCapacity) {

restart_write:

        if (status_t status = validateReadData(mDataPos + sizeof(val)); status != OK) {

            return status;

        }



        memcpy(mData + mDataPos, &val, sizeof(val));

        return finishWrite(sizeof(val));

    }