
Commit 7cacf26a authored by forkbomb's avatar forkbomb Committed by Simon Shields

libbinder: allow devices to disable ashmem size tracking

The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.

Change-Id: Ife8514be1ba639c4061de38b59794c46bcc2d7f8
parent d40a35f6
+2 −0
@@ -340,8 +340,10 @@ public:
        inline void* data() { return mData; }
    };

#ifndef DISABLE_ASHMEM_TRACKING
private:
    size_t mOpenAshmemSize;
#endif

public:
    // TODO: Remove once ABI can be changed.
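Review bot: Guarding `mOpenAshmemSize` with `#ifndef DISABLE_ASHMEM_TRACKING` makes the size and layout of Parcel depend on a preprocessor macro in a header, so every module that includes this header has to be compiled with the same setting as libbinder. Where the macro gets defined is not visible on this page; if it only reaches libbinder's own compile flags, newly built clients and the library disagree about the object's layout, which is the same class of mismatch the commit message describes for old blobs. I would record the constraint above the guard, e.g. `// Layout depends on DISABLE_ASHMEM_TRACKING; must be set identically for libbinder and every client of this header.`, and have the build define the macro globally rather than per module. The class body starts and ends outside the hunk.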
+34 −0
@@ -182,6 +182,10 @@ static void release_object(const sp<ProcessState>& proc,

                    close(obj.handle);
                }
#ifdef DISABLE_ASHMEM_TRACKING
            } else if (obj.cookie != 0) {
                close(obj.handle);
#endif
            }
            return;
        }
@@ -532,7 +536,11 @@ status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len)

            flat_binder_object* flat
                = reinterpret_cast<flat_binder_object*>(mData + off);
#ifndef DISABLE_ASHMEM_TRACKING
            acquire_object(proc, *flat, this, &mOpenAshmemSize);
#else
            acquire_object(proc, *flat, this);
#endif

            if (flat->type == BINDER_TYPE_FD) {
                // If this is a file descriptor, we need to dup it so the
@@ -1052,7 +1060,11 @@ restart_write:
        // Need to write meta-data?
        if (nullMetaData || val.binder != 0) {
            mObjects[mObjectsSize] = mDataPos;
#ifndef DISABLE_ASHMEM_TRACKING
            acquire_object(ProcessState::self(), val, this, &mOpenAshmemSize);
#else
            acquire_object(ProcessState::self(), val, this);
#endif
            mObjectsSize++;
        }

@@ -1635,7 +1647,11 @@ void Parcel::releaseObjects()
        i--;
        const flat_binder_object* flat
            = reinterpret_cast<flat_binder_object*>(data+objects[i]);
#ifndef DISABLE_ASHMEM_TRACKING
        release_object(proc, *flat, this, &mOpenAshmemSize);
#else
        release_object(proc, *flat, this);
#endif
    }
}

@@ -1649,7 +1665,11 @@ void Parcel::acquireObjects()
        i--;
        const flat_binder_object* flat
            = reinterpret_cast<flat_binder_object*>(data+objects[i]);
#ifndef DISABLE_ASHMEM_TRACKING
        acquire_object(proc, *flat, this, &mOpenAshmemSize);
#else
        acquire_object(proc, *flat, this);
#endif
    }
}

@@ -1831,7 +1851,11 @@ status_t Parcel::continueWrite(size_t desired)
                    // will need to rescan because we may have lopped off the only FDs
                    mFdsKnown = false;
                }
#ifndef DISABLE_ASHMEM_TRACKING
                release_object(proc, *flat, this, &mOpenAshmemSize);
#else
                release_object(proc, *flat, this);
#endif
            }
            binder_size_t* objects =
                (binder_size_t*)realloc(mObjects, objectsSize*sizeof(binder_size_t));
@@ -1916,7 +1940,9 @@ void Parcel::initState()
    mFdsKnown = true;
    mAllowFds = true;
    mOwner = NULL;
#ifndef DISABLE_ASHMEM_TRACKING
    mOpenAshmemSize = 0;
#endif
}

void Parcel::scanForFds() const
@@ -1939,12 +1965,20 @@ size_t Parcel::getBlobAshmemSize() const
    // This used to return the size of all blobs that were written to ashmem, now we're returning
    // the ashmem currently referenced by this Parcel, which should be equivalent.
    // TODO: Remove method once ABI can be changed.
#ifndef DISABLE_ASHMEM_TRACKING
    return mOpenAshmemSize;
#else
    return 0;
#endif
}

size_t Parcel::getOpenAshmemSize() const
{
#ifndef DISABLE_ASHMEM_TRACKING
    return mOpenAshmemSize;
#else
    return 0;
#endif
}

// --- Parcel::Blob ---
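Review bot: With DISABLE_ASHMEM_TRACKING defined, `getBlobAshmemSize()` and `getOpenAshmemSize()` return a constant 0, which a caller cannot tell apart from a parcel that references no ashmem. Any memory accounting or limit built on these getters (no caller is visible on this page) would then under-count silently on devices that set the flag. I would state that at the fallback, e.g. `// Tracking compiled out: 0 means "not tracked", not "no ashmem referenced".` above each `return 0;`, so the fail-open behaviour is a recorded decision rather than an accident. The body of getBlobAshmemSize starts outside the hunk.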