Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 16429352 authored by Marco Nelissen's avatar Marco Nelissen Committed by Gerrit Code Review
Browse files

Check mprotect result 

mprotect can theoretically fail, which could then let one exploit
a vulnerable codec if one exists on the device.

CYNGNOS-3303
Bug: 31350239
Change-Id: I7b99c190619f0fb2eb93119596e6da0d2deb8ba5
(cherry picked from commit 866c800c)
(cherry picked from commit 79df0b35)
(cherry picked from commit 7084228c)
parent 841139a8

media/libmedia/IOMX.cpp

+28 −24
Original line number Diff line number Diff line
@@ -654,7 +654,10 @@ status_t BnOMX::onTransact( 
                            // mark the last page as inaccessible, to avoid exploitation

                            // of codecs that access past the end of the allocation because

                            // they didn't check the size

                            mprotect((char*)params + allocSize - pageSize, pageSize, PROT_NONE);

                            if (mprotect((char*)params + allocSize - pageSize, pageSize,

                                    PROT_NONE) != 0) {

                                ALOGE("mprotect failed: %s", strerror(errno));

                            } else {

                                switch (code) {

                                    case GET_PARAMETER:

                                        err = getParameter(node, index, params, size);
@@ -682,6 +685,7 @@ status_t BnOMX::onTransact( 
                                }

                            }

                        }

                    }

                } else {

                    ALOGE("couldn't map: %s", strerror(errno));

                }