Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 79df0b35 authored by Marco Nelissen's avatar Marco Nelissen Committed by Jessica Wagantall
Browse files

Check mprotect result 

mprotect can theoretically fail, which could then let one exploit
a vulnerable codec if one exists on the device.

CYNGNOS-3303
Bug: 31350239
Change-Id: I7b99c190619f0fb2eb93119596e6da0d2deb8ba5
(cherry picked from commit 866c800c)
parent 65a3e27b

media/libmedia/IOMX.cpp

+28 −24
Original line number Diff line number Diff line
@@ -654,7 +654,10 @@ status_t BnOMX::onTransact( 
                            // mark the last page as inaccessible, to avoid exploitation

                            // of codecs that access past the end of the allocation because

                            // they didn't check the size

                            mprotect((char*)params + allocSize - pageSize, pageSize, PROT_NONE);

                            if (mprotect((char*)params + allocSize - pageSize, pageSize,

                                    PROT_NONE) != 0) {

                                ALOGE("mprotect failed: %s", strerror(errno));

                            } else {

                                switch (code) {

                                    case GET_PARAMETER:

                                        err = getParameter(node, index, params, size);
@@ -682,6 +685,7 @@ status_t BnOMX::onTransact( 
                                }

                            }

                        }

                    }

                } else {

                    ALOGE("couldn't map: %s", strerror(errno));

                }