Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit db60b2f5 authored by Pawan Wagh's avatar Pawan Wagh Committed by Yao Chen
Browse files

Use readUniqueFileDescriptor in incidentd service 

readFileDescriptor doesn't provide ownership of the fds. fdopen
needs ownership of the fds. Fds read from parcel should be duped
in this scenario and readUniqueFileDescriptor dups fds internally.

Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer
Test: atest incidentd_test
Bug: 286931110
Bug: 283699145

Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
(cherry picked from commit ba78ef27)
parent 9fd44ec1

cmds/incidentd/src/IncidentService.cpp

+12 −8
Original line number Diff line number Diff line
@@ -500,9 +500,13 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* 


    switch (code) {

        case SHELL_COMMAND_TRANSACTION: {

            int in = data.readFileDescriptor();

            int out = data.readFileDescriptor();

            int err = data.readFileDescriptor();

            unique_fd in, out, err;

            if (status_t status = data.readUniqueFileDescriptor(&in); status != OK) return status;



            if (status_t status = data.readUniqueFileDescriptor(&out); status != OK) return status;



            if (status_t status = data.readUniqueFileDescriptor(&err); status != OK) return status;



            int argc = data.readInt32();

            Vector<String8> args;

            for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
@@ -512,15 +516,15 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* 
            sp<IResultReceiver> resultReceiver =

                    IResultReceiver::asInterface(data.readStrongBinder());



            FILE* fin = fdopen(in, "r");

            FILE* fout = fdopen(out, "w");

            FILE* ferr = fdopen(err, "w");

            FILE* fin = fdopen(in.release(), "r");

            FILE* fout = fdopen(out.release(), "w");

            FILE* ferr = fdopen(err.release(), "w");



            if (fin == NULL || fout == NULL || ferr == NULL) {

                resultReceiver->send(NO_MEMORY);

            } else {

                err = command(fin, fout, ferr, args);

                resultReceiver->send(err);

                status_t result = command(fin, fout, ferr, args);

                resultReceiver->send(result);

            }



            if (fin != NULL) {