
Commit 69e66894 authored by Bernardo Rufino's avatar Bernardo Rufino Committed by Automerger Merge Worker

Merge "Fix offset check in Parcel::hasFileDescriptorsInRange()" am: bc584178...

Merge "Fix offset check in Parcel::hasFileDescriptorsInRange()" am: bc584178 am: 41952d83 am: 055f4526 am: f8094081

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/1859393

Change-Id: Id5857688bee99ffbe595c9d55120f3bf64025ea7
parents f7384fe9 f8094081
+10 −13
@@ -548,21 +548,17 @@ bool Parcel::hasFileDescriptors() const
    return mHasFds;
}

status_t Parcel::hasFileDescriptorsInRange(size_t offset, size_t len, bool& result) const {
status_t Parcel::hasFileDescriptorsInRange(size_t offset, size_t len, bool* result) const {
    if (len > INT32_MAX || offset > INT32_MAX) {
        // Don't accept size_t values which may have come from an inadvertent conversion from a
        // negative int.
        return BAD_VALUE;
    }
    size_t limit = offset + len;
    if (offset > mDataSize || len > mDataSize || limit > mDataSize || offset > limit) {
    size_t limit;
    if (__builtin_add_overflow(offset, len, &limit) || limit > mDataSize) {
        return BAD_VALUE;
    }
    result = hasFileDescriptorsInRangeUnchecked(offset, len);
    return NO_ERROR;
}

bool Parcel::hasFileDescriptorsInRangeUnchecked(size_t offset, size_t len) const {
    *result = false;
    for (size_t i = 0; i < mObjectsSize; i++) {
        size_t pos = mObjects[i];
        if (pos < offset) continue;
@@ -572,10 +568,11 @@ bool Parcel::hasFileDescriptorsInRangeUnchecked(size_t offset, size_t len) const
        }
        const flat_binder_object* flat = reinterpret_cast<const flat_binder_object*>(mData + pos);
        if (flat->hdr.type == BINDER_TYPE_FD) {
            return true;
            *result = true;
            break;
        }
    }
    return false;
    return NO_ERROR;
}

void Parcel::markSensitive() const
@@ -2568,9 +2565,9 @@ void Parcel::initState()
    }
}

void Parcel::scanForFds() const
{
    mHasFds = hasFileDescriptorsInRangeUnchecked(0, dataSize());
void Parcel::scanForFds() const {
    status_t status = hasFileDescriptorsInRange(0, dataSize(), &mHasFds);
    ALOGE_IF(status != NO_ERROR, "Error %d calling hasFileDescriptorsInRange()", status);
    mFdsKnown = true;
}
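Review bot: In scanForFds() a failed range check leaves mHasFds at its previous value while `mFdsKnown = true` still marks that value as authoritative. hasFileDescriptorsInRange() returns BAD_VALUE before writing `*result` when offset or len exceeds INT32_MAX or when offset + len goes past mDataSize, and this call passes dataSize() rather than mDataSize, so if the two can ever differ (dataSize() is not visible in this hunk) the scan is skipped and only an error is logged. Any caller that uses hasFileDescriptors() to refuse parcels carrying descriptors would then act on a stale answer. Consider caching only a successful scan, e.g. `mFdsKnown = (status == NO_ERROR);`, or setting mHasFds to the conservative value on failure.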

+1 −2
@@ -87,7 +87,7 @@ public:
    void                restoreAllowFds(bool lastValue);

    bool                hasFileDescriptors() const;
    status_t hasFileDescriptorsInRange(size_t offset, size_t length, bool& result) const;
    status_t hasFileDescriptorsInRange(size_t offset, size_t length, bool* result) const;

    // Zeros data when reallocating. Other mitigations may be added
    // in the future.
@@ -576,7 +576,6 @@ private:

    status_t            writeRawNullableParcelable(const Parcelable*
                                                   parcelable);
    bool hasFileDescriptorsInRangeUnchecked(size_t offset, size_t length) const;

    //-----------------------------------------------------------------------------
    // Generic type read and write methods for Parcel:
+1 −1
@@ -305,7 +305,7 @@ std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS {
        size_t offset = p.readUint32();
        size_t length = p.readUint32();
        bool result;
        status_t status = p.hasFileDescriptorsInRange(offset, length, result);
        status_t status = p.hasFileDescriptorsInRange(offset, length, &result);
        FUZZ_LOG() << " status: " << status  << " result: " << result;
    },
};
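Review bot: `bool result;` is streamed into FUZZ_LOG() even when the call fails, and hasFileDescriptorsInRange() returns BAD_VALUE without writing through the pointer, so the logged value is an uninitialized bool on every rejected offset/length pair. Because offset and length come straight from readUint32(), the rejected path is likely the common one in this fuzzer, and a sanitizer build may report the read as noise unrelated to Parcel itself. Initialize the variable, `bool result = false;`, or log result only when status is NO_ERROR.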