Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7a96ec4b authored by Marco Nelissen's avatar Marco Nelissen
Browse files

Make Parcel::readBlob sanity check the fd 

Bug: 78138150
Test: build, boot, run poc
Change-Id: I29db365ffa75e310be195a308a76b3d35e813e96
parent 33457e81

libs/binder/Parcel.cpp

+9 −0
Original line number Diff line number Diff line
@@ -2278,6 +2278,15 @@ status_t Parcel::readBlob(size_t len, ReadableBlob* outBlob) const 
    int fd = readFileDescriptor();

    if (fd == int(BAD_TYPE)) return BAD_VALUE;



    if (!ashmem_valid(fd)) {

        ALOGE("invalid fd");

        return BAD_VALUE;

    }

    int size = ashmem_get_size_region(fd);

    if (size < 0 || size_t(size) < len) {

        ALOGE("request size %zu does not match fd size %d", len, size);

        return BAD_VALUE;

    }

    void* ptr = ::mmap(nullptr, len, isMutable ? PROT_READ | PROT_WRITE : PROT_READ,

            MAP_SHARED, fd, 0);

    if (ptr == MAP_FAILED) return NO_MEMORY;