Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0eb4624b authored by Brian Duddie's avatar Brian Duddie
Browse files

Add bounds check to sensors direct channel creation 

Avoids attempting to read a 0-size array during input validation. Adds
SafetyNet logging when this is triggered.

Also, change the cast for the ashmem size check from int to int64_t to
avoid potential conversion to negative number on 32-bit systems.

Bug: 70986337
Test: run POC, confirm via logs that function bails early
Change-Id: I674285738983f18de3466f9e818d83dabe269b7d
parent 11e6a7f0

services/sensorservice/SensorService.cpp

+7 −1
Original line number Diff line number Diff line
@@ -21,6 +21,7 @@ 
#include <cutils/properties.h>

#include <hardware/sensors.h>

#include <hardware_legacy/power.h>

#include <log/log.h>

#include <openssl/digest.h>

#include <openssl/hmac.h>

#include <openssl/rand.h>
@@ -986,10 +987,15 @@ sp<ISensorEventConnection> SensorService::createSensorDirectConnection( 
    // check specific to memory type

    switch(type) {

        case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem

            if (resource->numFds < 1) {

                ALOGE("Ashmem direct channel requires a memory region to be supplied");

                android_errorWriteLog(0x534e4554, "70986337");  // SafetyNet

                return nullptr;

            }

            int fd = resource->data[0];

            int size2 = ashmem_get_size_region(fd);

            // check size consistency

            if (size2 < static_cast<int>(size)) {

            if (size2 < static_cast<int64_t>(size)) {

                ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d",

                      size, size2);

                return nullptr;