Commit 4a1f2942 authored Jun 04, 2020 by Devin Moore

Update parcel data pointer after realloc with size 0

If restartWrite is called with desired size of 0, mData will be
reallocated to size 0. This frees the memory and returns a null pointer.
When this happends we need to update the stored data pointer and
capacity otherwise we will crash with a double free when the object is
desctructed.

Bug: 157066561
Test: build POC included in bug. 'adb push binderMemSafety
/data/local/tmp && adb shell /data/local/tmp/binderMemSafety'. Reproduce
the crash without this change, then verify no crash with this change.
This is also being added to STS.
Ran 'atest -p' for binder tests.

Change-Id: I494e954204ee4a312739ae8600e2cf545ea452e3

parent e077b49d

libs/binder/Parcel.cpp

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -2667,7 +2667,7 @@ status_t Parcel::restartWrite(size_t desired)

	releaseObjects();		releaseObjects();

	if (data) {		if (data \|\| desired == 0) {
	LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired);		LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired);
	pthread_mutex_lock(&gParcelGlobalAllocSizeLock);		pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
	gParcelGlobalAllocSize += desired;		gParcelGlobalAllocSize += desired;