Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 72d3c6f8 authored by Keith Mok's avatar Keith Mok Committed by Android Build Coastguard Worker
Browse files

File size seal for memory mapped region 

When using memfd for cross process communication, we always need to seal
the file size, otherwise remote process and shrink the size we memory
mapped and thus crash the originate process causing a DoS

Bug: 294609150
Test: Build
Ignore-AOSP-First: security
(cherry picked from commit 3d9f1e3b)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:77b758c59f58a05d1c0d45350796951bc778745f)
Merged-In: Ibc263c4f78df897e884378e3d984a188ca8772c7
Change-Id: Ibc263c4f78df897e884378e3d984a188ca8772c7
parent 4444408e

libs/binder/MemoryHeapBase.cpp

+2 −2
Original line number Diff line number Diff line
@@ -73,8 +73,8 @@ MemoryHeapBase::MemoryHeapBase(size_t size, uint32_t flags, char const * name) 
        ALOGV("MemoryHeapBase: Attempting to force MemFD");

        fd = memfd_create_region(name ? name : "MemoryHeapBase", size);

        if (fd < 0 || (mapfd(fd, true, size) != NO_ERROR)) return;

        const int SEAL_FLAGS = ((mFlags & READ_ONLY) ? F_SEAL_FUTURE_WRITE : 0) |

                ((mFlags & MEMFD_ALLOW_SEALING_FLAG) ? 0 : F_SEAL_SEAL);

        const int SEAL_FLAGS = ((mFlags & READ_ONLY) ? F_SEAL_FUTURE_WRITE : 0) | F_SEAL_GROW |

                F_SEAL_SHRINK | ((mFlags & MEMFD_ALLOW_SEALING_FLAG) ? 0 : F_SEAL_SEAL);

        if (SEAL_FLAGS && (fcntl(fd, F_ADD_SEALS, SEAL_FLAGS) == -1)) {

            ALOGE("MemoryHeapBase: MemFD %s sealing with flags %x failed with error  %s", name,

                  SEAL_FLAGS, strerror(errno));

libs/binder/tests/binderMemoryHeapBaseUnitTest.cpp

+9 −4
Original line number Diff line number Diff line
@@ -37,7 +37,8 @@ TEST(MemoryHeapBase, MemfdSealed) { 
    ASSERT_NE(mHeap.get(), nullptr);

    int fd = mHeap->getHeapID();

    EXPECT_NE(fd, -1);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS), F_SEAL_SEAL);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS), F_SEAL_GROW | F_SEAL_SHRINK | F_SEAL_SEAL);

    EXPECT_EQ(ftruncate(fd, 4096), -1);

}



TEST(MemoryHeapBase, MemfdUnsealed) {
@@ -48,7 +49,8 @@ TEST(MemoryHeapBase, MemfdUnsealed) { 
    ASSERT_NE(mHeap.get(), nullptr);

    int fd = mHeap->getHeapID();

    EXPECT_NE(fd, -1);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS), 0);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS), F_SEAL_GROW | F_SEAL_SHRINK);

    EXPECT_EQ(ftruncate(fd, 4096), -1);

}



TEST(MemoryHeapBase, MemfdSealedProtected) {
@@ -59,7 +61,9 @@ TEST(MemoryHeapBase, MemfdSealedProtected) { 
    ASSERT_NE(mHeap.get(), nullptr);

    int fd = mHeap->getHeapID();

    EXPECT_NE(fd, -1);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS), F_SEAL_SEAL | F_SEAL_FUTURE_WRITE);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS),

              F_SEAL_GROW | F_SEAL_SHRINK | F_SEAL_SEAL | F_SEAL_FUTURE_WRITE);

    EXPECT_EQ(ftruncate(fd, 4096), -1);

}



TEST(MemoryHeapBase, MemfdUnsealedProtected) {
@@ -71,7 +75,8 @@ TEST(MemoryHeapBase, MemfdUnsealedProtected) { 
    ASSERT_NE(mHeap.get(), nullptr);

    int fd = mHeap->getHeapID();

    EXPECT_NE(fd, -1);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS), F_SEAL_FUTURE_WRITE);

    EXPECT_EQ(fcntl(fd, F_GET_SEALS), F_SEAL_GROW | F_SEAL_SHRINK | F_SEAL_FUTURE_WRITE);

    EXPECT_EQ(ftruncate(fd, 4096), -1);

}



#else