
Commit d886a446 authored by Pawan Wagh's avatar Pawan Wagh

Check for data buffer size while marshalling parcel

Check the internal buffer size, which should handle cases where the
parcel's position is set beyond the data size and dataSize() actually
returns the data position.
Test: m && acloud delete --all && acloud create --local-image --local-instance
	&& atest -c CtsNdkBinderTestCases
Test: m binder_parcel_fuzzer &&
out/host/linux-x86/fuzz/x86_64/binder_parcel_fuzzer/binder_parcel_fuzzer
Bug: 264739302

Change-Id: Ib6c49fde1c1a56bae3932ce9af731a200b8a8faa
parent d30f8081
+4 −0
@@ -375,6 +375,10 @@ size_t Parcel::dataSize() const
    return (mDataSize > mDataPos ? mDataSize : mDataPos);
}

size_t Parcel::dataBufferSize() const {
    return mDataSize;
}

size_t Parcel::dataAvail() const
{
    size_t result = dataSize() - dataPosition();
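Review bot: The new dataBufferSize() accessor carries no comment explaining how it differs from dataSize() directly above it, which returns the larger of mDataSize and mDataPos; a caller picking between the two has only the names to go on. A one-line comment above the definition would settle it: `// Number of bytes actually written to the buffer (mDataSize); unlike dataSize(), this ignores mDataPos.` The new definition also puts its opening brace on the signature line while dataSize() and dataAvail() in the same hunk place it on its own line. dataAvail()'s body continues past the end of the hunk.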
+1 −0
@@ -75,6 +75,7 @@ public:
    size_t              dataAvail() const;
    size_t              dataPosition() const;
    size_t              dataCapacity() const;
    size_t dataBufferSize() const;

    status_t            setDataSize(size_t size);

+4 −1
@@ -695,7 +695,10 @@ binder_status_t AParcel_marshal(const AParcel* parcel, uint8_t* buffer, size_t s
    if (parcel->get()->objectsCount()) {
        return STATUS_INVALID_OPERATION;
    }
    int32_t dataSize = AParcel_getDataSize(parcel);
    // b/264739302 - getDataSize will return dataPos if it is greater than dataSize
    // which will cause crashes in memcpy at later point. Instead compare with
    // actual length of internal buffer
    int32_t dataSize = parcel->get()->dataBufferSize();
    if (len > static_cast<size_t>(dataSize) || start > static_cast<size_t>(dataSize) - len) {
        return STATUS_BAD_VALUE;
    }
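Review bot: The replacement line `int32_t dataSize = parcel->get()->dataBufferSize();` narrows the size_t returned by dataBufferSize() into an int32_t and the next line then casts it back to size_t, so a value above INT32_MAX would wrap negative and the static_cast would turn it into a huge size_t that passes the bounds check. Parcel sizes are presumably capped well below that elsewhere, but the cast round-trip buys nothing here: declaring `size_t dataSize = parcel->get()->dataBufferSize();` and writing the check as `if (len > dataSize || start > dataSize - len) {` keeps the arithmetic in one unsigned type and drops both static_casts. The `len > dataSize` test before the subtraction still prevents the `dataSize - len` underflow. The memcpy the comment refers to lies outside the hunk, as does the rest of AParcel_marshal.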