Merge \"liblog: pmsg_read add validity checking for prio\" (0d9ce373) · Commits · e / os / android_system_core

liblog/pmsg_reader.c

+18 −10

Original line number	Original line	Diff line number	Diff line
	@@ -144,6 +144,7 @@ static int pmsgRead(struct android_log_logger_list *logger_list,
	struct __attribute__((__packed__)) {		struct __attribute__((__packed__)) {
	android_pmsg_log_header_t p;		android_pmsg_log_header_t p;
	android_log_header_t l;		android_log_header_t l;
			uint8_t prio;
	} buf;		} buf;
	static uint8_t preread_count;		static uint8_t preread_count;
	bool is_system;		bool is_system;
	@@ -180,11 +181,16 @@ static int pmsgRead(struct android_log_logger_list *logger_list,
	if (preread_count != sizeof(buf)) {		if (preread_count != sizeof(buf)) {
	return preread_count ? -EIO : -EAGAIN;		return preread_count ? -EIO : -EAGAIN;
	}		}
	if ((buf.p.magic != LOGGER_MAGIC)		if ((buf.p.magic != LOGGER_MAGIC) \|\|
	\|\| (buf.p.len <= sizeof(buf))		(buf.p.len <= sizeof(buf)) \|\|
	\|\| (buf.p.len > (sizeof(buf) + LOGGER_ENTRY_MAX_PAYLOAD))		(buf.p.len > (sizeof(buf) + LOGGER_ENTRY_MAX_PAYLOAD)) \|\|
	\|\| (buf.l.id >= LOG_ID_MAX)		(buf.l.id >= LOG_ID_MAX) \|\|
	\|\| (buf.l.realtime.tv_nsec >= NS_PER_SEC)) {		(buf.l.realtime.tv_nsec >= NS_PER_SEC) \|\|
			((buf.l.id != LOG_ID_EVENTS) &&
			(buf.l.id != LOG_ID_SECURITY) &&
			((buf.prio == ANDROID_LOG_UNKNOWN) \|\|
			(buf.prio == ANDROID_LOG_DEFAULT) \|\|
			(buf.prio >= ANDROID_LOG_SILENT)))) {
	do {		do {
	memmove(&buf.p.magic, &buf.p.magic + 1, --preread_count);		memmove(&buf.p.magic, &buf.p.magic + 1, --preread_count);
	} while (preread_count && (buf.p.magic != LOGGER_MAGIC));		} while (preread_count && (buf.p.magic != LOGGER_MAGIC));
	@@ -202,10 +208,12 @@ static int pmsgRead(struct android_log_logger_list *logger_list,
	uid = get_best_effective_uid();		uid = get_best_effective_uid();
	is_system = uid_has_log_permission(uid);		is_system = uid_has_log_permission(uid);
	if (is_system \|\| (uid == buf.p.uid)) {		if (is_system \|\| (uid == buf.p.uid)) {
	ret = TEMP_FAILURE_RETRY(read(transp->context.fd,		char *msg = is_system ?
	is_system ?
	log_msg->entry_v4.msg :		log_msg->entry_v4.msg :
	log_msg->entry_v3.msg,		log_msg->entry_v3.msg;
			*msg = buf.prio;
			ret = TEMP_FAILURE_RETRY(read(transp->context.fd,
			msg + sizeof(buf.prio),
	buf.p.len - sizeof(buf)));		buf.p.len - sizeof(buf)));
	if (ret < 0) {		if (ret < 0) {
	return -errno;		return -errno;
	@@ -214,7 +222,7 @@ static int pmsgRead(struct android_log_logger_list *logger_list,
	return -EIO;		return -EIO;
	}		}

	log_msg->entry_v4.len = buf.p.len - sizeof(buf);		log_msg->entry_v4.len = buf.p.len - sizeof(buf) + sizeof(buf.prio);
	log_msg->entry_v4.hdr_size = is_system ?		log_msg->entry_v4.hdr_size = is_system ?
	sizeof(log_msg->entry_v4) :		sizeof(log_msg->entry_v4) :
	sizeof(log_msg->entry_v3);		sizeof(log_msg->entry_v3);
	@@ -227,7 +235,7 @@ static int pmsgRead(struct android_log_logger_list *logger_list,
	log_msg->entry_v4.uid = buf.p.uid;		log_msg->entry_v4.uid = buf.p.uid;
	}		}

	return ret + log_msg->entry_v4.hdr_size;		return ret + sizeof(buf.prio) + log_msg->entry_v4.hdr_size;
	}		}
	}		}