
Commit 305374cf authored by Mark Salyzyn's avatar Mark Salyzyn

logger: validate hdr_size field in logger entry

- check hdr_size to make sure it is in the expected range
  from sizeof entry_v1 to entry (entry_v4).
- alter msg() method to report NULL on invalid hdr_size
- alter all users of msg() method.

Bug: 30947841
Change-Id: I9bc1740d7aa9f37df5be966c18de1fb9de63d5dd
parent 82b67fff
+4 −0
@@ -539,6 +539,10 @@ static void dump_log_file(
    if (!hdr_size) {
      hdr_size = sizeof(log_entry.entry_v1);
    }
    if ((hdr_size < sizeof(log_entry.entry_v1)) ||
        (hdr_size > sizeof(log_entry.entry))) {
      continue;
    }
    char* msg = reinterpret_cast<char*>(log_entry.buf) + hdr_size;

    char timeBuf[32];
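Review bot: The zero-to-`sizeof(log_entry.entry_v1)` default and the range test added ahead of the `msg` assignment repeat, line for line, what this same commit puts into `log_msg::msg()`. If `log_entry` is a `struct log_msg` (its declaration is not in the hunk), the block could read `char* msg = log_entry.msg();` followed by `if (!msg) continue;`, which leaves one definition of a valid header size instead of two. That only holds if `hdr_size` is not needed again further down; `dump_log_file` starts and continues outside the hunk, so that has to be checked there.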
+8 −1
@@ -143,7 +143,14 @@ struct log_msg {
    }
    char *msg()
    {
        return entry.hdr_size ? (char *) buf + entry.hdr_size : entry_v1.msg;
        unsigned short hdr_size = entry.hdr_size;
        if (!hdr_size) {
            hdr_size = sizeof(entry_v1);
        }
        if ((hdr_size < sizeof(entry_v1)) || (hdr_size > sizeof(entry))) {
            return NULL;
        }
        return (char *) buf + hdr_size;
    }
    unsigned int len()
    {
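Review bot: `msg()` now has a NULL return that nothing at the declaration announces, and the method carries no comment. A caller written against the old one-line body will dereference NULL on an entry whose `hdr_size` is out of range, so the contract belongs next to the method: `/* Returns NULL when hdr_size is non-zero and outside [sizeof(entry_v1), sizeof(entry)]; callers must check before use. */`. The commit message says all users were altered, but any user of this struct that is not part of this change gets the new behaviour without a compile-time hint. `len()` opens on the last two lines of the hunk and its body is outside it.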
+4 −0
@@ -367,6 +367,10 @@ static int android_transport_read(struct android_log_logger_list *logger_list,
    if (log_msg->entry_v2.hdr_size == 0) {
        log_msg->entry_v2.hdr_size = sizeof(struct logger_entry);
    }
    if ((log_msg->entry_v2.hdr_size < sizeof(log_msg->entry_v1)) ||
            (log_msg->entry_v2.hdr_size > sizeof(log_msg->entry))) {
        return -EINVAL;
    }

    /* len validation */
    if (ret <= log_msg->entry_v2.hdr_size) {
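Review bot: The default written when `hdr_size` is 0 is `sizeof(struct logger_entry)`, while the lower bound tested immediately afterwards is `sizeof(log_msg->entry_v1)`; a reader has to know these are the same size to see that the default always passes the new check. Writing the default as `log_msg->entry_v2.hdr_size = sizeof(log_msg->entry_v1);` makes that visible and keeps it true if either type changes. The added test also reads `hdr_size` ahead of the `/* len validation */` step, so it depends on an earlier check, not shown in this hunk, that `ret` covers the `hdr_size` field. `android_transport_read` starts and ends outside the hunk.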
+10 −0
@@ -496,6 +496,11 @@ LIBLOG_ABI_PUBLIC int android_log_processLogBuffer(
    char *msg = buf->msg;
    struct logger_entry_v2 *buf2 = (struct logger_entry_v2 *)buf;
    if (buf2->hdr_size) {
        if ((buf2->hdr_size < sizeof(((struct log_msg *)NULL)->entry_v1)) ||
                (buf2->hdr_size > sizeof(((struct log_msg *)NULL)->entry))) {
            fprintf(stderr, "+++ LOG: entry illegal hdr_size\n");
            return -1;
        }
        msg = ((char *)buf2) + buf2->hdr_size;
        if (buf2->hdr_size >= sizeof(struct logger_entry_v4)) {
            entry->uid = ((struct logger_entry_v4 *)buf)->uid;
@@ -775,6 +780,11 @@ LIBLOG_ABI_PUBLIC int android_log_processBinaryLogBuffer(
    eventData = (const unsigned char*) buf->msg;
    struct logger_entry_v2 *buf2 = (struct logger_entry_v2 *)buf;
    if (buf2->hdr_size) {
        if ((buf2->hdr_size < sizeof(((struct log_msg *)NULL)->entry_v1)) ||
                (buf2->hdr_size > sizeof(((struct log_msg *)NULL)->entry))) {
            fprintf(stderr, "+++ LOG: entry illegal hdr_size\n");
            return -1;
        }
        eventData = ((unsigned char *)buf2) + buf2->hdr_size;
        if ((buf2->hdr_size >= sizeof(struct logger_entry_v3)) &&
                (((struct logger_entry_v3 *)buf)->lid == LOG_ID_SECURITY)) {
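Review bot: The range test is added twice, verbatim, once in `android_log_processLogBuffer` and once in `android_log_processBinaryLogBuffer`, and the same bounds are spelled out again in the other files of this commit. A single `static` helper in this file would keep the two parsers from drifting apart the next time a header version is added. The test also bounds `hdr_size` against the header layouts only; whether `msg` or `eventData` plus the entry length stays inside the caller's buffer depends on checks outside these hunks. Both functions start and end outside the hunks.

```c
/* Nonzero when hdr_size lies between the smallest and largest known header. */
static int hdr_size_in_range(const struct logger_entry_v2 *e)
{
    return (e->hdr_size >= sizeof(((struct log_msg *)NULL)->entry_v1)) &&
           (e->hdr_size <= sizeof(((struct log_msg *)NULL)->entry));
}

    if (buf2->hdr_size) {
        if (!hdr_size_in_range(buf2)) {
            /* … unchanged: fprintf to stderr and return -1 … */
```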
+4 −0
@@ -343,6 +343,10 @@ LIBLOG_ABI_PRIVATE ssize_t __android_log_pmsg_file_read(
        char *msg = (char *)&transp.logMsg + hdr_size;
        char *split = NULL;

        if ((hdr_size < sizeof(transp.logMsg.entry_v1)) ||
                (hdr_size > sizeof(transp.logMsg.entry))) {
            continue;
        }
        /* Check for invalid sequence number */
        if ((transp.logMsg.entry.nsec % ANDROID_LOG_PMSG_FILE_SEQUENCE) ||
                ((transp.logMsg.entry.nsec / ANDROID_LOG_PMSG_FILE_SEQUENCE) >=
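Review bot: `msg` is computed from `hdr_size` on the first line of the hunk, before the added range test decides whether `hdr_size` can be trusted. The pointer is not dereferenced on the `continue` path, but forming `(char *)&transp.logMsg + hdr_size` from an unchecked offset is the pattern this commit removes elsewhere, and a later edit could easily use `msg` above the check. Declaring `char *msg;` there and assigning `msg = (char *)&transp.logMsg + hdr_size;` after the test avoids that. If `hdr_size` is not normalised from 0 earlier in the loop (not visible here), zero-header entries are now skipped, unlike in the other readers touched by this commit. `__android_log_pmsg_file_read` starts and ends outside the hunk.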