Loading libs/binder/IMemory.cpp +3 −1 Original line number Diff line number Diff line Loading @@ -149,7 +149,7 @@ void* IMemory::fastPointer(const sp<IBinder>& binder, ssize_t offset) const return static_cast<char*>(base) + offset; } void* IMemory::pointer() const { void* IMemory::unsecurePointer() const { ssize_t offset; sp<IMemoryHeap> heap = getMemory(&offset); void* const base = heap!=nullptr ? heap->base() : MAP_FAILED; Loading @@ -158,6 +158,8 @@ void* IMemory::pointer() const { return static_cast<char*>(base) + offset; } void* IMemory::pointer() const { return unsecurePointer(); } size_t IMemory::size() const { size_t size; getMemory(nullptr, &size); Loading libs/binder/include/binder/IMemory.h +25 −2 Original line number Diff line number Diff line Loading @@ -77,10 +77,33 @@ public: virtual sp<IMemoryHeap> getMemory(ssize_t* offset=nullptr, size_t* size=nullptr) const = 0; // helpers void* fastPointer(const sp<IBinder>& heap, ssize_t offset) const; void* pointer() const; // Accessing the underlying pointer must be done with caution, as there are // some inherent security risks associated with it. When receiving an // IMemory from an untrusted process, there is currently no way to guarantee // that this process would't change the content after the fact. This may // lead to TOC/TOU class of security bugs. In most cases, when performance // is not an issue, the recommended practice is to immediately copy the // buffer upon reception, then work with the copy, e.g.: // // std::string private_copy(mem.size(), '\0'); // memcpy(private_copy.data(), mem.unsecurePointer(), mem.size()); // // In cases where performance is an issue, this matter must be addressed on // an ad-hoc basis. void* unsecurePointer() const; size_t size() const; ssize_t offset() const; private: // These are now deprecated and are left here for backward-compatibility // with prebuilts that may reference these symbol at runtime. // Instead, new code should use unsecurePointer()/unsecureFastPointer(), // which do the same thing, but make it more obvious that there are some // security-related pitfalls associated with them. void* pointer() const; void* fastPointer(const sp<IBinder>& heap, ssize_t offset) const; }; class BnMemory : public BnInterface<IMemory> Loading Loading
libs/binder/IMemory.cpp +3 −1 Original line number Diff line number Diff line Loading @@ -149,7 +149,7 @@ void* IMemory::fastPointer(const sp<IBinder>& binder, ssize_t offset) const return static_cast<char*>(base) + offset; } void* IMemory::pointer() const { void* IMemory::unsecurePointer() const { ssize_t offset; sp<IMemoryHeap> heap = getMemory(&offset); void* const base = heap!=nullptr ? heap->base() : MAP_FAILED; Loading @@ -158,6 +158,8 @@ void* IMemory::pointer() const { return static_cast<char*>(base) + offset; } void* IMemory::pointer() const { return unsecurePointer(); } size_t IMemory::size() const { size_t size; getMemory(nullptr, &size); Loading
libs/binder/include/binder/IMemory.h +25 −2 Original line number Diff line number Diff line Loading @@ -77,10 +77,33 @@ public: virtual sp<IMemoryHeap> getMemory(ssize_t* offset=nullptr, size_t* size=nullptr) const = 0; // helpers void* fastPointer(const sp<IBinder>& heap, ssize_t offset) const; void* pointer() const; // Accessing the underlying pointer must be done with caution, as there are // some inherent security risks associated with it. When receiving an // IMemory from an untrusted process, there is currently no way to guarantee // that this process would't change the content after the fact. This may // lead to TOC/TOU class of security bugs. In most cases, when performance // is not an issue, the recommended practice is to immediately copy the // buffer upon reception, then work with the copy, e.g.: // // std::string private_copy(mem.size(), '\0'); // memcpy(private_copy.data(), mem.unsecurePointer(), mem.size()); // // In cases where performance is an issue, this matter must be addressed on // an ad-hoc basis. void* unsecurePointer() const; size_t size() const; ssize_t offset() const; private: // These are now deprecated and are left here for backward-compatibility // with prebuilts that may reference these symbol at runtime. // Instead, new code should use unsecurePointer()/unsecureFastPointer(), // which do the same thing, but make it more obvious that there are some // security-related pitfalls associated with them. void* pointer() const; void* fastPointer(const sp<IBinder>& heap, ssize_t offset) const; }; class BnMemory : public BnInterface<IMemory> Loading
