[automerge] Validate alloc_size while mapping a buffer 2p: e7e91d94d1 am: 6af58d8abb

Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/google/gchips/+/17464220 Change-Id: I47ef0fce16277408d57b438c48d7c8a6f829f85e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Presubmit Automerger Backend <android-build-presubmit-automerger-backend@system.gserviceaccount.com> 2022-04-07 23:09:13 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2022-04-07 23:09:13 +0000
commit: 0a6200f15ff328b1ae52a0a537a69ba72f0a735c (patch)
tree: edf23c1c6fc925495ed82ddf7cd65c1b85098f8a
parent: 590c03c46d5bcd1507addd9a68260b67b4e39d0f (diff)
parent: 6af58d8abb7d006d1e4ce3b5b5507bc620dafefa (diff)
download: gchips-0a6200f15ff328b1ae52a0a537a69ba72f0a735c.tar.gz
1 files changed, 18 insertions, 1 deletions
diff --git a/gralloc4/src/core/mali_gralloc_reference.cpp b/gralloc4/src/core/mali_gralloc_reference.cpp
index 954c2b3..b73c08b 100644
--- a/gralloc4/src/core/mali_gralloc_reference.cpp
+++ b/gralloc4/src/core/mali_gralloc_reference.cpp
@@ -76,6 +76,16 @@ private:
             return 0;
         }
 
+        for (auto i = 0; i < MAX_BUFFER_FDS; i++) {
+            auto size = get_buffer_size(hnd->fds[i]);
+            auto size_padding = size - (off_t)hnd->alloc_sizes[i];
+            if ((size != -1) && ((size_padding < 0) || (size_padding > PAGE_SIZE))){
+                MALI_GRALLOC_LOGE("Found an imported buffer with out-of-bounds size %" PRIu64 "",
+                                  hnd->alloc_sizes[i]);
+                return -EINVAL;
+            }
+        }
+
         int error = mali_gralloc_ion_map(hnd);
         if (error != 0) {
             return error;
@@ -115,7 +125,7 @@ private:
         } else {
             for (auto i = 0; i < MAX_BUFFER_FDS; i++) {
                 if (hnd->bases[i] != 0 || data.bases[i] != nullptr) {
-                    MALI_GRALLOC_LOGE("Validation failed: Expected nullptr for unmaped buffer");
+                    MALI_GRALLOC_LOGE("Validation failed: Expected nullptr for unmapped buffer");
                     return -EINVAL;
                 }
             }
@@ -124,6 +134,13 @@ private:
         return 0;
     }
 
+    off_t get_buffer_size(unsigned int fd) {
+        off_t current = lseek(fd, 0, SEEK_CUR);
+        off_t size = lseek(fd, 0, SEEK_END);
+        lseek(fd, current, SEEK_SET);
+        return size;
+    }
+
 public:
     static BufferManager &getInstance() {
         static BufferManager instance;
author	Presubmit Automerger Backend <android-build-presubmit-automerger-backend@system.gserviceaccount.com>	2022-04-07 23:09:13 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-04-07 23:09:13 +0000
commit	0a6200f15ff328b1ae52a0a537a69ba72f0a735c (patch)
tree	edf23c1c6fc925495ed82ddf7cd65c1b85098f8a
parent	590c03c46d5bcd1507addd9a68260b67b4e39d0f (diff)
parent	6af58d8abb7d006d1e4ce3b5b5507bc620dafefa (diff)
download	gchips-0a6200f15ff328b1ae52a0a537a69ba72f0a735c.tar.gz