authorAnkit Goyal <layog@google.com>2022-05-13 21:54:32 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-05-13 21:54:32 +0000
commit52da0f0057f44510647a8495b8a47012c37af6d7 (patch)
tree4c0f0fe39212f48536a4783216d72be38fcf8d69
parent6e0b791f856accb2310de726b6ec6128ec9eca00 (diff)
parente0b9db90f3602383cc68838f0e600145154c5ba8 (diff)
downloadgchips-52da0f0057f44510647a8495b8a47012c37af6d7.tar.gz
Validate metadata dmabuf separately am: e0b9db90f3
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/google/gchips/+/18356342 Change-Id: Ia8020b4499891897e26d7e47541280b893c898d5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--gralloc4/src/core/mali_gralloc_reference.cpp67
-rw-r--r--gralloc4/src/mali_gralloc_buffer.h3
2 files changed, 55 insertions, 15 deletions
diff --git a/gralloc4/src/core/mali_gralloc_reference.cpp b/gralloc4/src/core/mali_gralloc_reference.cpp
index b73c08b..8f12975 100644
--- a/gralloc4/src/core/mali_gralloc_reference.cpp
+++ b/gralloc4/src/core/mali_gralloc_reference.cpp
@@ -21,6 +21,7 @@
#include <android-base/thread_annotations.h>
#include <hardware/gralloc1.h>
+#include <algorithm>
#include <map>
#include <mutex>
@@ -58,6 +59,54 @@ private:
return hnd->get_usage() & cpu_access_usage;
}
+ static off_t get_buffer_size(unsigned int fd) {
+ off_t current = lseek(fd, 0, SEEK_CUR);
+ off_t size = lseek(fd, 0, SEEK_END);
+ lseek(fd, current, SEEK_SET);
+ return size;
+ }
+
+ static bool dmabuf_sanity_check(buffer_handle_t handle) {
+ private_handle_t *hnd =
+ static_cast<private_handle_t *>(const_cast<native_handle_t *>(handle));
+
+ int valid_fd_count = std::find(hnd->fds, hnd->fds + MAX_FDS, -1) - hnd->fds;
+ // One fd is reserved for metadata which is not accounted for in fd_count
+ if (hnd->fd_count != valid_fd_count - 1) {
+ MALI_GRALLOC_LOGE("%s failed: count of valid buffer fds does not match fd_count",
+ __func__);
+ return false;
+ }
+
+ auto check_pid = [&](int fd, uint64_t allocated_size) -> bool {
+ auto size = get_buffer_size(fd);
+ auto size_padding = size - (off_t)allocated_size;
+ if ((size != -1) && ((size_padding < 0) || (size_padding > PAGE_SIZE))) {
+ MALI_GRALLOC_LOGE("%s failed: fd (%d) size (%jd) is not within a PAGE_SIZE of "
+ "expected size (%" PRIx64 ")",
+ __func__, fd, static_cast<intmax_t>(size), allocated_size);
+ return false;
+ }
+ return true;
+ };
+
+ // Check client facing dmabufs
+ for (auto i = 0; i < hnd->fd_count; i++) {
+ if (!check_pid(hnd->fds[i], hnd->alloc_sizes[i])) {
+ MALI_GRALLOC_LOGE("%s failed: Size check failed for alloc_sizes[%d]", __func__, i);
+ return false;
+ }
+ }
+
+ // Check metadata dmabuf
+ if (!check_pid(hnd->get_share_attr_fd(), hnd->attr_size)) {
+ MALI_GRALLOC_LOGE("%s failed: Size check failed for metadata fd", __func__);
+ return false;
+ }
+
+ return true;
+ }
+
int map_locked(buffer_handle_t handle) REQUIRES(lock) {
private_handle_t *hnd = (private_handle_t *)handle;
auto it = buffer_map.find(hnd);
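Review bot: In `check_pid` inside `dmabuf_sanity_check`, a failed `lseek` (`size == -1`) skips the size comparison and the lambda returns true, so an fd whose size cannot be read passes validation. If that is not a deliberate allowance for fds that do not support seeking, fail closed with `if ((size == -1) || (size_padding < 0) || (size_padding > PAGE_SIZE))`; if it is deliberate, say so in a comment above the condition. The count check also accepts `fd_count == -1` when `fds[0]` is -1, after which only the metadata fd is examined, so a lower bound such as `hnd->fd_count < 0 ||` in that condition seems warranted. The lambda validates sizes, not process ids, so a name like `check_size` would read better. Both new helpers are complete in this hunk; `map_locked` and the enclosing class continue outside it.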
@@ -72,18 +121,13 @@ private:
MALI_GRALLOC_LOGE("BUG: Found an imported buffer with ref count 0, expect errors");
}
+ // Return early if buffer is already mapped
if (data.bases[0] != nullptr) {
return 0;
}
- for (auto i = 0; i < MAX_BUFFER_FDS; i++) {
- auto size = get_buffer_size(hnd->fds[i]);
- auto size_padding = size - (off_t)hnd->alloc_sizes[i];
- if ((size != -1) && ((size_padding < 0) || (size_padding > PAGE_SIZE))){
- MALI_GRALLOC_LOGE("Found an imported buffer with out-of-bounds size %" PRIu64 "",
- hnd->alloc_sizes[i]);
- return -EINVAL;
- }
+ if (!dmabuf_sanity_check(handle)) {
+ return -EINVAL;
}
int error = mali_gralloc_ion_map(hnd);
@@ -134,13 +178,6 @@ private:
return 0;
}
- off_t get_buffer_size(unsigned int fd) {
- off_t current = lseek(fd, 0, SEEK_CUR);
- off_t size = lseek(fd, 0, SEEK_END);
- lseek(fd, current, SEEK_SET);
- return size;
- }
-
public:
static BufferManager &getInstance() {
static BufferManager instance;
diff --git a/gralloc4/src/mali_gralloc_buffer.h b/gralloc4/src/mali_gralloc_buffer.h
index 02172c6..3863342 100644
--- a/gralloc4/src/mali_gralloc_buffer.h
+++ b/gralloc4/src/mali_gralloc_buffer.h
@@ -177,6 +177,9 @@ struct private_handle_t
int magic DEFAULT_INITIALIZER(sMagic);
int flags DEFAULT_INITIALIZER(0);
+ /*
+ * Number of dmabuf fds, NOT including the metadata fd
+ */
int fd_count DEFAULT_INITIALIZER(1);
/*