diff options
| author | TreeHugger Robot <treehugger-gerrit@google.com> | 2021-06-18 15:28:57 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2021-06-18 15:28:57 +0000 |
| commit | e37cdac52a575a68934af58b47767219a91acf07 (patch) | |
| tree | e3a91632d79ad0ecbdee8dd88084948b5f384041 | |
| parent | 90c71cad595677cf8b0c889a6d443534d5d1a70d (diff) | |
| parent | d348f15eac59e1c077480c1a9881ebe37360567c (diff) | |
| download | gchips-e37cdac52a575a68934af58b47767219a91acf07.tar.gz | |
Merge "vendorgraphicbuffer: add validation on metadata before operating" into sc-dev
| -rw-r--r-- | gralloc4/src/core/mali_gralloc_reference.cpp | 22 | ||||
| -rw-r--r-- | gralloc4/src/core/mali_gralloc_reference.h | 1 | ||||
| -rw-r--r-- | libvendorgraphicbuffer/Android.bp | 1 | ||||
| -rw-r--r-- | libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp | 26 |
4 files changed, 42 insertions, 8 deletions
diff --git a/gralloc4/src/core/mali_gralloc_reference.cpp b/gralloc4/src/core/mali_gralloc_reference.cpp index 22d8aa0..e24d9ff 100644 --- a/gralloc4/src/core/mali_gralloc_reference.cpp +++ b/gralloc4/src/core/mali_gralloc_reference.cpp @@ -116,3 +116,25 @@ int mali_gralloc_reference_release(buffer_handle_t handle, bool canFree) pthread_mutex_unlock(&s_map_lock); return 0; } + +int mali_gralloc_reference_validate(buffer_handle_t handle) +{ + if (private_handle_t::validate(handle) < 0) + { + MALI_GRALLOC_LOGE("Reference invalid buffer %p, returning error", handle); + return -EINVAL; + } + + const auto *hnd = (private_handle_t *)handle; + pthread_mutex_lock(&s_map_lock); + + if (hnd->allocating_pid == getpid() || hnd->remote_pid == getpid()) { + pthread_mutex_unlock(&s_map_lock); + return 0; + } else { + pthread_mutex_unlock(&s_map_lock); + MALI_GRALLOC_LOGE("Reference unimported buffer %p, returning error", handle); + return -EINVAL; + } +} + diff --git a/gralloc4/src/core/mali_gralloc_reference.h b/gralloc4/src/core/mali_gralloc_reference.h index f2afc61..555be08 100644 --- a/gralloc4/src/core/mali_gralloc_reference.h +++ b/gralloc4/src/core/mali_gralloc_reference.h @@ -23,5 +23,6 @@ int mali_gralloc_reference_retain(buffer_handle_t handle); int mali_gralloc_reference_release(buffer_handle_t handle, bool canFree); +int mali_gralloc_reference_validate(buffer_handle_t handle); #endif /* MALI_GRALLOC_REFERENCE_H_ */ diff --git a/libvendorgraphicbuffer/Android.bp b/libvendorgraphicbuffer/Android.bp index b1e2a3f..bf8904d 100644 --- a/libvendorgraphicbuffer/Android.bp +++ b/libvendorgraphicbuffer/Android.bp @@ -86,6 +86,7 @@ cc_library_shared { "android.hardware.graphics.mapper@2.1", "android.hardware.graphics.mapper@3.0", "android.hardware.graphics.mapper@4.0", + "android.hardware.graphics.mapper@4.0-impl", "libgralloctypes", "libhidlbase", ], diff --git a/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp b/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp index 929c6b9..b45cc86 100644 --- a/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp +++ b/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp @@ -32,6 +32,15 @@ using aidl::android::hardware::graphics::common::Dataspace; #define UNUSED(x) ((void)x) #define SZ_4k 0x1000 +extern int mali_gralloc_reference_validate(buffer_handle_t handle); + +const private_handle_t * convertNativeHandleToPrivateHandle(buffer_handle_t handle) { + if (mali_gralloc_reference_validate(handle) < 0) + return nullptr; + + return static_cast<const private_handle_t *>(handle); +} + int VendorGraphicBufferMeta::get_video_metadata_fd(buffer_handle_t hnd) { const private_handle_t *gralloc_hnd = static_cast<const private_handle_t *>(hnd); @@ -54,6 +63,9 @@ int VendorGraphicBufferMeta::get_dataspace(buffer_handle_t hnd) if (!gralloc_hnd) return -1; + if (mali_gralloc_reference_validate(hnd) < 0) + ALOGW("VendorGraphicBufferMeta: get_dataspace from unimported buffer %p", hnd); + int attr_fd = gralloc_hnd->get_share_attr_fd(); if(attr_fd < 0) @@ -71,9 +83,9 @@ int VendorGraphicBufferMeta::get_dataspace(buffer_handle_t hnd) int VendorGraphicBufferMeta::set_dataspace(buffer_handle_t hnd, android_dataspace_t dataspace) { - const private_handle_t *gralloc_hnd = static_cast<const private_handle_t *>(hnd); + const auto *gralloc_hnd = convertNativeHandleToPrivateHandle(hnd); - if (!gralloc_hnd) + if (gralloc_hnd == nullptr) return -1; arm::mapper::common::set_dataspace(gralloc_hnd, static_cast<Dataspace>(dataspace)); @@ -180,10 +192,9 @@ uint64_t VendorGraphicBufferMeta::get_usage(buffer_handle_t hnd) void* VendorGraphicBufferMeta::get_video_metadata(buffer_handle_t hnd) { - private_handle_t *gralloc_hnd = - static_cast<private_handle_t *>(const_cast<native_handle_t *>(hnd)); + const auto *gralloc_hnd = convertNativeHandleToPrivateHandle(hnd); - if (!gralloc_hnd) + if (gralloc_hnd == nullptr) return nullptr; return gralloc_hnd->attr_base; @@ -191,10 +202,9 @@ void* VendorGraphicBufferMeta::get_video_metadata(buffer_handle_t hnd) void* VendorGraphicBufferMeta::get_video_metadata_roiinfo(buffer_handle_t hnd) { - private_handle_t *gralloc_hnd = - static_cast<private_handle_t *>(const_cast<native_handle_t *>(hnd)); + const auto *gralloc_hnd = convertNativeHandleToPrivateHandle(hnd); - if (!gralloc_hnd) + if (gralloc_hnd == nullptr) return nullptr; if (gralloc_hnd->get_usage() & VendorGraphicBufferUsage::ROIINFO) |