diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-11 22:31:33 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-06-11 22:31:33 +0000 |
| commit | d453e599f2aa099c33c611ffe5cc3a026f9ce16d (patch) | |
| tree | 3307c0fd2951f5fc6ee32575c55c35814a89a270 | |
| parent | 6e933f63a9f3722a315420759bb667f8637b8a84 (diff) | |
| parent | a14038d29b0bce07cbe7ca93c0fd800a591ad568 (diff) | |
| download | libhidl-oreo-m4-s10-release.tar.gz | |
Merge cherrypicks of [4314173, 4314174, 4314175, 4314176, 4314471, 4314472, 4314473, 4314474, 4314475, 4314645, 4314646, 4314193, 4314476, 4314477, 4315350, 4315351, 4315352, 4315353, 4315354, 4314478, 4315430, 4314194, 4314195, 4314196, 4314197, 4314198, 4314199, 4314200, 4315093, 4315094, 4315095, 4315096, 4315097, 4315098, 4315099, 4315100, 4315501, 4315502, 4315503, 4314177, 4315431, 4315432, 4315433, 4315434, 4314178, 4314179, 4315355, 4315435, 4315382, 4315403, 4315404, 4315436, 4315437, 4315438, 4315439, 4315440, 4315521, 4315522, 4315523, 4315524, 4315525, 4315526, 4315527, 4315528, 4315529, 4314035, 4314230, 4315356, 4315530, 4315531, 4315471, 4315357, 4315358, 4314479, 4315532, 4315533, 4315534, 4315535, 4315536] into sparse-4732991-L06700000181398573android-8.1.0_r40oreo-m4-s10-release
Change-Id: I8002474adb929940bc901706fd2877d7f3c666a3
| -rw-r--r-- | libhidlmemory/mapping.cpp | 10 | ||||
| -rw-r--r-- | transport/memory/1.0/default/Android.bp | 1 | ||||
| -rw-r--r-- | transport/memory/1.0/default/AshmemMapper.cpp | 13 |
3 files changed, 24 insertions, 0 deletions
diff --git a/libhidlmemory/mapping.cpp b/libhidlmemory/mapping.cpp index 3cb6485..8f0bcf4 100644 --- a/libhidlmemory/mapping.cpp +++ b/libhidlmemory/mapping.cpp @@ -24,6 +24,7 @@ #include <android-base/logging.h> #include <android/hidl/memory/1.0/IMapper.h> #include <hidl/HidlSupport.h> +#include <log/log.h> using android::sp; using android::hidl::memory::V1_0::IMemory; @@ -63,6 +64,15 @@ sp<IMemory> mapMemory(const hidl_memory& memory) { return nullptr; } + // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map + // size in size_t. If size is over SIZE_MAX, mapMemory could succeed + // but the mapped memory's actual size will be smaller than the reported size. + if (memory.size() > SIZE_MAX) { + LOG(ERROR) << "Cannot map " << memory.size() << " bytes of memory because it is too large."; + android_errorWriteLog(0x534e4554, "79376389"); + return nullptr; + } + Return<sp<IMemory>> ret = mapper->mapMemory(memory); if (!ret.isOk()) { diff --git a/transport/memory/1.0/default/Android.bp b/transport/memory/1.0/default/Android.bp index a4f45cf..470d3b8 100644 --- a/transport/memory/1.0/default/Android.bp +++ b/transport/memory/1.0/default/Android.bp @@ -32,6 +32,7 @@ cc_library_shared { "libhardware", "libhwbinder", "libbase", + "liblog", "libutils", "libhidlbase", "libhidltransport", diff --git a/transport/memory/1.0/default/AshmemMapper.cpp b/transport/memory/1.0/default/AshmemMapper.cpp index bef4767..cefaaa4 100644 --- a/transport/memory/1.0/default/AshmemMapper.cpp +++ b/transport/memory/1.0/default/AshmemMapper.cpp @@ -16,6 +16,9 @@ #include "AshmemMapper.h" +#include <inttypes.h> + +#include <log/log.h> #include <sys/mman.h> #include "AshmemMemory.h" @@ -32,6 +35,16 @@ Return<sp<IMemory>> AshmemMapper::mapMemory(const hidl_memory& mem) { return nullptr; } + // If ashmem service runs in 32-bit (size_t is uint32_t) and a 64-bit + // client process requests a memory > 2^32 bytes, the size would be + // converted to a 32-bit number in mmap. mmap could succeed but the + // mapped memory's actual size would be smaller than the reported size. + if (mem.size() > SIZE_MAX) { + ALOGE("Cannot map %" PRIu64 " bytes of memory because it is too large.", mem.size()); + android_errorWriteLog(0x534e4554, "79376389"); + return nullptr; + } + int fd = mem.handle()->data[0]; void* data = mmap(0, mem.size(), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); if (data == MAP_FAILED) { |