authorandroid-build-team Robot <android-build-team-robot@google.com>2018-08-10 20:33:10 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2018-08-10 20:33:10 +0000
commita2617c8bb53d885cdbc9c033906faa5b1c0aa064 (patch)
treeaa968591532df485dfb19491373f67228cb37642
parentd749b47414fac334c57a2c192dfff9316674bdcf (diff)
parentb1bbb2c9d9247273d0cdc9e9b14093463fb7e1ed (diff)
Merge cherrypicks of [4741663, 4741664, 4741665, 4741666, 4743080, 4743081, 4743082, 4743083, 4741262, 4741263, 4741264, 4741265, 4741266, 4741667, 4743084, 4741242, 4741243, 4741741, 4741742, 4741743, 4741744, 4741822, 4743085, 4741668, 4741338, 4743055, 4743056, 4743070, 4743073, 4743075, 4743076, 4743078, 4743079, 4743161, 4743162, 4743164, 4743165, 4743167, 4743168, 4743169, 4743170, 4741681, 4741682, 4741683, 4741684, 4741685, 4741686, 4741687, 4741688, 4741689, 4741690, 4741691, 4741692, 4741693, 4741694, 4741695, 4741696, 4741697, 4741698, 4741699, 4743240, 4743241, 4743242, 4743243, 4741745, 4741823, 4741824, 4741825, 4741267, 4741268, 4743244, 4743280, 4743281, 4743224, 4743203, 4743204, 4743205, 4741746, 4741747, 4743245, 4741826, 4741827, 4741828, 4741829, 4741748, 4741749, 4741750, 4743233, 4743282, 4741244, 4741245, 4741246, 4741247, 4743206, 4743207, 4743208, 4743209, 4743210, 4743211, 4743212, 4743213, 4743214, 4743215, 4743216, 4743217, 4743218, 4743219, 4743360, 4743361, 4743362, 4743363, 4743364, 4743365, 4743366, 4743367, 4743368, 4743369, 4743370, 4743371, 4743372, 4743373, 4743374, 4743375, 4743376, 4743377, 4743283, 4743284, 4741830, 4742501, 4743246, 4743086, 4743087, 4743378, 4743379, 4741751] into sparse-4749909-L04200000199131547android-8.1.0_r52android-8.1.0_r50android-8.1.0_r47android-8.1.0_r46oreo-m7-releaseoreo-m6-s4-release
Change-Id: Id2f6ae41218452ea63dd18c58ce3d848e41caed8
-rw-r--r--libhidlmemory/mapping.cpp10
-rw-r--r--transport/HidlBinderSupport.cpp10
-rw-r--r--transport/memory/1.0/default/Android.bp1
-rw-r--r--transport/memory/1.0/default/AshmemMapper.cpp13
4 files changed, 34 insertions, 0 deletions
diff --git a/libhidlmemory/mapping.cpp b/libhidlmemory/mapping.cpp
index 3cb6485..8f0bcf4 100644
--- a/libhidlmemory/mapping.cpp
+++ b/libhidlmemory/mapping.cpp
@@ -24,6 +24,7 @@
#include <android-base/logging.h>
#include <android/hidl/memory/1.0/IMapper.h>
#include <hidl/HidlSupport.h>
+#include <log/log.h>
using android::sp;
using android::hidl::memory::V1_0::IMemory;
@@ -63,6 +64,15 @@ sp<IMemory> mapMemory(const hidl_memory& memory) {
return nullptr;
}
+ // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+ // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+ // but the mapped memory's actual size will be smaller than the reported size.
+ if (memory.size() > SIZE_MAX) {
+ LOG(ERROR) << "Cannot map " << memory.size() << " bytes of memory because it is too large.";
+ android_errorWriteLog(0x534e4554, "79376389");
+ return nullptr;
+ }
+
Return<sp<IMemory>> ret = mapper->mapMemory(memory);
if (!ret.isOk()) {
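Review bot: The `android_errorWriteLog(0x534e4554, "79376389")` call in the new guard carries two unexplained magic values, and the same line is repeated in the guards added to readEmbeddedFromParcel and AshmemMapper::mapMemory. 0x534e4554 spells "SNET" in ASCII, and the string looks like a tracking bug id, though nothing on the page says so. A one-line comment above the call, such as `// Security event-log entry: tag 0x534e4554 ("SNET"), string is the tracking bug id`, would tell a later reader why the line must not be dropped during cleanup. Since the guard and its comment are copied three times, a single shared helper would also keep the copies from drifting apart. mapMemory's body starts and ends outside the hunk.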
diff --git a/transport/HidlBinderSupport.cpp b/transport/HidlBinderSupport.cpp
index fe1ccbc..31e3be8 100644
--- a/transport/HidlBinderSupport.cpp
+++ b/transport/HidlBinderSupport.cpp
@@ -19,6 +19,7 @@
#include <hidl/HidlBinderSupport.h>
// C includes
+#include <inttypes.h>
#include <unistd.h>
// C++ includes
@@ -66,6 +67,15 @@ status_t readEmbeddedFromParcel(const hidl_memory& memory,
parentOffset + hidl_memory::kOffsetOfName);
}
+ // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+ // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+ // but the mapped memory's actual size will be smaller than the reported size.
+ if (memory.size() > SIZE_MAX) {
+ ALOGE("Cannot use memory with %" PRId64 " bytes because it is too large.", memory.size());
+ android_errorWriteLog(0x534e4554, "79376389");
+ return BAD_VALUE;
+ }
+
return _hidl_err;
}
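Review bot: The ALOGE call in the new guard formats `memory.size()` with `PRId64`, but the comment directly above says the size is a uint64_t. Any value above INT64_MAX would be logged as a negative number, which is misleading in precisely the oversized-size case this message exists to report. The AshmemMapper.cpp guard in the same commit already uses the unsigned macro, so the line should read `ALOGE("Cannot use memory with %" PRIu64 " bytes because it is too large.", memory.size());`. Only `<inttypes.h>` is added to this file here, so it is worth confirming that the header declaring `android_errorWriteLog` is already included outside the hunk.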
diff --git a/transport/memory/1.0/default/Android.bp b/transport/memory/1.0/default/Android.bp
index a4f45cf..470d3b8 100644
--- a/transport/memory/1.0/default/Android.bp
+++ b/transport/memory/1.0/default/Android.bp
@@ -32,6 +32,7 @@ cc_library_shared {
"libhardware",
"libhwbinder",
"libbase",
+ "liblog",
"libutils",
"libhidlbase",
"libhidltransport",
diff --git a/transport/memory/1.0/default/AshmemMapper.cpp b/transport/memory/1.0/default/AshmemMapper.cpp
index bef4767..cefaaa4 100644
--- a/transport/memory/1.0/default/AshmemMapper.cpp
+++ b/transport/memory/1.0/default/AshmemMapper.cpp
@@ -16,6 +16,9 @@
#include "AshmemMapper.h"
+#include <inttypes.h>
+
+#include <log/log.h>
#include <sys/mman.h>
#include "AshmemMemory.h"
@@ -32,6 +35,16 @@ Return<sp<IMemory>> AshmemMapper::mapMemory(const hidl_memory& mem) {
return nullptr;
}
+ // If ashmem service runs in 32-bit (size_t is uint32_t) and a 64-bit
+ // client process requests a memory > 2^32 bytes, the size would be
+ // converted to a 32-bit number in mmap. mmap could succeed but the
+ // mapped memory's actual size would be smaller than the reported size.
+ if (mem.size() > SIZE_MAX) {
+ ALOGE("Cannot map %" PRIu64 " bytes of memory because it is too large.", mem.size());
+ android_errorWriteLog(0x534e4554, "79376389");
+ return nullptr;
+ }
+
int fd = mem.handle()->data[0];
void* data = mmap(0, mem.size(), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (data == MAP_FAILED) {
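Review bot: The new comment says the problem arises when a client "requests a memory > 2^32 bytes", but the guard `mem.size() > SIZE_MAX` on a 32-bit service also rejects a size of exactly 2^32, which would truncate to 0 in the `mmap` call below. The code is right and the comment is off by one; `// client process requests a memory >= 2^32 bytes, the size would be` matches what the check does. It would also help to note in the comment that the comparison can never be true where size_t is 64 bits wide, so the guard only has an effect in 32-bit builds. The start of AshmemMapper::mapMemory and the rest of its body are outside the hunk.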