authorYifan Hong <elsk@google.com>2018-05-11 14:19:42 -0700
committerYifan Hong <elsk@google.com>2018-05-14 20:53:13 +0000
commit694bd8d1b43b9e60623cb3d5bd3f21662680dd7c (patch)
tree3307c0fd2951f5fc6ee32575c55c35814a89a270 /libhidlmemory
parent3671d6c58e6fba347a096391586da957c5d15143 (diff)
mapMemory: Do not map if size is > SIZE_MAX
Bug: 79376389 Test: hidl_test Test: POC in bug Change-Id: Ibaced858aa07bfd7ab6e938cc1339b974b0de14f Merged-In: Ibaced858aa07bfd7ab6e938cc1339b974b0de14f
Diffstat (limited to 'libhidlmemory')
-rw-r--r--libhidlmemory/mapping.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/libhidlmemory/mapping.cpp b/libhidlmemory/mapping.cpp
index 3cb6485..8f0bcf4 100644
--- a/libhidlmemory/mapping.cpp
+++ b/libhidlmemory/mapping.cpp
@@ -24,6 +24,7 @@
#include <android-base/logging.h>
#include <android/hidl/memory/1.0/IMapper.h>
#include <hidl/HidlSupport.h>
+#include <log/log.h>
using android::sp;
using android::hidl::memory::V1_0::IMemory;
@@ -63,6 +64,15 @@ sp<IMemory> mapMemory(const hidl_memory& memory) {
return nullptr;
}
+ // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+ // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+ // but the mapped memory's actual size will be smaller than the reported size.
+ if (memory.size() > SIZE_MAX) {
+ LOG(ERROR) << "Cannot map " << memory.size() << " bytes of memory because it is too large.";
+ android_errorWriteLog(0x534e4554, "79376389");
+ return nullptr;
+ }
+
Return<sp<IMemory>> ret = mapper->mapMemory(memory);
if (!ret.isOk()) {
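Review bot: The `memory.size() > SIZE_MAX` guard sits only in this wrapper, so the truncation described in the comment remains possible for any caller that reaches an IMapper's `mapMemory` without going through this function. The diff does not show whether the mapper implementation rejects oversized sizes itself, and that is presumably where the `uint64_t` to `size_t` conversion happens, so I would confirm the same check exists next to the actual mmap call. Separately, the `android_errorWriteLog` arguments are opaque to a reader; a comment such as `// 0x534e4554 is ASCII "SNET" (event-log tag); the string is the bug id` would make the line self-explanatory. The body of `mapMemory` starts before and continues after this hunk.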