libhwbinder: kernel check also in userspace

To avoid false crashes in fuzzer. Fixes: 220396435 Test: binder_parcel_fuzzer w/ repro Change-Id: I4fd2ab705d2525f2e3786011d90bc5c32de555b4
author: Steven Moreland <smoreland@google.com> 2022-03-08 01:58:53 +0000
committer: Steven Moreland <smoreland@google.com> 2022-03-08 01:58:53 +0000
commit: 487bee35e0416f6aa7c79c5e1f1a184f92609d43 (patch)
tree: 4f8c3b4273ab1018c2dbaee817a32383c40fccbf /Parcel.cpp
parent: 2fcf57e9fd260db88c8abfa014eab775b86db76b (diff)
download: libhwbinder-487bee35e0416f6aa7c79c5e1f1a184f92609d43.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1333,11 +1333,17 @@ bool Parcel::verifyBufferObject(const binder_buffer_object *buffer_obj,
             return false;
         }
         if (buffer_obj->parent_offset != parentOffset) {
-              ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+            ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
                   static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
             return false;
         }
 
+        // checked by kernel driver, but needed for fuzzer
+        if (parent >= mObjectsSize) {
+            ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+            return false;
+        }
+
         binder_buffer_object *parentBuffer =
             reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
         void* bufferInParent = *reinterpret_cast<void**>(
author	Steven Moreland <smoreland@google.com>	2022-03-08 01:58:53 +0000
committer	Steven Moreland <smoreland@google.com>	2022-03-08 01:58:53 +0000
commit	487bee35e0416f6aa7c79c5e1f1a184f92609d43 (patch)
tree	4f8c3b4273ab1018c2dbaee817a32383c40fccbf /Parcel.cpp
parent	2fcf57e9fd260db88c8abfa014eab775b86db76b (diff)
download	libhwbinder-487bee35e0416f6aa7c79c5e1f1a184f92609d43.tar.gz