Age | Commit message (Collapse) | Author |
|
1beedfe9e1 am: 11c9b4f0c9
Original change: https://android-review.googlesource.com/c/platform/system/libhwbinder/+/2704655
Change-Id: I38715f002ba0e6575a3b827a5817dcfd425b414b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Bug: 294464949
Test: hidl_test
Test: libHidlBase_parcel_fuzzer with test case
Change-Id: I1f27c6d1d8a3fb189d510443c17f44aaff0488f2
|
|
Bug: 295394788
Test: make checkbuild
Change-Id: Ia40faa8c2a974c43bcecf66566b6ed756b955a1f
|
|
To avoid false crashes in fuzzer.
Fixes: 220396435
Test: binder_parcel_fuzzer w/ repro
Change-Id: I4fd2ab705d2525f2e3786011d90bc5c32de555b4
|
|
Original change: https://android-review.googlesource.com/c/platform/system/libhwbinder/+/1815086
Change-Id: Ia961878214b0f572ff197f23ce4d30bffaddee0e
|
|
|
|
missing bounds check
Fixes: 197919958
Test: hidl_test (while manually triggering ubsan)
Change-Id: I0234f56f0649b7bafec6f4e33509a93a3c739221
|
|
system/libhwbinder/Parcel.cpp am: bca47a6466
Original change: https://android-review.googlesource.com/c/platform/system/libhwbinder/+/1811296
Change-Id: Ia20f8047e70b0fdb1f609f1ed2e9661483311bfa
|
|
system/libhwbinder/Parcel.cpp
Like change 1806797, we also try to fix the same compiling problem in system/libhwbinder/Parcel.cpp when we enable LOG_REFS.
Change-Id: I74d0f6433791135945b4901108560a5c240e764e
Test: manual
|
|
Merged-In: I6fc38d4dae7e8ed1eab1510eb6775c42344d0ce5
Merged-In: I422190daf26845f8a9625dd798acb922b3673d68
Merged-In: I422190daf26845f8a9625dd798acb922b3673d68
Change-Id: I004a6beb4e89fe107be73ee4913e687dc44e5fa1
|
|
Below is a diagram showing what scatter gather would look like where we
have one reference to a buffer, and then we have a single embedded
buffer. For instance, 'a1' might be the hidl_vec object and 'a2' might
be the data pointer in this object. In practice, there might be
arbitrarily many levels (this happens when structures contain vectors
which contain structures etc...).
legend:
    "...." - random data we don't care about
    "|" - some position in the data
    "<a#>" - some constant address
offsets into Parcel's mData:
    .....|....<a1>....|.....|....<a2>....|.....
         ^     ^            ^     ^
         |     |            |     \- 'buffer' field of structure
         |     |            |
         |     |            |        (binder object structure)
         |     |            \- mObjects[child]
         |     |
         |     \- binder object structure 'buffer' field
         |
         \- mObjects[parent] (binder object structure)
kernel-owned ro buffer @ address a1 ('parent' buffer)
    .......<a3>....................
            ^
            \- parent buffer as address + parent offset
               (in the example, this would be the data field
               of hidl_vec. This should be a2).
kernel-owned ro buffer @ address a2 ('child' buffer)
    ............................
        (any random data)
What was happening here was that by maliciously constructing
mObjects[child] to be null, there would be no child object, so the
kernel wouldn't know to fixup the embedded buffer (<a3>) and it
would be unchanged.
Bug: 179289794
Test: repro w/ POC, and this fixes it
Test: hidl_test
Change-Id: Ia26e0fc902510b90ce5bbd55343fa6ded8e4fcf5
(cherry picked from commit 25614cbc380db86cc3842ac1886b55d92c913e4d)
(cherry picked from commit fcd86bd0d1b4cfea480a2682c354fb40039f0727)
|
|
Below is a diagram showing what scatter gather would look like where we
have one reference to a buffer, and then we have a single embedded
buffer. For instance, 'a1' might be the hidl_vec object and 'a2' might
be the data pointer in this object. In practice, there might be
arbitrarily many levels (this happens when structures contain vectors
which contain structures etc...).
legend:
    "...." - random data we don't care about
    "|" - some position in the data
    "<a#>" - some constant address
offsets into Parcel's mData:
    .....|....<a1>....|.....|....<a2>....|.....
         ^     ^            ^     ^
         |     |            |     \- 'buffer' field of structure
         |     |            |
         |     |            |        (binder object structure)
         |     |            \- mObjects[child]
         |     |
         |     \- binder object structure 'buffer' field
         |
         \- mObjects[parent] (binder object structure)
kernel-owned ro buffer @ address a1 ('parent' buffer)
    .......<a3>....................
            ^
            \- parent buffer as address + parent offset
               (in the example, this would be the data field
               of hidl_vec. This should be a2).
kernel-owned ro buffer @ address a2 ('child' buffer)
    ............................
        (any random data)
What was happening here was that by maliciously constructing
mObjects[child] to be null, there would be no child object, so the
kernel wouldn't know to fixup the embedded buffer (<a3>) and it
would be unchanged.
Bug: 179289794
Test: repro w/ POC, and this fixes it
Test: hidl_test
Change-Id: Ia26e0fc902510b90ce5bbd55343fa6ded8e4fcf5
|
|
If restartWrite is called with desired size of 0, mData will be
reallocated to size 0. This frees the memory and returns a null pointer.
When this happens we need to update the stored data pointer and
capacity otherwise we will crash with a double free when the object is
destructed.
Bug: 157066561
Bug: 183954797
Test: build POC included in bug. 'adb push binderMemSafety
/data/local/tmp && adb shell /data/local/tmp/binderMemSafety'. Reproduce
the crash without this change, then verify no crash with this change.
This is also being added to STS.
Ran 'atest -p' for binder tests.
Change-Id: I494e954204ee4a312739ae8600e2cf545ea452e3
(cherry picked from commit 4a1f294217e1c3869d54b4408f0f6aa175d77e0a)
|
|
This flag instructs the kernel to clear transactions from send/reply
buffers for certain transactions which may contain sensitive data, as a
security precaution.
Bug: 171501998
Test: hidl_test + verify by reading memory bits w/ updated kernel
Change-Id: I7dda8f8d24091f77bdaf99a7de446875356c601c
|
|
Bug: 166295507
Merged-In: I5005b312a0c93ff5838c8c4f8ba3e314f34c5b50
Change-Id: Id8036793f031c5093e701ca07fd645c355cd148d
|
|
Test: treehugger
Change-Id: I02b8ee7ca0b95d91b82e4e8749b926b99218d838
|
|
See https://source.android.com/setup/contribute/respectful-code for reference
BUG=161896447
Change-Id: I794af0bef966ec88d7ee6b5f5d66969571f04317
|
|
Original change: https://android-review.googlesource.com/c/platform/system/libhwbinder/+/1360926
Change-Id: I5005b312a0c93ff5838c8c4f8ba3e314f34c5b50
|
|
Avoid additional users.
Removing these completely is infeasible/not worth it for now for
libbinder, and it's important to keep libbinder/libhwbinder at least
somewhat close to each other. If saving this memory becomes important
here or if we remove this from libbinder, this ensures that no
additional work will be needed.
Bug: 148676615
Test: N/A
Change-Id: I8fd2c2c21bfc5ab47c362cdad93de9a432591a50
|
|
Change-Id: I12be279d82d7806fb80bfe7d4ed24a12e24c2c07
|
|
Change-Id: I3877732518851ec8e9a3ea13c75e04506d542a4a
|
|
This function simply aborts, with no indication of what it should do.
Bug: 149989072
Test: libhwbinder builds
(cherry picked from commit 80afc6f3f15825c06687db6f3bed044515a8c62e)
Change-Id: Ia82477023b872b3581a6fb56460156025f9689b9
|
|
431dc3f4fd
Change-Id: Ic6e0e595b18668074484e5d17ebf907a4b2a269f
|
|
These counters don't need to actually be coherent, so each can be its
own atomic. Avoid the lock, because every lock is a chance for
priority inversion.
Test: builds
Change-Id: I5e3b11a5e5ade7875fcafbb5dfa33e92c996b87c
|
|
For unsigned arithmetic, use:
(a + b < a) to detect whether a+b wraps
(a > c / b) to detect whether a*b > c
Bug: 120078455
Test: builds and boots
Change-Id: I738b90855b6b9a8effbf55a468c751b6d0b8edd9
(cherry picked from commit d79ac373483c36f893981c7319d37a5ebbd63b98)
|
|
For unsigned arithmetic, use:
(a + b < a) to detect whether a+b wraps
(a > c / b) to detect whether a*b > c
Bug: 120078455
Test: builds and boots
Change-Id: I738b90855b6b9a8effbf55a468c751b6d0b8edd9
|
|
fc21535dc2
Change-Id: I7f6c4109d36113cbda140619c148a46a09768d37
|
|
The new headers are coming from the android kernel, so the binder
header file contains everything necessary now.
The only reason to leave the binder_kernel.h file is because one
of the compilers doesn't understand __packed.
Test: Builds.
Change-Id: I73ae18d77c574a1077ca38bb87a90f455f4d54bf
|
|
am: ded905c822
Change-Id: Ia03016c48607f983b29c20027e0bdf4f7e794e99
|
|
unneeded
Bug: N/A
Test: N/A
Change-Id: I4b73bf5f0af3bb30baba2968fb53b9764811efaf
|
|
eaf38dab97
am: 5309071625
Change-Id: Ia1e32a76efc298a7df2abd3102097590301653f1
|
|
C++20 really wants members ordered unlike C99.
Bug: 139945549
Test: mm
Change-Id: Ide85e012621f53a8a1612a872782ea48e62a4065
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
|
|
Fixes: 141857065
Test: no longer segfaults w/ fuzzer repro
Change-Id: Ib7016cc3def89e7a13c00580949f52c5d9cc4f72
|
|
am: 0cb351f706
Change-Id: I5903be375e8a38b5f950da90a5eb66051e92d6fe
|
|
Bug: N/A
Test: build w/o -Wno-c++98-compat-extra-semi
Change-Id: Id6d7df00a22873917b7e480b71050d662fabb243
|
|
am: 5af06db289
Change-Id: I1278acf73af3135da6c47e441cc064a574a8c6d9
|
|
So that we have better error understanding.
Bug: 141290044
Test: TH
Change-Id: I2cd16fa80c91fd5c573fbc8202031abe7f075b4b
|
|
am: 4603362d56
Change-Id: Id0efa24762605b30dc5c2ebbec0b79b3fe9f34cb
|
|
The motivation of this is for quickly running unit tests of HAL
implementations on host. Before, you would have to abstract away
HIDL stuff, but now, you can just call a class that inherits from
HIDL stuff directly.
Currently, there is no binder or passthrough support on host though.
This is only for unit tests of C++ classes.
Bug: 124524556
Test: mma
Change-Id: I9cf22217f17ad75ad6f23a7bbc63db47e9b821e8
|
|
9c53e8a3d1
am: 675fd5f9f1
Change-Id: I822bf81f4e07b7296c42be64f9b14a1b1d2d27db
|
|
Bug: 124524556
Test: build only
Change-Id: I8e1001a5cc0ff2227e018a43a492e439056e5ceb
|
|
am: 73eadfbb2f
Change-Id: I45a4492f84cb1cbc1201228935b555ee38016cd2
|
|
am: ae7f1806da
Change-Id: Ie6406b1d462e347bf960df773cf099bde3764e32
|
|
Unused/not fully implemented.
Bug: N/A
Test: N/A
Change-Id: I48fb9121175c8bf4296e12482c69551a696aebe2
|
|
Bug: 136196576
Change-Id: I2ecaea1e2e59807dbf153c9ec0d2fccbec27fc88
|
|
am: 643a8b2d1a
Change-Id: I2992afd45379c58041534d7adfdc8f8e7072dc57
|
|
am: 7bd4ffaa7f
Change-Id: I4edfda7249fc44e53fd50649ecf566e79be37cef
|
|
Bug: N/A
Test: N/A
Change-Id: Ibd419acdede4fbda4c5caa95ec67e36f3f965c16
|
|
|
|
Fixes: 134168436
Test: atest CtsOsTestCases:ParcelTest#testObjectDoubleFree
Change-Id: I82e7e8c7b4206fb45b832a71d174df45edb62710
(cherry picked from commit 6af27a83256e676da6f9c02921ef9dfeffc8c52d)
|