Snap for 10103804 from 90f8ec85746d01057064e7c670e23c1cf66e73fe to mainline-tzdata5-release

Change-Id: I45efe79793420e5f0f38f329c188c38ea4c29282
diff --git a/OWNERS b/OWNERS
index cc4d814..8b7f0e5 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,5 @@
+# Bug component: 655781
+
 smoreland@google.com
 elsk@google.com
 malchev@google.com
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
index 0926c09..72d99d4 100644
--- a/fuzzer/Android.bp
+++ b/fuzzer/Android.bp
@@ -54,15 +54,4 @@
     },
 
     host_supported: true,
-
-    sanitize: {
-        scs: true,
-        cfi: true,
-        address: true,
-        memtag_heap: true,
-        // undefined behavior is expected
-        all_undefined: false,
-        // integer overflow is expected
-        integer_overflow: false,
-    },
 }
diff --git a/fuzzer/fmq_fuzzer.cpp b/fuzzer/fmq_fuzzer.cpp
index 246b79f..1c92814 100644
--- a/fuzzer/fmq_fuzzer.cpp
+++ b/fuzzer/fmq_fuzzer.cpp
@@ -123,7 +123,7 @@
         return;
     }
     FuzzedDataProvider fdp(&readerData[0], readerData.size());
-    payload_t* ring = nullptr;
+    payload_t* ring = reinterpret_cast<payload_t*>(readMq.getRingBufferPtr());
     while (fdp.remaining_bytes()) {
         typename Queue::MemTransaction tx;
         size_t numElements = fdp.ConsumeIntegralInRange<size_t>(0, kMaxNumElements);
@@ -136,9 +136,6 @@
         // the ring buffer is only next to the read/write counters when there is
         // no user supplied fd
         if (!userFd) {
-            if (ring == nullptr) {
-                ring = firstStart;
-            }
             if (fdp.ConsumeIntegral<uint8_t>() == 1) {
                 uint64_t* writeCounter =
                         getCounterPtr(ring, desc, android::hardware::details::WRITEPTRPOS);
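Review bot: Removing the `ring = firstStart` fallback takes away the only use of `firstStart` visible in this hunk; if its declaration above the hunk has no other reader, it is now an unused local and a `-Wunused-variable` error under `-Werror`. Either delete that declaration or, if it is still wanted for a later check, mark it `[[maybe_unused]] payload_t* firstStart = ...;`. The rest of `reader()` lies outside this hunk, so confirm against the full function.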
@@ -184,7 +181,7 @@
 
 template <typename Queue, typename Desc>
 void writer(const Desc& desc, Queue& writeMq, FuzzedDataProvider& fdp, bool userFd) {
-    payload_t* ring = nullptr;
+    payload_t* ring = reinterpret_cast<payload_t*>(writeMq.getRingBufferPtr());
     while (fdp.remaining_bytes()) {
         typename Queue::MemTransaction tx;
         size_t numElements = 1;
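Review bot: Same trust issue as in `reader()`: `ring` comes straight from `writeMq.getRingBufferPtr()`, which returns `mRing` unchecked, and under `!userFd` is later passed to `getCounterPtr()` to overwrite the read counter. `writer()` takes the queue by reference, so any validity check lives in the caller, outside this hunk. A one-line guard after the cast, `if (ring == nullptr) return;`, makes the fuzzer robust regardless of what the caller verified. `writer()` continues past this hunk.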
@@ -199,9 +196,6 @@
         // the ring buffer is only next to the read/write counters when there is
         // no user supplied fd
         if (!userFd) {
-            if (ring == nullptr) {
-                ring = firstStart;
-            }
             if (fdp.ConsumeIntegral<uint8_t>() == 1) {
                 uint64_t* readCounter =
                         getCounterPtr(ring, desc, android::hardware::details::READPTRPOS);
diff --git a/include/fmq/MessageQueueBase.h b/include/fmq/MessageQueueBase.h
index 5a56ec1..f99e335 100644
--- a/include/fmq/MessageQueueBase.h
+++ b/include/fmq/MessageQueueBase.h
@@ -421,6 +421,11 @@
      */
     bool commitRead(size_t nMessages);
 
+    /**
+     * Get the pointer to the ring buffer. Useful for debugging and fuzzing.
+     */
+    uint8_t* getRingBufferPtr() const { return mRing; }
+
   private:
     size_t availableToWriteBytes() const;
     size_t availableToReadBytes() const;
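Review bot: The new public accessor hands out a mutable raw pointer into the mapped ring from a const method with only a one-line comment; because this is a public header, callers will read it as a supported API, yet it bypasses every bounds and counter check the queue otherwise enforces. The comment should say so and state lifetime, e.g. `/** Raw pointer to the mapped ring buffer (nullptr if none is mapped). Exposed only for debugging and fuzzing: it bypasses the queue's bounds/counter checks and must not be used by production code. Owned by the queue; invalid once the queue is destroyed. */`. Whether `mRing` is in fact nullptr when mapping fails is decided outside this hunk — confirm before documenting it.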
@@ -1283,6 +1288,29 @@
         return nullptr;
     }
 
+    /*
+     * Expect some grantors to be at least a min size
+     */
+    for (uint32_t i = 0; i < grantors.size(); i++) {
+        switch (i) {
+            case hardware::details::READPTRPOS:
+                if (grantors[i].extent < sizeof(uint64_t)) return nullptr;
+                break;
+            case hardware::details::WRITEPTRPOS:
+                if (grantors[i].extent < sizeof(uint64_t)) return nullptr;
+                break;
+            case hardware::details::DATAPTRPOS:
+                // We don't expect specific data size
+                break;
+            case hardware::details::EVFLAGWORDPOS:
+                if (grantors[i].extent < sizeof(uint32_t)) return nullptr;
+                break;
+            default:
+                // We don't care about unknown grantors
+                break;
+        }
+    }
+
     int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
     if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
         hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
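Review bot: The new minimum-size checks compare `grantors[i].extent` against `sizeof(uint64_t)`/`sizeof(uint32_t)`, a `size_t`; if `extent` is a signed type (the existing `extent < 0` test at the bottom of this hunk suggests it can be), a negative extent is converted to a huge unsigned value and passes the `<` comparison, so the guard does not reject it and also trips `-Wsign-compare`. Reject negatives explicitly, e.g. for the counters `if (grantors[i].extent < 0 || static_cast<size_t>(grantors[i].extent) < sizeof(uint64_t)) return nullptr;` and the same form with `sizeof(uint32_t)` for EVFLAGWORDPOS. These early returns are also silent, unlike the existing `logError` path below them; a one-line `hardware::details::logError("Grantor (index " + std::to_string(i) + ") extent too small");` keeps rejections of malformed descriptors diagnosable. The enclosing function starts before this hunk.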