Merge cherrypicks of [4583929, 4582754, 4582755, 4582756, 4583930, 4583931, 4583932, 4586307, 4586953, 4582585, 4586964, 4586965, 4586984, 4586985, 4586986, 4586987, 4586966, 4582586, 4582885, 4586531, 4586532, 4586533, 4586535, 4586536, 4586537, 4586538, 4586539, 4586540, 4586541, 4586542, 4586890, 4586891, 4586892, 4586893, 4586894, 4586895, 4586896, 4586897, 4586898, 4586899, 4586900, 4586901, 4586902, 4586903, 4587104, 4587105, 4587106, 4586988, 4583933, 4583934, 4583935, 4586989, 4586990, 4587136, 4587138, 4586991, 4586308, 4586967, 4587069, 4587070, 4582886, 4582887, 4587164, 4582888, 4587027, 4587028, 4587029, 4587030, 4582587, 4582588, 4582589, 4582590, 4582591, 4582592, 4582593, 4582594, 4582595, 4582596, 4582597, 4582598, 4582599, 4582600, 4582601, 4582602, 4582603, 4587244, 4587245, 4587246, 4587247, 4587248, 4587249, 4587250, 4587251, 4587252, 4582760, 4583936, 4582761, 4586992, 4587229, 4587230, 4587231, 4587253, 4586968] into sparse-4732991-L37700000192334752

Change-Id: Ib4f2e14621543e30ac756a28e482f2068dbf4039
diff --git a/libhidlmemory/mapping.cpp b/libhidlmemory/mapping.cpp
index 3cb6485..8f0bcf4 100644
--- a/libhidlmemory/mapping.cpp
+++ b/libhidlmemory/mapping.cpp
@@ -24,6 +24,7 @@
 #include <android-base/logging.h>
 #include <android/hidl/memory/1.0/IMapper.h>
 #include <hidl/HidlSupport.h>
+#include <log/log.h>
 
 using android::sp;
 using android::hidl::memory::V1_0::IMemory;
@@ -63,6 +64,15 @@
         return nullptr;
     }
 
+    // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+    // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+    // but the mapped memory's actual size will be smaller than the reported size.
+    if (memory.size() > SIZE_MAX) {
+        LOG(ERROR) << "Cannot map " << memory.size() << " bytes of memory because it is too large.";
+        android_errorWriteLog(0x534e4554, "79376389");
+        return nullptr;
+    }
+
     Return<sp<IMemory>> ret = mapper->mapMemory(memory);
 
     if (!ret.isOk()) {
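Review bot: The constant `0x534e4554` passed to `android_errorWriteLog` in the added size check has no explanation at the call site, and the same is true of the matching check in transport/memory/1.0/default/AshmemMapper.cpp. The value is the ASCII bytes "SNET", the event-log tag used for security-relevant events, and the string argument appears to be the tracking bug id. A one-line comment such as `// 0x534e4554 = "SNET" security event-log tag; "79376389" is the bug id` would help whoever triages these log entries. Since `SIZE_MAX` equals the `uint64_t` maximum on 64-bit builds, the comment could also say that the branch can only be taken in 32-bit processes. The enclosing function starts and ends outside the hunk.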
diff --git a/transport/memory/1.0/default/Android.bp b/transport/memory/1.0/default/Android.bp
index a4f45cf..470d3b8 100644
--- a/transport/memory/1.0/default/Android.bp
+++ b/transport/memory/1.0/default/Android.bp
@@ -32,6 +32,7 @@
         "libhardware",
         "libhwbinder",
         "libbase",
+        "liblog",
         "libutils",
         "libhidlbase",
         "libhidltransport",
diff --git a/transport/memory/1.0/default/AshmemMapper.cpp b/transport/memory/1.0/default/AshmemMapper.cpp
index bef4767..cefaaa4 100644
--- a/transport/memory/1.0/default/AshmemMapper.cpp
+++ b/transport/memory/1.0/default/AshmemMapper.cpp
@@ -16,6 +16,9 @@
 
 #include "AshmemMapper.h"
 
+#include <inttypes.h>
+
+#include <log/log.h>
 #include <sys/mman.h>
 
 #include "AshmemMemory.h"
@@ -32,6 +35,16 @@
         return nullptr;
     }
 
+    // If ashmem service runs in 32-bit (size_t is uint32_t) and a 64-bit
+    // client process requests a memory > 2^32 bytes, the size would be
+    // converted to a 32-bit number in mmap. mmap could succeed but the
+    // mapped memory's actual size would be smaller than the reported size.
+    if (mem.size() > SIZE_MAX) {
+        ALOGE("Cannot map %" PRIu64 " bytes of memory because it is too large.", mem.size());
+        android_errorWriteLog(0x534e4554, "79376389");
+        return nullptr;
+    }
+
     int fd = mem.handle()->data[0];
     void* data = mmap(0, mem.size(), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
     if (data == MAP_FAILED) {
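Review bot: The added guard only rejects sizes that do not fit in `size_t`; the `mmap` call after it still takes the caller-reported `mem.size()` without comparing it to the actual size of the region behind `fd`. If the handle can come from a less-trusted process, a reported size larger than the backing region would leave the returned mapping's length overstated, so later bounds checks against that length would not match what is really backed. Consider validating before mapping, e.g. `int region = ashmem_get_size_region(fd);` followed by `if (region < 0 || mem.size() > static_cast<uint64_t>(region)) return nullptr;`, which would need `<cutils/ashmem.h>` and the libcutils dependency. The function body starts and ends outside the hunk, so a check elsewhere in it cannot be ruled out from here.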