Merge cherrypicks of [4691111, 4689862, 4690575, 4690576, 4690577, 4690578, 4689866, 4689868, 4689869, 4689870, 4691132, 4689456, 4689963, 4691133, 4691134, 4691156, 4691157, 4691159, 4691161, 4690581, 4689964, 4689460, 4691112, 4690582, 4690583, 4691165, 4691166, 4691167, 4691168, 4691169, 4691170, 4691211, 4691212, 4691213, 4691214, 4691215, 4691216, 4691217, 4691218, 4691219, 4691232, 4691233, 4691234, 4691235, 4691236, 4691237, 4691238, 4691239, 4691240, 4691241, 4691243, 4691245, 4691247, 4691249, 4691250, 4691291, 4691292, 4691293, 4691294, 4691295, 4691296, 4691255, 4689476, 4689477, 4689478, 4691223, 4691224, 4691136, 4689479, 4689480, 4691137, 4691225, 4691226, 4691227, 4691371, 4691228, 4691328, 4689967, 4691138, 4691139, 4691140, 4691433, 4689968, 4689969, 4691395, 4691230, 4691297, 4691298, 4691299, 4691300, 4691396, 4691397, 4691398, 4691399, 4691400, 4691401, 4691402, 4691403, 4691404, 4691405, 4691406, 4691407, 4691408, 4691409, 4691410, 4691471, 4691472, 4691473, 4691474, 4691475, 4691476, 4691477, 4691478, 4691479, 4691480, 4691481, 4691482, 4691483, 4691484, 4691485, 4691486, 4691487, 4691488, 4691143, 4691144, 4691511, 4691113, 4689482, 4691533, 4691145, 4691146, 4691147, 4691148, 4691536] into sparse-4732991-L01200000196794104

Change-Id: I55b92a88dbd487e6e73d3fc11cdc000179881259
diff --git a/libhidlmemory/mapping.cpp b/libhidlmemory/mapping.cpp
index 3cb6485..8f0bcf4 100644
--- a/libhidlmemory/mapping.cpp
+++ b/libhidlmemory/mapping.cpp
@@ -24,6 +24,7 @@
 #include <android-base/logging.h>
 #include <android/hidl/memory/1.0/IMapper.h>
 #include <hidl/HidlSupport.h>
+#include <log/log.h>
 
 using android::sp;
 using android::hidl::memory::V1_0::IMemory;
@@ -63,6 +64,15 @@
         return nullptr;
     }
 
+    // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+    // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+    // but the mapped memory's actual size will be smaller than the reported size.
+    if (memory.size() > SIZE_MAX) {
+        LOG(ERROR) << "Cannot map " << memory.size() << " bytes of memory because it is too large.";
+        android_errorWriteLog(0x534e4554, "79376389");
+        return nullptr;
+    }
+
     Return<sp<IMemory>> ret = mapper->mapMemory(memory);
 
     if (!ret.isOk()) {
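Review bot: The literal `0x534e4554` passed to `android_errorWriteLog` in the added guard is unexplained, and the same literal and `"79376389"` string are repeated in the guards this commit adds to transport/HidlBinderSupport.cpp and transport/memory/1.0/default/AshmemMapper.cpp. The value spells "SNET" in ASCII, so a comment such as `// 0x534e4554 == "SNET" (SafetyNet event-log tag); "79376389" is presumably the tracking bug id` would tell a later reader what the call records and why it should not be removed as noise. The comment could also state that `memory.size() > SIZE_MAX` can only be true where size_t is narrower than 64 bits, so the branch is intentionally dead on 64-bit builds. The enclosing function starts and ends outside this hunk.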
diff --git a/transport/HidlBinderSupport.cpp b/transport/HidlBinderSupport.cpp
index fe1ccbc..31e3be8 100644
--- a/transport/HidlBinderSupport.cpp
+++ b/transport/HidlBinderSupport.cpp
@@ -19,6 +19,7 @@
 #include <hidl/HidlBinderSupport.h>
 
 // C includes
+#include <inttypes.h>
 #include <unistd.h>
 
 // C++ includes
@@ -66,6 +67,15 @@
                 parentOffset + hidl_memory::kOffsetOfName);
     }
 
+    // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+    // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+    // but the mapped memory's actual size will be smaller than the reported size.
+    if (memory.size() > SIZE_MAX) {
+        ALOGE("Cannot use memory with %" PRId64 " bytes because it is too large.", memory.size());
+        android_errorWriteLog(0x534e4554, "79376389");
+        return BAD_VALUE;
+    }
+
     return _hidl_err;
 }
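Review bot: The `ALOGE` call in the added guard formats `memory.size()` with `PRId64`, but the comment just above it says the size is a uint64_t, and the matching guard in AshmemMapper.cpp uses `PRIu64`. A size above INT64_MAX would be logged as a negative number, which is misleading in exactly the case this message exists to report; the line should read `ALOGE("Cannot use memory with %" PRIu64 " bytes because it is too large.", memory.size());`. The guard also sits after the embed steps and returns `BAD_VALUE` unconditionally, so it appears to replace any earlier failure held in `_hidl_err`; checking `_hidl_err` first would preserve the original error. The hunk adds only `<inttypes.h>`, so `android_errorWriteLog` relies on `<log/log.h>` already being included somewhere outside the visible lines. The function begins outside this hunk.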
 
diff --git a/transport/memory/1.0/default/Android.bp b/transport/memory/1.0/default/Android.bp
index a4f45cf..470d3b8 100644
--- a/transport/memory/1.0/default/Android.bp
+++ b/transport/memory/1.0/default/Android.bp
@@ -32,6 +32,7 @@
         "libhardware",
         "libhwbinder",
         "libbase",
+        "liblog",
         "libutils",
         "libhidlbase",
         "libhidltransport",
diff --git a/transport/memory/1.0/default/AshmemMapper.cpp b/transport/memory/1.0/default/AshmemMapper.cpp
index bef4767..cefaaa4 100644
--- a/transport/memory/1.0/default/AshmemMapper.cpp
+++ b/transport/memory/1.0/default/AshmemMapper.cpp
@@ -16,6 +16,9 @@
 
 #include "AshmemMapper.h"
 
+#include <inttypes.h>
+
+#include <log/log.h>
 #include <sys/mman.h>
 
 #include "AshmemMemory.h"
@@ -32,6 +35,16 @@
         return nullptr;
     }
 
+    // If ashmem service runs in 32-bit (size_t is uint32_t) and a 64-bit
+    // client process requests a memory > 2^32 bytes, the size would be
+    // converted to a 32-bit number in mmap. mmap could succeed but the
+    // mapped memory's actual size would be smaller than the reported size.
+    if (mem.size() > SIZE_MAX) {
+        ALOGE("Cannot map %" PRIu64 " bytes of memory because it is too large.", mem.size());
+        android_errorWriteLog(0x534e4554, "79376389");
+        return nullptr;
+    }
+
     int fd = mem.handle()->data[0];
     void* data = mmap(0, mem.size(), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
     if (data == MAP_FAILED) {
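Review bot: The added guard only ensures `mem.size()` fits in size_t; the length passed to `mmap` on the following lines is still the size reported in the incoming hidl_memory and is never compared with the real size of the region behind `fd`. Whether the kernel rejects an over-long mapping is not visible here, so the service would be safer verifying it itself before mapping, for example `int region = ashmem_get_size_region(fd);` followed by `if (region < 0 || mem.size() > static_cast<uint64_t>(region)) return nullptr;`. That would need `<cutils/ashmem.h>` and a libcutils entry in Android.bp, neither of which this commit adds. The function body continues past the end of this hunk.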