Merge cherrypicks of [5027797, 5027798, 5029209, 5030032, 5023135, 5028893, 5028915, 5028916, 5028917, 5028948, 5028949, 5028950, 5030131, 5030132, 5030133, 5030134, 5030135, 5028894, 5028918, 5030033, 5023136, 5030136, 5029210, 5030171, 5030172, 5030173, 5030174, 5030175, 5030176, 5030177, 5030178, 5030179, 5030180, 5029076, 5029077, 5029078, 5029079, 5029080, 5029081, 5029082, 5029083, 5029084, 5029085, 5029086, 5029087, 5029088, 5029089, 5029090, 5030211, 5030212, 5030213, 5030214, 5030215, 5030216, 5030217, 5020440, 5020441, 5020442, 5030137, 5030034, 5020443, 5030138, 5029124, 5027799, 5029125, 5029126, 5029127, 5023137, 5030139, 5030140, 5029132, 5030141, 5030142, 5030143, 5030181, 5030182, 5030183, 5030184, 5030185, 5030186, 5030187, 5030188, 5030189, 5030190, 5030231, 5030232, 5030233, 5030234, 5030235, 5030236, 5030237, 5030238, 5030239, 5030240, 5030241, 5030242, 5030243, 5030244, 5030245, 5030246, 5030247, 5030248, 5030249, 5030250, 5030271, 5030272, 5030273, 5030274, 5030275, 5030276, 5030277, 5030278, 5030279, 5030280, 5030281, 5020444, 5027800, 5030144] into nyc-bugfix-release
Change-Id: Ic96326f490e12a9af733da73a09a96f2459d1696
diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 2490b82..6ea8453 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h
@@ -375,6 +375,7 @@
void freeDataNoInit();
void initState();
void scanForFds() const;
+ status_t validateReadData(size_t len) const;
template<class T>
status_t readAligned(T *pArg) const;
@@ -421,6 +422,7 @@
size_t mObjectsSize;
size_t mObjectsCapacity;
mutable size_t mNextObjectHint;
+ mutable bool mObjectsSorted;
mutable bool mFdsKnown;
mutable bool mHasFds;
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 19ce3eb..e5a34c2 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -459,6 +459,7 @@
mDataPos = pos;
mNextObjectHint = 0;
+ mObjectsSorted = false;
}
status_t Parcel::setDataCapacity(size_t size)
@@ -1284,7 +1285,7 @@
if (err) return err;
// payload
- void* const buf = this->writeInplace(pad_size(len));
+ void* const buf = this->writeInplace(len);
if (buf == NULL)
return BAD_VALUE;
@@ -1363,6 +1364,59 @@
LOG_ALWAYS_FATAL("Parcel::remove() not yet implemented!");
}
+status_t Parcel::validateReadData(size_t upperBound) const
+{
+ // Don't allow non-object reads on object data
+ if (mObjectsSorted || mObjectsSize <= 1) {
+data_sorted:
+ // Expect to check only against the next object
+ if (mNextObjectHint < mObjectsSize && upperBound > mObjects[mNextObjectHint]) {
+ // For some reason the current read position is greater than the next object
+ // hint. Iterate until we find the right object
+ size_t nextObject = mNextObjectHint;
+ do {
+ if (mDataPos < mObjects[nextObject] + sizeof(flat_binder_object)) {
+ // Requested info overlaps with an object
+ ALOGE("Attempt to read from protected data in Parcel %p", this);
+ return PERMISSION_DENIED;
+ }
+ nextObject++;
+ } while (nextObject < mObjectsSize && upperBound > mObjects[nextObject]);
+ mNextObjectHint = nextObject;
+ }
+ return NO_ERROR;
+ }
+ // Quickly determine if mObjects is sorted.
+ binder_size_t* currObj = mObjects + mObjectsSize - 1;
+ binder_size_t* prevObj = currObj;
+ while (currObj > mObjects) {
+ prevObj--;
+ if(*prevObj > *currObj) {
+ goto data_unsorted;
+ }
+ currObj--;
+ }
+ mObjectsSorted = true;
+ goto data_sorted;
+
+data_unsorted:
+ // Insertion Sort mObjects
+ // Great for mostly sorted lists. If randomly sorted or reverse ordered mObjects become common,
+ // switch to std::sort(mObjects, mObjects + mObjectsSize);
+ for (binder_size_t* iter0 = mObjects + 1; iter0 < mObjects + mObjectsSize; iter0++) {
+ binder_size_t temp = *iter0;
+ binder_size_t* iter1 = iter0 - 1;
+ while (iter1 >= mObjects && *iter1 > temp) {
+ *(iter1 + 1) = *iter1;
+ iter1--;
+ }
+ *(iter1 + 1) = temp;
+ }
+ mNextObjectHint = 0;
+ mObjectsSorted = true;
+ goto data_sorted;
+}
+
status_t Parcel::read(void* outData, size_t len) const
{
if (len > INT32_MAX) {
@@ -1373,6 +1427,15 @@
if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize
&& len <= pad_size(len)) {
+ if (mObjectsSize > 0) {
+ status_t err = validateReadData(mDataPos + pad_size(len));
+ if(err != NO_ERROR) {
+ // Still increment the data position by the expected length
+ mDataPos += pad_size(len);
+ ALOGV("read Setting data pos of %p to %zu", this, mDataPos);
+ return err;
+ }
+ }
memcpy(outData, mData+mDataPos, len);
mDataPos += pad_size(len);
ALOGV("read Setting data pos of %p to %zu", this, mDataPos);
@@ -1391,6 +1454,16 @@
if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize
&& len <= pad_size(len)) {
+ if (mObjectsSize > 0) {
+ status_t err = validateReadData(mDataPos + pad_size(len));
+ if(err != NO_ERROR) {
+ // Still increment the data position by the expected length
+ mDataPos += pad_size(len);
+ ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos);
+ return NULL;
+ }
+ }
+
const void* data = mData+mDataPos;
mDataPos += pad_size(len);
ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos);
@@ -1404,6 +1477,15 @@
COMPILE_TIME_ASSERT_FUNCTION_SCOPE(PAD_SIZE_UNSAFE(sizeof(T)) == sizeof(T));
if ((mDataPos+sizeof(T)) <= mDataSize) {
+ if (mObjectsSize > 0) {
+ status_t err = validateReadData(mDataPos + sizeof(T));
+ if(err != NO_ERROR) {
+ // Still increment the data position by the expected length
+ mDataPos += sizeof(T);
+ return err;
+ }
+ }
+
const void* data = mData+mDataPos;
mDataPos += sizeof(T);
*pArg = *reinterpret_cast<const T*>(data);
@@ -2206,6 +2288,7 @@
mObjects = const_cast<binder_size_t*>(objects);
mObjectsSize = mObjectsCapacity = objectsCount;
mNextObjectHint = 0;
+ mObjectsSorted = false;
mOwner = relFunc;
mOwnerCookie = relCookie;
for (size_t i = 0; i < mObjectsSize; i++) {
@@ -2364,6 +2447,7 @@
mObjects = NULL;
mObjectsSize = mObjectsCapacity = 0;
mNextObjectHint = 0;
+ mObjectsSorted = false;
mHasFds = false;
mFdsKnown = true;
mAllowFds = true;
@@ -2450,6 +2534,7 @@
mDataCapacity = desired;
mObjectsSize = mObjectsCapacity = objectsSize;
mNextObjectHint = 0;
+ mObjectsSorted = false;
} else if (mData) {
if (objectsSize < mObjectsSize) {
@@ -2471,6 +2556,7 @@
}
mObjectsSize = objectsSize;
mNextObjectHint = 0;
+ mObjectsSorted = false;
}
// We own the data, so we can just do a realloc().
@@ -2543,6 +2629,7 @@
mObjectsSize = 0;
mObjectsCapacity = 0;
mNextObjectHint = 0;
+ mObjectsSorted = false;
mHasFds = false;
mFdsKnown = true;
mAllowFds = true;
