diff options
author | Tej Singh <singhtejinder@google.com> | 2021-05-19 20:12:46 -0700 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-06-16 01:11:15 +0000 |
commit | fbe5177bd5d704dabf434458649fd93a07d8d654 (patch) | |
tree | 80f060e6aceba982c4ef9695859a287b826e4ebe | |
parent | bb2279de3ca08408433dc82496b60ecf4e2b9520 (diff) | |
download | base-fbe5177bd5d704dabf434458649fd93a07d8d654.tar.gz |
[RESTRICT AUTOMERGE] Fix OOB write in noteAtomLogged
It's possible for bad atoms to have negative atom ids. This results in
an OOB write when we note that the atom was logged. This adds a
validation check on the logging.
Also added safetynet logging for negative atoms
Bug: 187957589
Test: POC in bug no longer led to the OOB write & crash
Test: checked event log for safetynet logging
Change-Id: I8a6b094c94309d7b02430fb860891ef814efb426
(cherry picked from commit cc0bba36c7c326e2fb75f1531547d2ed861d392c)
-rw-r--r-- | cmds/statsd/src/guardrail/StatsdStats.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/cmds/statsd/src/guardrail/StatsdStats.cpp b/cmds/statsd/src/guardrail/StatsdStats.cpp index 6e89038f4152..14b967a11830 100644 --- a/cmds/statsd/src/guardrail/StatsdStats.cpp +++ b/cmds/statsd/src/guardrail/StatsdStats.cpp @@ -459,9 +459,12 @@ void StatsdStats::notePullExceedMaxDelay(int pullAtomId) { void StatsdStats::noteAtomLogged(int atomId, int32_t timeSec) { lock_guard<std::mutex> lock(mLock); - if (atomId <= kMaxPushedAtomId) { + if (atomId >= 0 && atomId <= kMaxPushedAtomId) { mPushedAtomStats[atomId]++; } else { + if (atomId < 0) { + android_errorWriteLog(0x534e4554, "187957589"); + } if (mNonPlatformPushedAtomStats.size() < kMaxNonPlatformPushedAtoms) { mNonPlatformPushedAtomStats[atomId]++; } |