author | Brian Duddie <bduddie@google.com> | 2018-02-15 15:02:29 -0800 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-03-22 20:42:34 +0000 |
commit | 90bddcf0525eca7e70b558a6caf33aca3a4dec96 (patch) | |
tree | a91d02be5bfee3b50e8286b5626df83b69bb9255 | |
parent | e551aa4127312e2bf9980499c0ea65c2ac36b6bf (diff) | |
Add bounds check to sensors direct channel creation
Avoids attempting to read a 0-size array during input validation. Adds
SafetyNet logging when this is triggered.
Also, change the cast for the ashmem size check from int to int64_t to
avoid potential conversion to negative number on 32-bit systems.
Bug: 70986337
Test: run POC, confirm via logs that function bails early
Change-Id: I674285738983f18de3466f9e818d83dabe269b7d
(cherry picked from commit 0eb4624b33aeb375ae431a6b1e2b787c959968fe)
-rw-r--r-- | services/sensorservice/SensorService.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp index dc491d97c0..e5b6dcf750 100644 --- a/services/sensorservice/SensorService.cpp +++ b/services/sensorservice/SensorService.cpp @@ -21,6 +21,7 @@ #include <cutils/properties.h> #include <hardware/sensors.h> #include <hardware_legacy/power.h> +#include <log/log.h> #include <openssl/digest.h> #include <openssl/hmac.h> #include <openssl/rand.h> @@ -993,10 +994,15 @@ sp<ISensorEventConnection> SensorService::createSensorDirectConnection( // check specific to memory type switch(type) { case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem + if (resource->numFds < 1) { + ALOGE("Ashmem direct channel requires a memory region to be supplied"); + android_errorWriteLog(0x534e4554, "70986337"); // SafetyNet + return nullptr; + } int fd = resource->data[0]; int size2 = ashmem_get_size_region(fd); // check size consistency - if (size2 < static_cast<int>(size)) { + if (size2 < static_cast<int64_t>(size)) { ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d", size, size2); return nullptr; |
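Review bot: in the SENSOR_DIRECT_MEM_TYPE_ASHMEM case of the second hunk, the result of `ashmem_get_size_region(fd)` is still not checked for failure before the size comparison. A negative `size2` does fall into `size2 < static_cast<int64_t>(size)` and returns nullptr, but the ALOGE then reports the channel size as "greater than shared memory size" with a negative number, which hides the fact that the supplied fd was not a usable ashmem region. Suggest an explicit `if (size2 < 0)` branch with its own error message ahead of the consistency check. A one-line comment on the `int64_t` cast, saying it keeps a `size` above INT_MAX from converting to a negative value, would also stop a later cleanup from narrowing it back to `int`.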