author T.J. Mercier <tjmercier@google.com> 2023-12-11 18:50:46 +0000
committer T.J. Mercier <tjmercier@google.com> 2023-12-13 21:48:18 +0000
commit30b2cd8091e0600743e6d0442c7a94127887df82 (patch)
tree4479bc5dbb53b4770add2c5044ac1c387754e741
parent9bbbca96971cf7f351a4cc13e3f16f132d6d8493 (diff)
Throw exception for negative UIDs/GIDs
UIDs and GIDs are unsigned on linux. Badly behaved callers are occasionally passing negative integers for UIDs through JNI to uid_t which is unsigned. Prevent this by throwing a JNI exception. 12-08 23:15:34.542 1000 3354 3388 I ActivityManager: Force stopping com.android.cts.install.lib.testapp.A appid=10109 user=-1: deletePackageX 12-08 23:15:34.543 1000 3354 3388 E libprocessgroup: No such cgroup attribute: /sys/fs/cgroup/uid_4294877405/cgroup.freeze 12-08 23:15:34.543 1000 3354 3388 W libprocessgroup: Failed to apply Frozen process profile: No such file or directory Test: 12-11 18:43:23.145 3432 3466 I ActivityManager: Force stopping com.android.cts.install.lib.testapp.A appid=10109 user=-1: deletePackageX Test: 12-11 18:43:23.146 3432 3466 E ActivityManager: Unable to freeze cgroup uid: -89891: java.lang.IllegalArgumentException: uid is negative: -89891 Test: 12-11 18:43:23.147 3432 3466 E ActivityManager: Unable to unfreeze cgroup uid: -89891: java.lang.IllegalArgumentException: uid is negative: -89891 Bug: 316198981 Change-Id: I24cb1e65e502ef6e09226538efe6ed54c8db7cdd
-rw-r--r--core/jni/android_util_Process.cpp40
1 files changed, 37 insertions, 3 deletions
diff --git a/core/jni/android_util_Process.cpp b/core/jni/android_util_Process.cpp
index 91dfc6023e42..55100a5347fd 100644
--- a/core/jni/android_util_Process.cpp
+++ b/core/jni/android_util_Process.cpp
@@ -282,6 +282,11 @@ void android_os_Process_setProcessGroup(JNIEnv* env, jobject clazz, int pid, jin
void android_os_Process_setProcessFrozen(
JNIEnv *env, jobject clazz, jint pid, jint uid, jboolean freeze)
{
+ if (uid < 0) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "uid is negative: %d", uid);
+ return;
+ }
+
bool success = true;
if (freeze) {
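Review bot: The same negative-id guard is pasted into seven JNI entry points in this commit (here, createProcessGroup, setUid, setGid, killProcessGroup, sendSignalToProcessGroup and freezeCgroupUID), so the message text and the early-return convention can drift between copies. A small file-local helper that throws and reports whether it did would keep the check in one place. It would also be the natural home for a comment explaining that jint is signed while uid_t is unsigned, which is how the uid_4294877405 cgroup path in the commit message came about. The body of setProcessFrozen continues past the end of this hunk.

```cpp
// jint is signed but uid_t/gid_t are unsigned: a negative id from Java would wrap to a
// huge value (e.g. the uid_4294877405 cgroup path). Throws IllegalArgumentException and
// returns true when the id is negative; returns false otherwise.
static bool throwIfNegativeId(JNIEnv* env, const char* what, jint id) {
    if (id >= 0) {
        return false;
    }
    jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "%s is negative: %d", what, id);
    return true;
}

void android_os_Process_setProcessFrozen(
        JNIEnv *env, jobject clazz, jint pid, jint uid, jboolean freeze)
{
    if (throwIfNegativeId(env, "uid", uid)) {
        return;
    }
    // … unchanged: freeze / unfreeze handling …
```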
@@ -305,6 +310,11 @@ jint android_os_Process_getProcessGroup(JNIEnv* env, jobject clazz, jint pid)
}
jint android_os_Process_createProcessGroup(JNIEnv* env, jobject clazz, jint uid, jint pid) {
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
return createProcessGroup(uid, pid);
}
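Review bot: In createProcessGroup the guard returns the result of jniThrowExceptionFmt() as the function's own jint status. As far as I know that value is the helper's success indicator (0 when the exception was raised), and 0 is visibly the success value in setUid and setGid. The pending exception means Java never reads the return value, but the native code then reads as if the call succeeded, and any future native caller would see "success". Throwing and then returning an explicit error is clearer: `jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "uid is negative: %d", uid);` followed by `return -1;`. The same pattern appears in setUid, setGid, killProcessGroup and sendSignalToProcessGroup; for setUid and setGid, which otherwise return errno, `return EINVAL;` would match the existing convention.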
@@ -590,12 +600,21 @@ void android_os_Process_setArgV0(JNIEnv* env, jobject clazz, jstring name)
jint android_os_Process_setUid(JNIEnv* env, jobject clazz, jint uid)
{
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
return setuid(uid) == 0 ? 0 : errno;
}
-jint android_os_Process_setGid(JNIEnv* env, jobject clazz, jint uid)
-{
- return setgid(uid) == 0 ? 0 : errno;
+jint android_os_Process_setGid(JNIEnv* env, jobject clazz, jint gid) {
+ if (gid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "gid is negative: %d", gid);
+ }
+
+ return setgid(gid) == 0 ? 0 : errno;
}
static int pid_compare(const void* v1, const void* v2)
@@ -1235,11 +1254,21 @@ jintArray android_os_Process_getPidsForCommands(JNIEnv* env, jobject clazz,
jint android_os_Process_killProcessGroup(JNIEnv* env, jobject clazz, jint uid, jint pid)
{
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
return killProcessGroup(uid, pid, SIGKILL);
}
jint android_os_Process_sendSignalToProcessGroup(JNIEnv* env, jobject clazz, jint uid, jint pid,
jint signal) {
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
return sendSignalToProcessGroup(uid, pid, signal);
}
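Review bot: killProcessGroup and sendSignalToProcessGroup now reject a negative uid but still forward `pid` (and, in the second function, `signal`) from Java unchecked. How libprocessgroup treats a negative pid is not visible in this hunk, so this needs confirming. If it does not reject such values itself, the same kind of guard belongs here, e.g. `if (pid < 0) { jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "pid is negative: %d", pid); return -1; }`. Since these entry points terminate or signal whole process groups, a short comment stating the accepted range of each argument would help callers on the Java side.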
@@ -1258,6 +1287,11 @@ static jint android_os_Process_nativePidFdOpen(JNIEnv* env, jobject, jint pid, j
}
void android_os_Process_freezeCgroupUID(JNIEnv* env, jobject clazz, jint uid, jboolean freeze) {
+ if (uid < 0) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "uid is negative: %d", uid);
+ return;
+ }
+
bool success = true;
if (freeze) {