[RESTRICT AUTOMERGE] Fix OOB write in noteAtomLogged

It's possible for bad atoms to have negative atom ids. This results in an OOB write when we note that the atom was logged. This adds a validation check on the logging. Also added safetynet logging for negative atoms Bug: 187957589 Test: POC in bug no longer led to the OOB write & crash Test: checked event log for safetynet logging Change-Id: I8a6b094c94309d7b02430fb860891ef814efb426
author: Tej Singh <singhtejinder@google.com> 2021-05-19 20:12:46 -0700
committer: Tej Singh <singhtejinder@google.com> 2021-05-20 15:55:27 -0700
commit: b13b741a94a3d1fc85277de22644c62778bd3adc (patch)
tree: b7cb36fe0b4c8fd3392f1de1244b1c219aeeb84b
parent: 12f7871029999a41dc68746cdaaff66983fceab8 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/cmds/statsd/src/guardrail/StatsdStats.cpp b/cmds/statsd/src/guardrail/StatsdStats.cpp
index a836bd14c012..936a8751fd1d 100644
--- a/cmds/statsd/src/guardrail/StatsdStats.cpp
+++ b/cmds/statsd/src/guardrail/StatsdStats.cpp
@@ -449,9 +449,12 @@ void StatsdStats::notePullExceedMaxDelay(int pullAtomId) {
 void StatsdStats::noteAtomLogged(int atomId, int32_t timeSec) {
     lock_guard<std::mutex> lock(mLock);
 
-    if (atomId <= android::util::kMaxPushedAtomId) {
+    if (atomId >= 0 && atomId <= android::util::kMaxPushedAtomId) {
         mPushedAtomStats[atomId]++;
     } else {
+        if (atomId < 0) {
+            android_errorWriteLog(0x534e4554, "187957589");
+        }
         if (mNonPlatformPushedAtomStats.size() < kMaxNonPlatformPushedAtoms) {
             mNonPlatformPushedAtomStats[atomId]++;
         }
author	Tej Singh <singhtejinder@google.com>	2021-05-19 20:12:46 -0700
committer	Tej Singh <singhtejinder@google.com>	2021-05-20 15:55:27 -0700
commit	b13b741a94a3d1fc85277de22644c62778bd3adc (patch)
tree	b7cb36fe0b4c8fd3392f1de1244b1c219aeeb84b
parent	12f7871029999a41dc68746cdaaff66983fceab8 (diff)