author Tej Singh <singhtejinder@google.com> 2021-05-19 20:12:46 -0700
committer Tej Singh <singhtejinder@google.com> 2021-05-20 22:42:01 +0000
commitcc0bba36c7c326e2fb75f1531547d2ed861d392c (patch)
tree0106137e5ba7980d1f6ec4ed60e82feb56a63a9b
parente159dbb07ff554c9dc4c593d8eb53a60b0006403 (diff)
[RESTRICT AUTOMERGE] Fix OOB write in noteAtomLogged
It's possible for bad atoms to have negative atom ids. This results in an OOB write when we note that the atom was logged. This adds a validation check on the logging. Also added safetynet logging for negative atoms.

Bug: 187957589
Test: POC in bug no longer led to the OOB write & crash
Test: checked event log for safetynet logging
Change-Id: I8a6b094c94309d7b02430fb860891ef814efb426
-rw-r--r--cmds/statsd/src/guardrail/StatsdStats.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/cmds/statsd/src/guardrail/StatsdStats.cpp b/cmds/statsd/src/guardrail/StatsdStats.cpp
index 6e89038f4152..14b967a11830 100644
--- a/cmds/statsd/src/guardrail/StatsdStats.cpp
+++ b/cmds/statsd/src/guardrail/StatsdStats.cpp
@@ -459,9 +459,12 @@ void StatsdStats::notePullExceedMaxDelay(int pullAtomId) {
void StatsdStats::noteAtomLogged(int atomId, int32_t timeSec) {
lock_guard<std::mutex> lock(mLock);
- if (atomId <= kMaxPushedAtomId) {
+ if (atomId >= 0 && atomId <= kMaxPushedAtomId) {
mPushedAtomStats[atomId]++;
} else {
+ if (atomId < 0) {
+ android_errorWriteLog(0x534e4554, "187957589");
+ }
if (mNonPlatformPushedAtomStats.size() < kMaxNonPlatformPushedAtoms) {
mNonPlatformPushedAtomStats[atomId]++;
}
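Review bot: A negative atomId still falls through to `mNonPlatformPushedAtomStats[atomId]++` after the safetynet log in the else branch, so a malformed atom is counted as if it were a non-platform atom and can occupy one of the kMaxNonPlatformPushedAtoms slots. That container is not declared in this hunk; it is used like a keyed map, in which case this is a stats-integrity and slot-exhaustion concern rather than a second out-of-bounds access, but that is worth confirming. Consider rejecting the id before either counter is touched, e.g. `if (atomId < 0) { android_errorWriteLog(0x534e4554, "187957589"); return; }` at the top of the function. A short comment on the new bounds check saying that atomId comes from untrusted log data and indexes mPushedAtomStats directly would also help the next reader. The body of noteAtomLogged continues past the end of the hunk.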