From 30b2cd8091e0600743e6d0442c7a94127887df82 Mon Sep 17 00:00:00 2001 From: "T.J. Mercier" Date: Mon, 11 Dec 2023 18:50:46 +0000 Subject: Throw exception for negative UIDs/GIDs UIDs and GIDs are unsigned on linux. Badly behaved callers are occasionally passing negative integers for UIDs through JNI to uid_t which is unsigned. Prevent this by throwing a JNI exception. 12-08 23:15:34.542 1000 3354 3388 I ActivityManager: Force stopping com.android.cts.install.lib.testapp.A appid=10109 user=-1: deletePackageX 12-08 23:15:34.543 1000 3354 3388 E libprocessgroup: No such cgroup attribute: /sys/fs/cgroup/uid_4294877405/cgroup.freeze 12-08 23:15:34.543 1000 3354 3388 W libprocessgroup: Failed to apply Frozen process profile: No such file or directory Test: 12-11 18:43:23.145 3432 3466 I ActivityManager: Force stopping com.android.cts.install.lib.testapp.A appid=10109 user=-1: deletePackageX Test: 12-11 18:43:23.146 3432 3466 E ActivityManager: Unable to freeze cgroup uid: -89891: java.lang.IllegalArgumentException: uid is negative: -89891 Test: 12-11 18:43:23.147 3432 3466 E ActivityManager: Unable to unfreeze cgroup uid: -89891: java.lang.IllegalArgumentException: uid is negative: -89891 Bug: 316198981 Change-Id: I24cb1e65e502ef6e09226538efe6ed54c8db7cdd
---
 core/jni/android_util_Process.cpp | 40 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/core/jni/android_util_Process.cpp b/core/jni/android_util_Process.cpp
index 91dfc6023e42..55100a5347fd 100644
--- a/core/jni/android_util_Process.cpp
+++ b/core/jni/android_util_Process.cpp
@@ -282,6 +282,11 @@ void android_os_Process_setProcessGroup(JNIEnv* env, jobject clazz, int pid, jin
 void android_os_Process_setProcessFrozen( JNIEnv *env, jobject clazz, jint pid, jint uid, jboolean freeze) {
+ if (uid < 0) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "uid is negative: %d", uid);
+ return;
+ }
+
 bool success = true;
 if (freeze) {
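Review bot: The negative-uid guard at the top of android_os_Process_setProcessFrozen is repeated almost verbatim in the six other functions this patch touches (createProcessGroup, setUid, setGid, killProcessGroup, sendSignalToProcessGroup, freezeCgroupUID), so the exception class and message text can drift between copies. A file-local helper that throws and reports whether it did would keep the check in one place, with each call site reduced to a single `if`. The function body continues past the end of this hunk, so whether pid needs a similar range check before it is used is not visible here.
```cpp
// Throws IllegalArgumentException and returns true when id is negative.
// uid_t/gid_t are unsigned, so a negative jint would otherwise be converted
// to a large, unrelated id.
static bool throwIfNegativeId(JNIEnv* env, const char* what, jint id) {
    if (id >= 0) {
        return false;
    }
    jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "%s is negative: %d", what, id);
    return true;
}

// in android_os_Process_setProcessFrozen, replacing the inline check:
    if (throwIfNegativeId(env, "uid", uid)) {
        return;
    }
    // … unchanged: freeze / unfreeze handling …
```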
@@ -305,6 +310,11 @@ jint android_os_Process_getProcessGroup(JNIEnv* env, jobject clazz, jint pid)
 }
 jint android_os_Process_createProcessGroup(JNIEnv* env, jobject clazz, jint uid, jint pid) {
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
 return createProcessGroup(uid, pid);
 }
@@ -590,12 +600,21 @@ void android_os_Process_setArgV0(JNIEnv* env, jobject clazz, jstring name)
 jint android_os_Process_setUid(JNIEnv* env, jobject clazz, jint uid) {
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
 return setuid(uid) == 0 ? 0 : errno;
 }
-jint android_os_Process_setGid(JNIEnv* env, jobject clazz, jint uid)
-{
- return setgid(uid) == 0 ? 0 : errno;
+jint android_os_Process_setGid(JNIEnv* env, jobject clazz, jint gid) {
+ if (gid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "gid is negative: %d", gid);
+ }
+
+ return setgid(gid) == 0 ? 0 : errno;
 }
 static int pid_compare(const void* v1, const void* v2)
@@ -1235,11 +1254,21 @@ jintArray android_os_Process_getPidsForCommands(JNIEnv* env, jobject clazz,
 jint android_os_Process_killProcessGroup(JNIEnv* env, jobject clazz, jint uid, jint pid) {
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
 return killProcessGroup(uid, pid, SIGKILL);
 }
 jint android_os_Process_sendSignalToProcessGroup(JNIEnv* env, jobject clazz, jint uid, jint pid, jint signal) {
+ if (uid < 0) {
+ return jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "uid is negative: %d", uid);
+ }
+
 return sendSignalToProcessGroup(uid, pid, signal);
 }
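Review bot: `return jniThrowExceptionFmt(...)` in android_os_Process_createProcessGroup hands the throw helper's own status back as the function's result, and the same pattern is used in setUid, setGid, killProcessGroup and sendSignalToProcessGroup in the following hunks. The helper returns 0 when the exception was raised, which in setUid/setGid is also the value that means success (`setuid(uid) == 0 ? 0 : errno`). The Java caller should not observe the value while the exception is pending, but the line reads as if an error code were being propagated. Throwing on one line and then returning an explicit failure value is clearer: `jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "uid is negative: %d", uid);` followed by `return -1;` (or `return EINVAL;` in setUid/setGid).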
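Review bot: The new guards in android_os_Process_setUid and android_os_Process_setGid have no comment saying why a negative value is rejected instead of being left for the kernel to refuse. These two are the identity-changing calls, so the reason is worth stating at the check: `// uid_t/gid_t are unsigned: a negative jint would be converted to a large, unrelated id before reaching setuid()/setgid().` Callers that used to get a return code for such a value now get an IllegalArgumentException; if the Java-side declarations document the return contract, they presumably need the same update, which is outside this file section.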
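Review bot: In android_os_Process_killProcessGroup and android_os_Process_sendSignalToProcessGroup only uid is range-checked; pid, and in the second function signal, still go to the callee exactly as received from Java. The bodies of killProcessGroup() and sendSignalToProcessGroup() are not visible here, so this is a question rather than a confirmed defect: if a negative pid has no defined meaning for them, the same guard fits next to the uid check, e.g. `if (pid < 0) { jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "pid is negative: %d", pid); return -1; }`. A short comment stating which ranges the callee accepts for pid and signal would settle it either way.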
@@ -1258,6 +1287,11 @@ static jint android_os_Process_nativePidFdOpen(JNIEnv* env, jobject, jint pid, j
 }
 void android_os_Process_freezeCgroupUID(JNIEnv* env, jobject clazz, jint uid, jboolean freeze) {
+ if (uid < 0) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException", "uid is negative: %d", uid);
+ return;
+ }
+
 bool success = true;
 if (freeze) {
-- cgit v1.2.3-59-g8ed1b