path: root/libs/gui/ConsumerBase.cpp
author Frederick Mayle <fmayle@google.com> 2024-10-14 17:12:30 -0700
committer Frederick Mayle <fmayle@google.com> 2024-10-21 21:31:41 +0000
commit 8010cbb3c706c9448c2820ca97e238b67c6b31d6 (patch)
tree ee9afe380ee888e2fff9e38c98701df60e1d6e21 /libs/gui/ConsumerBase.cpp
parent 001bb2fb5c9e995c585e1a9f2dea1c560278562f (diff)
binder: fix FD handling in continueWrite

Only close FDs within the truncated part of the parcel.

This change also fixes a bug where a parcel truncated into the middle of an object would not properly free that object. That could have resulted in an OOB access in `Parcel::truncateRpcObjects`, so more bounds checking is added.

The new tests show how to reproduce the bug by appending to or partially truncating Parcels owned by the kernel. Two cases are disabled because of a bug in the Parcel fdsan code (b/370824489).

Cherry-pick notes: Add truncateFileDescriptors method instead of modifying closeFileDescriptors to avoid API change errors. Large diffs in this branch because it didn't have the disruptive RPC FD support, main diff is that the closeFileDescriptors call is moved out of the mOwner implementation. Tweaked the test to support older C++ and android-base libs.

Flag: EXEMPT bugfix
Ignore-AOSP-First: security fix
Bug: 239222407, 359179312
Test: atest binderLibTest
Merged-In: Iadf7e2e98e3eb97c56ec2fed2b49d1e6492af9a3
Change-Id: Iadf7e2e98e3eb97c56ec2fed2b49d1e6492af9a3

Diffstat (limited to 'libs/gui/ConsumerBase.cpp')
0 files changed, 0 insertions, 0 deletions