From 2aec032c0826ad68cd94c100173b99167bfcb10d Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Wed, 2 Oct 2024 00:37:59 +0000
Subject: libbinder: Parcel: validate read data before write

This is slow, but it's required to prevent memory corruption.

Ignore-AOSP-First: security
Bug: 370840874
Test: fuzzer
Merged-In: Ibc5566ade0389221690dc90324f93394cf7fc9a5
Change-Id: Ibc5566ade0389221690dc90324f93394cf7fc9a5
(cherry picked from commit c54dad65317f851ce9d016bd90ec6a7a04da09fc)
---
 libs/binder/Parcel.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 617708f3d4..0670307e48 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -796,6 +796,10 @@ restart_write:
     //printf("Writing %ld bytes, padded to %ld\n", len, padded);
     uint8_t* const data = mData+mDataPos;
 
+    if (status_t status = validateReadData(mDataPos + padded); status != OK) {
+        return nullptr; // drops status
+    }
+
     // Need to pad at end?
     if (padded != len) {
 #if BYTE_ORDER == BIG_ENDIAN
@@ -1313,6 +1317,10 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
     const bool enoughObjects = mObjectsSize < mObjectsCapacity;
     if (enoughData && enoughObjects) {
 restart_write:
+        if (status_t status = validateReadData(mDataPos + sizeof(val)); status != OK) {
+            return status;
+        }
+
         *reinterpret_cast(mData+mDataPos) = val;
 
         // remember if it's a file descriptor
@@ -1505,6 +1513,10 @@ status_t Parcel::writeAligned(T val) {
 
     if ((mDataPos+sizeof(val)) <= mDataCapacity) {
 restart_write:
+        if (status_t status = validateReadData(mDataPos + sizeof(val)); status != OK) {
+            return status;
+        }
+
         *reinterpret_cast(mData+mDataPos) = val;
         return finishWrite(sizeof(val));
     }
-- 
cgit v1.2.3-59-g8ed1b
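Review bot: In the first hunk (`writeInplace`, whose body begins and ends outside the hunk) the new guard returns `nullptr` and, as its own comment says, drops the status, so a caller cannot tell a rejected overlapping write from an allocation failure, and the two sibling hunks return the status instead, so error signalling now differs between the three write paths. If the Parcel keeps a sticky error that `errorCheck()` reports, recording the validation failure there before `return nullptr;` would let callers see the refusal without changing the `void*` interface; if it does not, the `// drops status` comment should at least say why that is acceptable (e.g. that the caller only needs to know the write did not happen). Any other raw write path that bypasses `writeInplace` and has its own `restart_write` label (the unpadded write, if it still exists in this file) would need the same guard, since the fuzzer-found corruption is about the bytes being overwritten, not about which API wrote them.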
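Review bot: The guard in `writeObject` (and identically in `writeAligned` in the next hunk, and the `writeInplace` hunk before it) calls a function named for the read path with no comment explaining what it is protecting on a write, and `validateReadData` itself is outside the diff, so a maintainer has to reconstruct the reason from the bug id. A one-line comment above each call would carry that intent, for example `// Refuse to overwrite bytes that an entry in mObjects still covers; the object table would otherwise describe corrupted data.` (the exact property checked should be confirmed against validateReadData). The `*reinterpret_cast(mData+mDataPos) = val;` context lines here and in the next hunk have lost their template argument in this rendering; presumably that is a display artifact, not a change in the file.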
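Review bot: `writeAligned` is the path behind every fixed-size primitive write, so the new call at the top of its `restart_write` branch runs the object scan on every such write, which is what the description's "This is slow" admits; the same cost lands in the other two hunks. If it holds that `mObjects` never records an offset at or beyond `mDataSize`, the common append case could skip the scan cheaply with `if (mDataPos != mDataSize) { /* validateReadData guard */ }`, leaving the full check only for writes into already-written data; that invariant needs confirming against setDataSize/continueWrite before relying on it. The guard also sits after the capacity check but before the write, which is the right place; the function's opening static_assert and the growData fallback are outside the hunk.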