From 0eb4624b33aeb375ae431a6b1e2b787c959968fe Mon Sep 17 00:00:00 2001
From: Brian Duddie
Date: Thu, 15 Feb 2018 15:02:29 -0800
Subject: Add bounds check to sensors direct channel creation

Avoids attempting to read a 0-size array during input validation. Adds SafetyNet logging when this is triggered. Also, change the cast for the ashmem size check from int to int64_t to avoid potential conversion to negative number on 32-bit systems.
Bug: 70986337
Test: run POC, confirm via logs that function bails early
Change-Id: I674285738983f18de3466f9e818d83dabe269b7d
---
 services/sensorservice/SensorService.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index d60768c98d..11d1c2a3a9 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -21,6 +21,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -986,10 +987,15 @@ sp SensorService::createSensorDirectConnection(
     // check specific to memory type
     switch(type) {
     case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem
+        if (resource->numFds < 1) {
+            ALOGE("Ashmem direct channel requires a memory region to be supplied");
+            android_errorWriteLog(0x534e4554, "70986337"); // SafetyNet
+            return nullptr;
+        }
         int fd = resource->data[0];
         int size2 = ashmem_get_size_region(fd);
         // check size consistency
-        if (size2 < static_cast(size)) {
+        if (size2 < static_cast(size)) {
             ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d",
                     size, size2);
             return nullptr;
--
cgit v1.2.3-59-g8ed1b
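Review bot: The new `numFds < 1` guard is placed inside the `SENSOR_DIRECT_MEM_TYPE_ASHMEM` case only, so any other `switch(type)` branch of createSensorDirectConnection that indexes `resource->data[]` (the rest of the switch, and the function's beginning and end, lie outside this hunk) would still read past a zero-length array; if such a branch exists, hoisting the check above the switch, or repeating it there, closes the same gap. The guard also presumes `resource` itself was null-checked earlier in the function, which cannot be confirmed from the hunk; `if (resource == nullptr || resource->numFds < 1) {` would make the branch self-contained. The widened cast on the size comparison deserves a why-comment, since nothing on the line explains it: `// size is uint32_t: compare as int64_t so it cannot wrap negative on 32-bit; a -1 error return from ashmem_get_size_region() is rejected here as well` (the -1 convention is from libcutils and should be confirmed against the header). The `0x534e4554` tag and bug id on the SafetyNet line are the right place to keep the log, and the `// SafetyNet` comment is adequate.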