From dbe7183d0493cba5f53f9f0248a7576cc35b4100 Mon Sep 17 00:00:00 2001 From: Steven Moreland Date: Wed, 12 May 2021 23:31:00 +0000 Subject: libbinder: RPC cap transaction size at 100KB Why? - Android code uses -fno-exceptions and generally doesn't check for OOM conditions (unlike the Linux kernel itself!). Even if we check for allocation success, a successful allocation here may mean even a 1 byte allocation on another thread or by the server will cause a failure. - kernel binder can have by default 1MB of concurrent transactions at a time. A transaction of size 100KB is already exceedingly dangerous to the runtime, since in a big process, this could cause other processes to reach the limit. In the future, we could increase this cap (lowering is potentially difficult) or make it customizable. Bug: 167966510 Test: binderRpcTest, binderRpcBenchmark, binder_rpc_fuzzer Change-Id: Ia215f1a00412654ce08e6bced14d4da4a0a46987 --- libs/binder/RpcState.cpp | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) (limited to 'libs/binder/RpcState.cpp') diff --git a/libs/binder/RpcState.cpp b/libs/binder/RpcState.cpp index 20fdbfe954..2ba9fa2bd5 100644 --- a/libs/binder/RpcState.cpp +++ b/libs/binder/RpcState.cpp @@ -182,6 +182,27 @@ void RpcState::terminate() { } } +RpcState::CommandData::CommandData(size_t size) : mSize(size) { + // The maximum size for regular binder is 1MB for all concurrent + // transactions. A very small proportion of transactions are even + // larger than a page, but we need to avoid allocating too much + // data on behalf of an arbitrary client, or we could risk being in + // a position where a single additional allocation could run out of + // memory. + // + // Note, this limit may not reflect the total amount of data allocated for a + // transaction (in some cases, additional fixed size amounts are added), + // though for rough consistency, we should avoid cases where this data type + // is used for multiple dynamic allocations for a single transaction. + constexpr size_t kMaxTransactionAllocation = 100 * 1000; + if (size == 0) return; + if (size > kMaxTransactionAllocation) { + ALOGW("Transaction requested too much data allocation %zu", size); + return; + } + mData.reset(new (std::nothrow) uint8_t[size]); +} + bool RpcState::rpcSend(const base::unique_fd& fd, const char* what, const void* data, size_t size) { LOG_RPC_DETAIL("Sending %s on fd %d: %s", what, fd.get(), hexString(data, size).c_str()); @@ -326,7 +347,7 @@ status_t RpcState::transact(const base::unique_fd& fd, const RpcAddress& address .asyncNumber = asyncNumber, }; - ByteVec transactionData(sizeof(RpcWireTransaction) + data.dataSize()); + CommandData transactionData(sizeof(RpcWireTransaction) + data.dataSize()); if (!transactionData.valid()) { return NO_MEMORY; } @@ -383,7 +404,7 @@ status_t RpcState::waitForReply(const base::unique_fd& fd, const sp& if (status != OK) return status; } - ByteVec data(command.bodySize); + CommandData data(command.bodySize); if (!data.valid()) { return NO_MEMORY; } @@ -469,7 +490,7 @@ status_t RpcState::processTransact(const base::unique_fd& fd, const sp& session, - ByteVec transactionData) { + CommandData transactionData) { if (transactionData.size() < sizeof(RpcWireTransaction)) { ALOGE("Expecting %zu but got %zu bytes for RpcWireTransaction. Terminating!", sizeof(RpcWireTransaction), transactionData.size()); @@ -640,7 +661,7 @@ status_t RpcState::processTransactInternal(const base::unique_fd& fd, const sp(it->second.asyncTodo.top()).data); it->second.asyncTodo.pop(); _l.unlock(); @@ -654,7 +675,7 @@ status_t RpcState::processTransactInternal(const base::unique_fd& fd, const sp