From c5fe5044f44d0bcbba3ea56cc4d17e80e4b74ef9 Mon Sep 17 00:00:00 2001
From: Dan Stoza
Date: Mon, 1 May 2017 16:31:53 -0700
Subject: [PATCH 1/3] libgui: Check slot received from IGBP in Surface
Checks that the slot number received from mGraphicBufferProducer in Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to protect against a malicious BnGraphicBufferProducer.
Bug: 36991414
AOSP-Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
(cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)
CVE-2017-0665
Change-Id: If0fd4864b9fc4ea5a1c83d10adef26cdabb0f7e8
---
 libs/gui/Surface.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libs/gui/Surface.cpp b/libs/gui/Surface.cpp
index 1abb6c375..2e78a6b6f 100644
--- a/libs/gui/Surface.cpp
+++ b/libs/gui/Surface.cpp
@@ -237,6 +237,12 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) {
 return result;
 }
+ if (buf < 0 || buf >= NUM_BUFFER_SLOTS) {
+ ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf);
+ android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging
+ return FAILED_TRANSACTION;
+ }
+
 Mutex::Autolock lock(mMutex);
 sp& gbuf(mSlots[buf].buffer);
From a3a09ef6b40ffc44c6d17a2d8d798fbd19456c59 Mon Sep 17 00:00:00 2001
From: Chris Forbes
Date: Wed, 10 May 2017 13:12:00 -0700
Subject: [PATCH 2/3] ui: Fix bad size check in Fence::unflatten
Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.
Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
AOSP-Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad
(cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)
CVE-2017-0666
Change-Id: I778c82b363ca0409d534f255cc5d17b39e751986
---
 libs/ui/Fence.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/ui/Fence.cpp b/libs/ui/Fence.cpp
index bf24ffb7e..1b2f34dfa 100644
--- a/libs/ui/Fence.cpp
+++ b/libs/ui/Fence.cpp
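Review bot: The range check on `buf` lives in Surface::dequeueBuffer rather than in the BpGraphicBufferProducer proxy, so only this caller is protected; any other in-process user of IGraphicBufferProducer::dequeueBuffer that indexes with the returned slot still trusts the remote value, whereas the third patch in this series validates attachBuffer inside the proxy — presumably both could follow that pattern so the check is done once for every caller. The check itself is right for the `mSlots[buf]` access on the context line below it, since `buf` is a signed int and both bounds are tested before the index is used. A short comment would make the reason durable for maintainers: `// buf comes from a remote IGraphicBufferProducer and indexes mSlots below; reject anything outside [0, NUM_BUFFER_SLOTS).` The body of dequeueBuffer starts and ends outside the hunk.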
@@ -157,7 +157,7 @@ status_t Fence::unflatten(void const*& buffer, size_t& size, int const*& fds, si
 return INVALID_OPERATION;
 }
- if (size < 1) {
+ if (size < getFlattenedSize()) {
 return NO_MEMORY;
 }
From ea0521baee31e4b98caeab665e39610f67c3f035 Mon Sep 17 00:00:00 2001
From: Chia-I Wu
Date: Mon, 15 May 2017 10:32:27 -0700
Subject: [PATCH 3/3] libgui: check for invalid slot in attachBuffer
Bug: 37478824
Test: manual
AOSP-Change-Id: I369337d53539bf7f7e3d925bccdae4045da1b404
(cherry picked from commit c79a29689c1046f1f0301c75df9b9a67cba8bf04)
CVE-2017-0667
Change-Id: I15290a700c2e0f0da9a44bb3131c4e38cadbaed3
---
 libs/gui/IGraphicBufferProducer.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/libs/gui/IGraphicBufferProducer.cpp b/libs/gui/IGraphicBufferProducer.cpp
index c3c62358f..51eedab3d 100644
--- a/libs/gui/IGraphicBufferProducer.cpp
+++ b/libs/gui/IGraphicBufferProducer.cpp
@@ -26,6 +26,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -170,8 +171,16 @@ public:
 if (result != NO_ERROR) {
 return result;
 }
+
 *slot = reply.readInt32();
 result = reply.readInt32();
+ if (result == NO_ERROR &&
+ (*slot < 0 || *slot >= BufferQueueDefs::NUM_BUFFER_SLOTS)) {
+ ALOGE("attachBuffer returned invalid slot %d", *slot);
+ android_errorWriteLog(0x534e4554, "37478824");
+ return UNKNOWN_ERROR;
+ }
+
 return result;
 }
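Review bot: The new guard `if (size < getFlattenedSize())` is only as strong as getFlattenedSize(), which is outside the hunk, and the commit message says that function was fixed separately on mnc+ but not in this change; confirm on this branch that it returns at least the number of bytes the read that presumably follows the guard consumes, otherwise the check still admits a short buffer. The guard does run before anything is read from `buffer`, which is the right order for a size check. A comment on the guard would record the coupling for the next maintainer: `// Must cover the fixed header read below; keep in sync with getFlattenedSize().` Fence::unflatten starts and ends outside the hunk.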
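Review bot: In the second hunk of IGraphicBufferProducer.cpp, `*slot` is written from the reply before it is validated, so when the remote returns a status other than NO_ERROR the out-parameter is left holding an unchecked value that a caller inspecting `*slot` on the error path would see. Reading the slot into a local, validating it, and storing it into `*slot` only when it is accepted (or assigning `*slot = -1;` on every error return) closes that gap. The series is also inconsistent about the error code for the same condition: Surface::dequeueBuffer returns FAILED_TRANSACTION while this proxy returns UNKNOWN_ERROR, and callers that want to distinguish a malformed reply from other failures would benefit from one choice. The first hunk's added `#include` has its header name stripped in this rendering, and the enclosing class starts outside the hunk.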