From 53602ffde5527c476a1d7d39da12ecd7f58917f4 Mon Sep 17 00:00:00 2001
From: forkbomb <keepcalm444@gmail.com>
Date: Thu, 3 Dec 2015 20:34:15 +1100
Subject: [PATCH] libbinder: allow devices to disable ashmem size tracking

The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.

Change-Id: Ida52cec851a6f9d5a57c8f9130a5875c03dcb094
---
 include/binder/Parcel.h |  2 ++
 libs/binder/Parcel.cpp  | 10 ++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 3ada1e909..dc9757e28 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h
@@ -340,8 +340,10 @@ public:
         inline void* data() { return mData; }
     };
 
+#ifndef DISABLE_ASHMEM_TRACKING
 private:
     size_t mBlobAshmemSize;
+#endif
 
 public:
     size_t getBlobAshmemSize() const;
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 7a4ddc43a..ba41f0fe8 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -922,9 +922,9 @@ status_t Parcel::writeBlob(size_t len, bool mutableCopy, WritableBlob* outBlob)
     ALOGV("writeBlob: write to ashmem");
     int fd = ashmem_create_region("Parcel Blob", len);
     if (fd < 0) return NO_MEMORY;
-
+#ifndef DISABLE_ASHMEM_TRACKING
     mBlobAshmemSize += len;
-
+#endif
     int result = ashmem_set_prot_region(fd, PROT_READ | PROT_WRITE);
     if (result < 0) {
         status = result;
@@ -1890,7 +1890,9 @@ void Parcel::initState()
     mFdsKnown = true;
     mAllowFds = true;
     mOwner = NULL;
+#ifndef DISABLE_ASHMEM_TRACKING
     mBlobAshmemSize = 0;
+#endif
 }
 
 void Parcel::scanForFds() const
@@ -1910,7 +1912,11 @@ void Parcel::scanForFds() const
 
 size_t Parcel::getBlobAshmemSize() const
 {
+#ifndef DISABLE_ASHMEM_TRACKING
     return mBlobAshmemSize;
+#else
+    return 0;
+#endif
 }
 
 // --- Parcel::Blob ---