libbinder: allow devices to disable ashmem size tracking
The addition of ashmem size tracking can lead to parcel objects overwriting other values on the stack in old binary blobs. Change-Id: Ife8514be1ba639c4061de38b59794c46bcc2d7f8
This commit is contained in:
forkbomb
Simon Shields
parent
d40a35f61d
commit
7cacf26abb
|
|
@ -340,8 +340,10 @@ public:
|
|||
inline void* data() { return mData; }
|
||||
};
|
||||
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
private:
|
||||
size_t mOpenAshmemSize;
|
||||
#endif
|
||||
|
||||
public:
|
||||
// TODO: Remove once ABI can be changed.
|
||||
|
|
|
|||
|
|
@ -182,6 +182,10 @@ static void release_object(const sp<ProcessState>& proc,
|
|||
|
||||
close(obj.handle);
|
||||
}
|
||||
#ifdef DISABLE_ASHMEM_TRACKING
|
||||
} else if (obj.cookie != 0) {
|
||||
close(obj.handle);
|
||||
#endif
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
|
@ -532,7 +536,11 @@ status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len)
|
|||
|
||||
flat_binder_object* flat
|
||||
= reinterpret_cast<flat_binder_object*>(mData + off);
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
acquire_object(proc, *flat, this, &mOpenAshmemSize);
|
||||
#else
|
||||
acquire_object(proc, *flat, this);
|
||||
#endif
|
||||
|
||||
if (flat->type == BINDER_TYPE_FD) {
|
||||
// If this is a file descriptor, we need to dup it so the
|
||||
|
|
@ -1052,7 +1060,11 @@ restart_write:
|
|||
// Need to write meta-data?
|
||||
if (nullMetaData || val.binder != 0) {
|
||||
mObjects[mObjectsSize] = mDataPos;
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
acquire_object(ProcessState::self(), val, this, &mOpenAshmemSize);
|
||||
#else
|
||||
acquire_object(ProcessState::self(), val, this);
|
||||
#endif
|
||||
mObjectsSize++;
|
||||
}
|
||||
|
||||
|
|
@ -1635,7 +1647,11 @@ void Parcel::releaseObjects()
|
|||
i--;
|
||||
const flat_binder_object* flat
|
||||
= reinterpret_cast<flat_binder_object*>(data+objects[i]);
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
release_object(proc, *flat, this, &mOpenAshmemSize);
|
||||
#else
|
||||
release_object(proc, *flat, this);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1649,7 +1665,11 @@ void Parcel::acquireObjects()
|
|||
i--;
|
||||
const flat_binder_object* flat
|
||||
= reinterpret_cast<flat_binder_object*>(data+objects[i]);
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
acquire_object(proc, *flat, this, &mOpenAshmemSize);
|
||||
#else
|
||||
acquire_object(proc, *flat, this);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1831,7 +1851,11 @@ status_t Parcel::continueWrite(size_t desired)
|
|||
// will need to rescan because we may have lopped off the only FDs
|
||||
mFdsKnown = false;
|
||||
}
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
release_object(proc, *flat, this, &mOpenAshmemSize);
|
||||
#else
|
||||
release_object(proc, *flat, this);
|
||||
#endif
|
||||
}
|
||||
binder_size_t* objects =
|
||||
(binder_size_t*)realloc(mObjects, objectsSize*sizeof(binder_size_t));
|
||||
|
|
@ -1916,7 +1940,9 @@ void Parcel::initState()
|
|||
mFdsKnown = true;
|
||||
mAllowFds = true;
|
||||
mOwner = NULL;
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
mOpenAshmemSize = 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
void Parcel::scanForFds() const
|
||||
|
|
@ -1939,12 +1965,20 @@ size_t Parcel::getBlobAshmemSize() const
|
|||
// This used to return the size of all blobs that were written to ashmem, now we're returning
|
||||
// the ashmem currently referenced by this Parcel, which should be equivalent.
|
||||
// TODO: Remove method once ABI can be changed.
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
return mOpenAshmemSize;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
size_t Parcel::getOpenAshmemSize() const
|
||||
{
|
||||
#ifndef DISABLE_ASHMEM_TRACKING
|
||||
return mOpenAshmemSize;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
// --- Parcel::Blob ---
|
||||
|
|
|
|||
Loading…
Reference in New Issue