| Revision | e31f6eb5c49e0e638585243ac36ce139b60a6fb1 (tree) |
|---|---|
| Time | 2018-08-11 05:32:14 |
| Author | android-build-team Robot <android-build-team-robot@goog...> |
| Commiter | android-build-team Robot |
Merge cherrypicks of [4741663, 4741664, 4741665, 4741666, 4743080, 4743081, 4743082, 4743083, 4741262, 4741263, 4741264, 4741265, 4741266, 4741667, 4743084, 4741242, 4741243, 4741741, 4741742, 4741743, 4741744, 4741822, 4743085, 4741668, 4741338, 4743055, 4743056, 4743070, 4743073, 4743075, 4743076, 4743078, 4743079, 4743161, 4743162, 4743164, 4743165, 4743167, 4743168, 4743169, 4743170, 4741681, 4741682, 4741683, 4741684, 4741685, 4741686, 4741687, 4741688, 4741689, 4741690, 4741691, 4741692, 4741693, 4741694, 4741695, 4741696, 4741697, 4741698, 4741699, 4743240, 4743241, 4743242, 4743243, 4741745, 4741823, 4741824, 4741825, 4741267, 4741268, 4743244, 4743280, 4743281, 4743224, 4743203, 4743204, 4743205, 4741746, 4741747, 4743245, 4741826, 4741827, 4741828, 4741829, 4741748, 4741749, 4741750, 4743233, 4743282, 4741244, 4741245, 4741246, 4741247, 4743206, 4743207, 4743208, 4743209, 4743210, 4743211, 4743212, 4743213, 4743214, 4743215, 4743216, 4743217, 4743218, 4743219, 4743360, 4743361, 4743362, 4743363, 4743364, 4743365, 4743366, 4743367, 4743368, 4743369, 4743370, 4743371, 4743372, 4743373, 4743374, 4743375, 4743376, 4743377, 4743283, 4743284, 4741830, 4742501, 4743246, 4743086, 4743087, 4743378, 4743379, 4741751] into sparse-4749909-L04200000199131547
Change-Id: Iead43bb0deac18379a0a05dff4cadc3a86e59d1b
libs/binder/Parcel.cpp (diff)
libs/binder/include/binder/Parcel.h (diff)| @@ -433,6 +433,7 @@ void Parcel::setDataPosition(size_t pos) const | ||
| 433 | 433 | |
| 434 | 434 | mDataPos = pos; |
| 435 | 435 | mNextObjectHint = 0; |
| 436 | + mObjectsSorted = false; | |
| 436 | 437 | } |
| 437 | 438 | |
| 438 | 439 | status_t Parcel::setDataCapacity(size_t size) |
| @@ -1276,7 +1277,7 @@ status_t Parcel::write(const FlattenableHelperInterface& val) | ||
| 1276 | 1277 | if (err) return err; |
| 1277 | 1278 | |
| 1278 | 1279 | // payload |
| 1279 | - void* const buf = this->writeInplace(pad_size(len)); | |
| 1280 | + void* const buf = this->writeInplace(len); | |
| 1280 | 1281 | if (buf == NULL) |
| 1281 | 1282 | return BAD_VALUE; |
| 1282 | 1283 |
| @@ -1469,6 +1470,59 @@ void Parcel::remove(size_t /*start*/, size_t /*amt*/) | ||
| 1469 | 1470 | LOG_ALWAYS_FATAL("Parcel::remove() not yet implemented!"); |
| 1470 | 1471 | } |
| 1471 | 1472 | |
| 1473 | +status_t Parcel::validateReadData(size_t upperBound) const | |
| 1474 | +{ | |
| 1475 | + // Don't allow non-object reads on object data | |
| 1476 | + if (mObjectsSorted || mObjectsSize <= 1) { | |
| 1477 | +data_sorted: | |
| 1478 | + // Expect to check only against the next object | |
| 1479 | + if (mNextObjectHint < mObjectsSize && upperBound > mObjects[mNextObjectHint]) { | |
| 1480 | + // For some reason the current read position is greater than the next object | |
| 1481 | + // hint. Iterate until we find the right object | |
| 1482 | + size_t nextObject = mNextObjectHint; | |
| 1483 | + do { | |
| 1484 | + if (mDataPos < mObjects[nextObject] + sizeof(flat_binder_object)) { | |
| 1485 | + // Requested info overlaps with an object | |
| 1486 | + ALOGE("Attempt to read from protected data in Parcel %p", this); | |
| 1487 | + return PERMISSION_DENIED; | |
| 1488 | + } | |
| 1489 | + nextObject++; | |
| 1490 | + } while (nextObject < mObjectsSize && upperBound > mObjects[nextObject]); | |
| 1491 | + mNextObjectHint = nextObject; | |
| 1492 | + } | |
| 1493 | + return NO_ERROR; | |
| 1494 | + } | |
| 1495 | + // Quickly determine if mObjects is sorted. | |
| 1496 | + binder_size_t* currObj = mObjects + mObjectsSize - 1; | |
| 1497 | + binder_size_t* prevObj = currObj; | |
| 1498 | + while (currObj > mObjects) { | |
| 1499 | + prevObj--; | |
| 1500 | + if(*prevObj > *currObj) { | |
| 1501 | + goto data_unsorted; | |
| 1502 | + } | |
| 1503 | + currObj--; | |
| 1504 | + } | |
| 1505 | + mObjectsSorted = true; | |
| 1506 | + goto data_sorted; | |
| 1507 | + | |
| 1508 | +data_unsorted: | |
| 1509 | + // Insertion Sort mObjects | |
| 1510 | + // Great for mostly sorted lists. If randomly sorted or reverse ordered mObjects become common, | |
| 1511 | + // switch to std::sort(mObjects, mObjects + mObjectsSize); | |
| 1512 | + for (binder_size_t* iter0 = mObjects + 1; iter0 < mObjects + mObjectsSize; iter0++) { | |
| 1513 | + binder_size_t temp = *iter0; | |
| 1514 | + binder_size_t* iter1 = iter0 - 1; | |
| 1515 | + while (iter1 >= mObjects && *iter1 > temp) { | |
| 1516 | + *(iter1 + 1) = *iter1; | |
| 1517 | + iter1--; | |
| 1518 | + } | |
| 1519 | + *(iter1 + 1) = temp; | |
| 1520 | + } | |
| 1521 | + mNextObjectHint = 0; | |
| 1522 | + mObjectsSorted = true; | |
| 1523 | + goto data_sorted; | |
| 1524 | +} | |
| 1525 | + | |
| 1472 | 1526 | status_t Parcel::read(void* outData, size_t len) const |
| 1473 | 1527 | { |
| 1474 | 1528 | if (len > INT32_MAX) { |
| @@ -1479,6 +1533,15 @@ status_t Parcel::read(void* outData, size_t len) const | ||
| 1479 | 1533 | |
| 1480 | 1534 | if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize |
| 1481 | 1535 | && len <= pad_size(len)) { |
| 1536 | + if (mObjectsSize > 0) { | |
| 1537 | + status_t err = validateReadData(mDataPos + pad_size(len)); | |
| 1538 | + if(err != NO_ERROR) { | |
| 1539 | + // Still increment the data position by the expected length | |
| 1540 | + mDataPos += pad_size(len); | |
| 1541 | + ALOGV("read Setting data pos of %p to %zu", this, mDataPos); | |
| 1542 | + return err; | |
| 1543 | + } | |
| 1544 | + } | |
| 1482 | 1545 | memcpy(outData, mData+mDataPos, len); |
| 1483 | 1546 | mDataPos += pad_size(len); |
| 1484 | 1547 | ALOGV("read Setting data pos of %p to %zu", this, mDataPos); |
| @@ -1497,6 +1560,16 @@ const void* Parcel::readInplace(size_t len) const | ||
| 1497 | 1560 | |
| 1498 | 1561 | if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize |
| 1499 | 1562 | && len <= pad_size(len)) { |
| 1563 | + if (mObjectsSize > 0) { | |
| 1564 | + status_t err = validateReadData(mDataPos + pad_size(len)); | |
| 1565 | + if(err != NO_ERROR) { | |
| 1566 | + // Still increment the data position by the expected length | |
| 1567 | + mDataPos += pad_size(len); | |
| 1568 | + ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos); | |
| 1569 | + return NULL; | |
| 1570 | + } | |
| 1571 | + } | |
| 1572 | + | |
| 1500 | 1573 | const void* data = mData+mDataPos; |
| 1501 | 1574 | mDataPos += pad_size(len); |
| 1502 | 1575 | ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos); |
| @@ -1510,6 +1583,15 @@ status_t Parcel::readAligned(T *pArg) const { | ||
| 1510 | 1583 | COMPILE_TIME_ASSERT_FUNCTION_SCOPE(PAD_SIZE_UNSAFE(sizeof(T)) == sizeof(T)); |
| 1511 | 1584 | |
| 1512 | 1585 | if ((mDataPos+sizeof(T)) <= mDataSize) { |
| 1586 | + if (mObjectsSize > 0) { | |
| 1587 | + status_t err = validateReadData(mDataPos + sizeof(T)); | |
| 1588 | + if(err != NO_ERROR) { | |
| 1589 | + // Still increment the data position by the expected length | |
| 1590 | + mDataPos += sizeof(T); | |
| 1591 | + return err; | |
| 1592 | + } | |
| 1593 | + } | |
| 1594 | + | |
| 1513 | 1595 | const void* data = mData+mDataPos; |
| 1514 | 1596 | mDataPos += sizeof(T); |
| 1515 | 1597 | *pArg = *reinterpret_cast<const T*>(data); |
| @@ -2366,6 +2448,7 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, | ||
| 2366 | 2448 | mObjects = const_cast<binder_size_t*>(objects); |
| 2367 | 2449 | mObjectsSize = mObjectsCapacity = objectsCount; |
| 2368 | 2450 | mNextObjectHint = 0; |
| 2451 | + mObjectsSorted = false; | |
| 2369 | 2452 | mOwner = relFunc; |
| 2370 | 2453 | mOwnerCookie = relCookie; |
| 2371 | 2454 | for (size_t i = 0; i < mObjectsSize; i++) { |
| @@ -2524,6 +2607,7 @@ status_t Parcel::restartWrite(size_t desired) | ||
| 2524 | 2607 | mObjects = NULL; |
| 2525 | 2608 | mObjectsSize = mObjectsCapacity = 0; |
| 2526 | 2609 | mNextObjectHint = 0; |
| 2610 | + mObjectsSorted = false; | |
| 2527 | 2611 | mHasFds = false; |
| 2528 | 2612 | mFdsKnown = true; |
| 2529 | 2613 | mAllowFds = true; |
| @@ -2610,6 +2694,7 @@ status_t Parcel::continueWrite(size_t desired) | ||
| 2610 | 2694 | mDataCapacity = desired; |
| 2611 | 2695 | mObjectsSize = mObjectsCapacity = objectsSize; |
| 2612 | 2696 | mNextObjectHint = 0; |
| 2697 | + mObjectsSorted = false; | |
| 2613 | 2698 | |
| 2614 | 2699 | } else if (mData) { |
| 2615 | 2700 | if (objectsSize < mObjectsSize) { |
| @@ -2631,6 +2716,7 @@ status_t Parcel::continueWrite(size_t desired) | ||
| 2631 | 2716 | } |
| 2632 | 2717 | mObjectsSize = objectsSize; |
| 2633 | 2718 | mNextObjectHint = 0; |
| 2719 | + mObjectsSorted = false; | |
| 2634 | 2720 | } |
| 2635 | 2721 | |
| 2636 | 2722 | // We own the data, so we can just do a realloc(). |
| @@ -2703,6 +2789,7 @@ void Parcel::initState() | ||
| 2703 | 2789 | mObjectsSize = 0; |
| 2704 | 2790 | mObjectsCapacity = 0; |
| 2705 | 2791 | mNextObjectHint = 0; |
| 2792 | + mObjectsSorted = false; | |
| 2706 | 2793 | mHasFds = false; |
| 2707 | 2794 | mFdsKnown = true; |
| 2708 | 2795 | mAllowFds = true; |
| @@ -417,6 +417,7 @@ private: | ||
| 417 | 417 | void freeDataNoInit(); |
| 418 | 418 | void initState(); |
| 419 | 419 | void scanForFds() const; |
| 420 | + status_t validateReadData(size_t len) const; | |
| 420 | 421 | |
| 421 | 422 | template<class T> |
| 422 | 423 | status_t readAligned(T *pArg) const; |
| @@ -463,6 +464,7 @@ private: | ||
| 463 | 464 | size_t mObjectsSize; |
| 464 | 465 | size_t mObjectsCapacity; |
| 465 | 466 | mutable size_t mNextObjectHint; |
| 467 | + mutable bool mObjectsSorted; | |
| 466 | 468 | |
| 467 | 469 | mutable bool mFdsKnown; |
| 468 | 470 | mutable bool mHasFds; |
Android-x86
Fork