Add bounds check to sensors direct channel creation
Avoids attempting to read a 0-size array during input validation. Adds
SafetyNet logging when this is triggered.
Also, change the cast for the ashmem size check from int to int64_t to
avoid potential conversion to negative number on 32-bit systems.
Bug: 70986337
Test: run POC, confirm via logs that function bails early
Change-Id: I674285738983f18de3466f9e818d83dabe269b7d
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index d60768c..11d1c2a 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -21,6 +21,7 @@
#include <cutils/properties.h>
#include <hardware/sensors.h>
#include <hardware_legacy/power.h>
+#include <log/log.h>
#include <openssl/digest.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>
@@ -986,10 +987,15 @@
// check specific to memory type
switch(type) {
case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem
+ if (resource->numFds < 1) {
+ ALOGE("Ashmem direct channel requires a memory region to be supplied");
+ android_errorWriteLog(0x534e4554, "70986337"); // SafetyNet
+ return nullptr;
+ }
int fd = resource->data[0];
int size2 = ashmem_get_size_region(fd);
// check size consistency
- if (size2 < static_cast<int>(size)) {
+ if (size2 < static_cast<int64_t>(size)) {
ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d",
size, size2);
return nullptr;