Revert "binder: Remove ashmem validitiy checks"
This reverts commit b62b05640eec88cdbfa2d828d6786f24aa836d7d.
Reason for revert: Makes certain devices unbootable.
Bug: 111426334
Change-Id: If20f6ab9e2a63556e28c7bf659b2565462e42d2a
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index d3351c8..87c9842 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -129,7 +129,7 @@
return;
}
case BINDER_TYPE_FD: {
- if ((obj.cookie != 0) && (outAshmemSize != nullptr)) {
+ if ((obj.cookie != 0) && (outAshmemSize != nullptr) && ashmem_valid(obj.handle)) {
// If we own an ashmem fd, keep track of how much memory it refers to.
int size = ashmem_get_size_region(obj.handle);
if (size > 0) {
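Review bot: Nothing in the restored condition on this `BINDER_TYPE_FD` acquire path says why `ashmem_valid(obj.handle)` has to run before `ashmem_get_size_region(obj.handle)`, and the reverted commit apparently dropped the check as unnecessary. A short comment would guard against a repeat, e.g. `// The fd in a BINDER_TYPE_FD object may be any file type; query the size only after ashmem_valid() confirms it is ashmem.` The same comment belongs on the release-path check in the next hunk (`if ((outAshmemSize != nullptr) && ashmem_valid(obj.handle))`), because the two predicates must stay identical for the size added here to be subtracted there. What the size query does on a non-ashmem fd is not visible in this diff; it is presumably what the "unbootable" revert reason refers to, so confirm it against the ashmem library before wording the comment. Both switch statements begin and end outside their hunks.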
@@ -178,7 +178,7 @@
}
case BINDER_TYPE_FD: {
if (obj.cookie != 0) { // owned
- if ((outAshmemSize != nullptr)) {
+ if ((outAshmemSize != nullptr) && ashmem_valid(obj.handle)) {
int size = ashmem_get_size_region(obj.handle);
if (size > 0) {
*outAshmemSize -= size;
@@ -2307,9 +2307,13 @@
int fd = readFileDescriptor();
if (fd == int(BAD_TYPE)) return BAD_VALUE;
+ if (!ashmem_valid(fd)) {
+ ALOGE("invalid fd");
+ return BAD_VALUE;
+ }
int size = ashmem_get_size_region(fd);
if (size < 0 || size_t(size) < len) {
- ALOGE("invalid fd or request size %zu does not match fd size %d", len, size);
+ ALOGE("request size %zu does not match fd size %d", len, size);
return BAD_VALUE;
}
void* ptr = ::mmap(nullptr, len, isMutable ? PROT_READ | PROT_WRITE : PROT_READ,
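Review bot: The `size < 0` case now logs "request size %zu does not match fd size %d", which reports a failed size query as a length mismatch, and the new `ALOGE("invalid fd")` names neither the fd nor the caller. The fd is read out of the parcel, so these rejections are what someone triaging a malformed or hostile transaction will search the log for. I would make them distinguishable: `ALOGE("fd %d is not an ashmem region", fd);` for the first, and a separate `if (size < 0)` branch that logs the error before the `size_t(size) < len` comparison. The enclosing function starts and ends outside the hunk, so whether `fd` is owned by the parcel or must be closed on these early returns cannot be judged from here.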