Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / 884d1a55c6a847ab684dd2131000f15df039fe1a
commit884d1a55c6a847ab684dd2131000f15df039fe1a[log] [tgz]
authorFrederick Mayle <fmayle@google.com>Mon Sep 30 17:42:45 2024 -0700
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Fri Nov 22 16:55:36 2024 +0000
treeb38ebce1c8247a72ea374b520844768cff8684b3
parent344041a29069cf6f88dfabbff2a9c0ea8e22701a [diff]
binder: fix FD handling in continueWrite

Only close FDs within the truncated part of the parcel.

This change also fixes a bug where a parcel truncated into the middle of
an object would not properly free that object. That could have resulted
in an OOB access in `Parcel::truncateRpcObjects`, so more bounds
checking is added.

The new tests show how to reproduce the bug by appending to or partially
truncating Parcels owned by the kernel. Two cases are disabled because
of a bug in the Parcel fdsan code (b/370824489).

Flag: EXEMPT bugfix
Ignore-AOSP-First: security fix
Bug: 239222407, 359179312
Test: atest binderLibTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f2163b846228ded7187358048efb20681614779e)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:348ca016299ba7c22affd16d12d6220753a78e93)
Merged-In: Iadf7e2e98e3eb97c56ec2fed2b49d1e6492af9a3
Change-Id: Iadf7e2e98e3eb97c56ec2fed2b49d1e6492af9a3
3 files changed
tree: b38ebce1c8247a72ea374b520844768cff8684b3
  1. aidl/
  2. build/
  3. cmds/
  4. data/
  5. docs/
  6. headers/
  7. include/
  8. include_sensor/
  9. libs/
  10. opengl/
  11. services/
  12. vulkan/
  13. rustfmt.toml ⇨ ../../build/soong/scripts/rustfmt.toml
  14. .clang-format
  15. .gitignore
  16. Android.bp
  17. CleanSpec.mk
  18. METADATA
  19. MODULE_LICENSE_APACHE2
  20. NOTICE
  21. PREUPLOAD.cfg
  22. TEST_MAPPING