Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 88805d55c555ad04acfcb7048074d3d58b307f50^! / . / vm_payload / src / api.rs
commit88805d55c555ad04acfcb7048074d3d58b307f50[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Fri Dec 16 16:07:33 2022 +0000
committerAlan Stokes <alanstokes@google.com>Fri Dec 16 16:53:45 2022 +0000
tree6860bb8c15a47126283da2fdf536519bd6a0120e
parente9d6cfb333cb4b9bd8013ddb5b668ad113e7c745 [diff] [blame]
Native API fixes

Port is always 32 bits, move it to uint32_t.

Add _Nullable / _Nonnull annotations in the headers. That initially
triggered a warning because we deliberately pass null to the
getDiceAttestation* functions to get the size needed. Which led me to
notice that our Rust code technically had undefined behavior, because
a null pointer is never valid even for size 0. Added a guard for that,
and documented that null is only allowed for size 0.

Bug: 262415211
Test: atest MicrodroidTests
Change-Id: I44bb2946989f7254e581d885542b41399c3ee059

diff --git a/vm_payload/src/api.rs b/vm_payload/src/api.rs
index 66c8ef7..a9b3abb 100644
--- a/vm_payload/src/api.rs
+++ b/vm_payload/src/api.rs

@@ -206,7 +206,7 @@
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * `data` must be [valid] for writes of `size` bytes.
+/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
 ///
 /// [valid]: ptr#safety
 #[no_mangle]
@@ -214,9 +214,13 @@
     initialize_logging();
 
     let chain = unwrap_or_abort(try_get_dice_attestation_chain());
-    // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
-    // the length of either buffer, and `chain` cannot overlap `data` because we just allocated it.
-    unsafe { ptr::copy_nonoverlapping(chain.as_ptr(), data, std::cmp::min(chain.len(), size)) };
+    if size != 0 {
+        // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
+        // the length of either buffer, and `chain` cannot overlap `data` because we just allocated
+        // it. We allow data to be null, which is never valid, but only if size == 0 which is
+        // checked above.
+        unsafe { ptr::copy_nonoverlapping(chain.as_ptr(), data, std::cmp::min(chain.len(), size)) };
+    }
     chain.len()
 }
 
@@ -231,7 +235,7 @@
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * `data` must be [valid] for writes of `size` bytes.
+/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
 ///
 /// [valid]: ptr#safety
 #[no_mangle]
@@ -239,9 +243,13 @@
     initialize_logging();
 
     let cdi = unwrap_or_abort(try_get_dice_attestation_cdi());
-    // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
-    // the length of either buffer, and `cdi` cannot overlap `data` because we just allocated it.
-    unsafe { ptr::copy_nonoverlapping(cdi.as_ptr(), data, std::cmp::min(cdi.len(), size)) };
+    if size != 0 {
+        // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
+        // the length of either buffer, and `cdi` cannot overlap `data` because we just allocated
+        // it. We allow data to be null, which is never valid, but only if size == 0 which is
+        // checked above.
+        unsafe { ptr::copy_nonoverlapping(cdi.as_ptr(), data, std::cmp::min(cdi.len(), size)) };
+    }
     cdi.len()
 }