author | Marco Nelissen <marcone@google.com> | 2016-09-20 13:36:40 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-09-27 15:56:40 -0700 |
commit | c2dd82bfd6d7aea5b6760efc0712ae11d7a52e6b (patch) | |
tree | 6891b48c0e898a6f06610d2d7a06cb28f04315bb | |
parent | 128035617a8cafd4ea717ceb8d6fe56564b07262 (diff) | |
Check mprotect result
mprotect can theoretically fail, which could then let one exploit
a vulnerable codec if one exists on the device.
Bug: 31350239
Change-Id: I7b99c190619f0fb2eb93119596e6da0d2deb8ba5
(cherry picked from commit 866c800c0624bb13eee44973cc8a2ecd0012de6e)
-rw-r--r-- | media/libmedia/IOMX.cpp | 52 |
1 files changed, 28 insertions, 24 deletions
diff --git a/media/libmedia/IOMX.cpp b/media/libmedia/IOMX.cpp
index c28eac8..365d9ac 100644
--- a/media/libmedia/IOMX.cpp
+++ b/media/libmedia/IOMX.cpp
@@ -733,31 +733,35 @@ status_t BnOMX::onTransact(
 // mark the last page as inaccessible, to avoid exploitation
 // of codecs that access past the end of the allocation because
 // they didn't check the size
- mprotect((char*)params + allocSize - pageSize, pageSize, PROT_NONE);
- switch (code) {
- case GET_PARAMETER:
- err = getParameter(node, index, params, size);
- break;
- case SET_PARAMETER:
- err = setParameter(node, index, params, size);
- break;
- case GET_CONFIG:
- err = getConfig(node, index, params, size);
- break;
- case SET_CONFIG:
- err = setConfig(node, index, params, size);
- break;
- case SET_INTERNAL_OPTION:
- {
- InternalOptionType type =
- (InternalOptionType)data.readInt32();
-
- err = setInternalOption(node, index, type, params, size);
- break;
+ if (mprotect((char*)params + allocSize - pageSize, pageSize,
+ PROT_NONE) != 0) {
+ ALOGE("mprotect failed: %s", strerror(errno));
+ } else {
+ switch (code) {
+ case GET_PARAMETER:
+ err = getParameter(node, index, params, size);
+ break;
+ case SET_PARAMETER:
+ err = setParameter(node, index, params, size);
+ break;
+ case GET_CONFIG:
+ err = getConfig(node, index, params, size);
+ break;
+ case SET_CONFIG:
+ err = setConfig(node, index, params, size);
+ break;
+ case SET_INTERNAL_OPTION:
+ {
+ InternalOptionType type =
+ (InternalOptionType)data.readInt32();
+
+ err = setInternalOption(node, index, type, params, size);
+ break;
+ }
+
+ default:
+ TRESPASS();
 }
-
- default:
- TRESPASS();
 }
 }
 }
|
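Review bot: The new failure branch logs and skips the dispatch but never assigns `err`, so the status reported for a request whose guard page could not be installed depends on whatever `err` was initialised to before this hunk, which is not visible here. Setting it explicitly in that branch, for example `err = UNKNOWN_ERROR;` after the `ALOGE`, would make the fail-closed intent obvious and keep it intact if the initial value ever changes. A short comment there such as `// guard page not installed: do not hand params to the codec` would also explain why the switch is skipped. `onTransact` begins and ends outside the hunk, so the later use of `err` and the release of `params` should be confirmed against the full function.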