1 files changed, 52 insertions, 10 deletions

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 4f539a8..65e67d6 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -18,6 +18,8 @@
 //#define LOG_NDEBUG 0
 
 #include <binder/Parcel.h>
+#include <fcntl.h>
+#include <pthread.h>
 
 #include <binder/IPCThreadState.h>
 #include <binder/Binder.h>
@@ -42,6 +44,9 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 #ifndef INT32_MAX
 #define INT32_MAX ((int32_t)(2147483647))
@@ -95,6 +100,32 @@ enum {
     BLOB_ASHMEM_MUTABLE = 2,
 };
 
+static dev_t ashmem_rdev()
+{
+    static dev_t __ashmem_rdev;
+    static pthread_mutex_t __ashmem_rdev_lock = PTHREAD_MUTEX_INITIALIZER;
+
+    pthread_mutex_lock(&__ashmem_rdev_lock);
+
+    dev_t rdev = __ashmem_rdev;
+    if (!rdev) {
+        int fd = TEMP_FAILURE_RETRY(open("/dev/ashmem", O_RDONLY));
+        if (fd >= 0) {
+            struct stat st;
+
+            int ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
+            close(fd);
+            if ((ret >= 0) && S_ISCHR(st.st_mode)) {
+                rdev = __ashmem_rdev = st.st_rdev;
+            }
+        }
+    }
+
+    pthread_mutex_unlock(&__ashmem_rdev_lock);
+
+    return rdev;
+}
+
 void acquire_object(const sp<ProcessState>& proc,
     const flat_binder_object& obj, const void* who, size_t* outAshmemSize)
 {
@@ -123,8 +154,10 @@ void acquire_object(const sp<ProcessState>& proc,
             return;
         }
         case BINDER_TYPE_FD: {
-            if (obj.cookie != 0) {
-                if (outAshmemSize != NULL) {
+            if ((obj.cookie != 0) && (outAshmemSize != NULL)) {
+                struct stat st;
+                int ret = fstat(obj.handle, &st);
+                if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) {
                     // If we own an ashmem fd, keep track of how much memory it refers to.
                     int size = ashmem_get_size_region(obj.handle);
                     if (size > 0) {
@@ -173,15 +206,18 @@ static void release_object(const sp<ProcessState>& proc,
             return;
         }
         case BINDER_TYPE_FD: {
-            if (outAshmemSize != NULL) {
-                if (obj.cookie != 0) {
-                    int size = ashmem_get_size_region(obj.handle);
-                    if (size > 0) {
-                        *outAshmemSize -= size;
+            if (obj.cookie != 0) { // owned
+                if (outAshmemSize != NULL) {
+                    struct stat st;
+                    int ret = fstat(obj.handle, &st);
+                    if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) {
+                        int size = ashmem_get_size_region(obj.handle);
+                        if (size > 0) {
+                            *outAshmemSize -= size;
+                        }
                     }
-
-                    close(obj.handle);
                 }
+            close(obj.handle);
 #ifdef DISABLE_ASHMEM_TRACKING
             } else if (obj.cookie != 0) {
                 close(obj.handle);
@@ -1389,7 +1425,13 @@ native_handle* Parcel::readNativeHandle() const
 
     for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
         h->data[i] = dup(readFileDescriptor());
-        if (h->data[i] < 0) err = BAD_VALUE;
+        if (h->data[i] < 0) {
+            for (int j = 0; j < i; j++) {
+                close(h->data[j]);
+            }
+            native_handle_delete(h);
+            return 0;
+        }
     }
     err = read(h->data + numFds, sizeof(int)*numInts);
     if (err != NO_ERROR) {