From 28a83d4206e97c149a72408bc76c6487f57ed1b4 Mon Sep 17 00:00:00 2001
From: Pablo Ceballos <pceballos@google.com>
Date: Thu, 11 Feb 2016 18:01:49 -0800
Subject: BQ: Add permission check to BufferQueueConsumer::dump

Bug 27046057

Change-Id: Id7bd8cf95045b497943ea39dde49e877aa6f5c4e
---
 libs/gui/BufferQueueConsumer.cpp | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/libs/gui/BufferQueueConsumer.cpp b/libs/gui/BufferQueueConsumer.cpp
index bb3e1b0..158eeb4 100644
--- a/libs/gui/BufferQueueConsumer.cpp
+++ b/libs/gui/BufferQueueConsumer.cpp
@@ -26,6 +26,10 @@
 #include <gui/IConsumerListener.h>
 #include <gui/IProducerListener.h>
 
+#include <binder/IPCThreadState.h>
+#include <binder/PermissionCache.h>
+#include <private/android_filesystem_config.h>
+
 namespace android {
 
 BufferQueueConsumer::BufferQueueConsumer(const sp<BufferQueueCore>& core) :
@@ -572,7 +576,17 @@ sp<NativeHandle> BufferQueueConsumer::getSidebandStream() const {
 }
 
 void BufferQueueConsumer::dump(String8& result, const char* prefix) const {
-    mCore->dump(result, prefix);
+    const IPCThreadState* ipc = IPCThreadState::self();
+    const pid_t pid = ipc->getCallingPid();
+    const uid_t uid = ipc->getCallingUid();
+    if ((uid != AID_SHELL)
+            && !PermissionCache::checkPermission(String16(
+            "android.permission.DUMP"), pid, uid)) {
+        result.appendFormat("Permission Denial: can't dump BufferQueueConsumer "
+                "from pid=%d, uid=%d\n", pid, uid);
+    } else {
+        mCore->dump(result, prefix);
+    }
 }
 
 } // namespace android
-- 
cgit v1.1


From a5d2913b0744054cacf3cbf66bd629fdc8105e07 Mon Sep 17 00:00:00 2001
From: Christopher Tate <ctate@google.com>
Date: Fri, 5 Feb 2016 19:02:56 -0800
Subject: Sanity check IMemory access versus underlying mmap

Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
---
 libs/binder/IMemory.cpp | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/libs/binder/IMemory.cpp b/libs/binder/IMemory.cpp
index e9891a8..fb8d620 100644
--- a/libs/binder/IMemory.cpp
+++ b/libs/binder/IMemory.cpp
@@ -26,6 +26,7 @@
 #include <sys/mman.h>
 
 #include <binder/IMemory.h>
+#include <cutils/log.h>
 #include <utils/KeyedVector.h>
 #include <utils/threads.h>
 #include <utils/Atomic.h>
@@ -187,15 +188,26 @@ sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const
             if (heap != 0) {
                 mHeap = interface_cast<IMemoryHeap>(heap);
                 if (mHeap != 0) {
-                    mOffset = o;
-                    mSize = s;
+                    size_t heapSize = mHeap->getSize();
+                    if (s <= heapSize
+                            && o >= 0
+                            && (static_cast<size_t>(o) <= heapSize - s)) {
+                        mOffset = o;
+                        mSize = s;
+                    } else {
+                        // Hm.
+                        android_errorWriteWithInfoLog(0x534e4554,
+                            "26877992", -1, NULL, 0);
+                        mOffset = 0;
+                        mSize = 0;
+                    }
                 }
             }
         }
     }
     if (offset) *offset = mOffset;
     if (size) *size = mSize;
-    return mHeap;
+    return (mSize > 0) ? mHeap : 0;
 }
 
 // ---------------------------------------------------------------------------
-- 
cgit v1.1


From a93a31018795eab0b031ebc66475f46a79b7c7ab Mon Sep 17 00:00:00 2001
From: Pablo Ceballos <pceballos@google.com>
Date: Sat, 20 Feb 2016 11:26:13 -0800
Subject: Add SN logging

Bug 27046057

Change-Id: Iede7c92e59e60795df1ec7768ebafd6b090f1c27
---
 libs/gui/BufferQueueConsumer.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libs/gui/BufferQueueConsumer.cpp b/libs/gui/BufferQueueConsumer.cpp
index 158eeb4..7504ed4 100644
--- a/libs/gui/BufferQueueConsumer.cpp
+++ b/libs/gui/BufferQueueConsumer.cpp
@@ -584,6 +584,7 @@ void BufferQueueConsumer::dump(String8& result, const char* prefix) const {
             "android.permission.DUMP"), pid, uid)) {
         result.appendFormat("Permission Denial: can't dump BufferQueueConsumer "
                 "from pid=%d, uid=%d\n", pid, uid);
+        android_errorWriteWithInfoLog(0x534e4554, "27046057", uid, NULL, 0);
     } else {
         mCore->dump(result, prefix);
     }
-- 
cgit v1.1