From d70043eaf41b911c464cf62d5f79aac8697aeb6b Mon Sep 17 00:00:00 2001
From: Mark Salyzyn
Date: Wed, 27 Jan 2016 08:02:48 -0800
Subject: system_server BINDER_TYPE_FD sockets using ashmem accessors check if device is a character device, before calling ashmem_get_size_region. We do not check if the st_rdev matches /dev/ashmem. So this at least eliminates making this call when associated with a socket.
Bug: 26374183
Change-Id: I68ed9d1c2cd4c47228ed065e3e18eb4151f038f4
---
 libs/binder/Parcel.cpp | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 1aaee92..56890a2 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -42,6 +42,9 @@
 #include
 #include
 #include
+#include
+#include
+#include
 #ifndef INT32_MAX
 #define INT32_MAX ((int32_t)(2147483647))
@@ -123,8 +126,10 @@ void acquire_object(const sp& proc,
 return;
 }
 case BINDER_TYPE_FD: {
- if (obj.cookie != 0) {
- if (outAshmemSize != NULL) {
+ if ((obj.cookie != 0) && (outAshmemSize != NULL)) {
+ struct stat st;
+ int ret = fstat(obj.handle, &st);
+ if (!ret && S_ISCHR(st.st_mode)) {
 // If we own an ashmem fd, keep track of how much memory it refers to.
 int size = ashmem_get_size_region(obj.handle);
 if (size > 0) {
@@ -175,9 +180,13 @@ static void release_object(const sp& proc,
 case BINDER_TYPE_FD: {
 if (obj.cookie != 0) { // owned
 if (outAshmemSize != NULL) {
- int size = ashmem_get_size_region(obj.handle);
- if (size > 0) {
- *outAshmemSize -= size;
+ struct stat st;
+ int ret = fstat(obj.handle, &st);
+ if (!ret && S_ISCHR(st.st_mode)) {
+ int size = ashmem_get_size_region(obj.handle);
+ if (size > 0) {
+ *outAshmemSize -= size;
+ }
+ }
 }
 }
 close(obj.handle);
-- cgit v1.1
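Review bot: The `S_ISCHR(st.st_mode)` test in the BINDER_TYPE_FD case of acquire_object still lets an fd for any character device reach `ashmem_get_size_region(obj.handle)`, so a descriptor received in a parcel that belongs to some other driver is still queried as if it were ashmem; the commit message itself notes that `st_rdev` is not compared with /dev/ashmem. I would move the test into one helper that also compares `st.st_rdev` with the device number of /dev/ashmem, and call it from here and from the identical block in release_object (third hunk) so the two checks cannot drift apart. The sketch below stats /dev/ashmem on every call and treats a failure of either stat as "not ashmem"; caching the device number is a possible refinement. acquire_object starts and ends outside the hunk.

```cpp
// Returns true only when fd is a character device whose device number
// matches /dev/ashmem; any stat failure is treated as "not ashmem".
static bool is_ashmem_fd(int fd)
{
    struct stat fdStat;
    if (fstat(fd, &fdStat) != 0 || !S_ISCHR(fdStat.st_mode)) {
        return false;
    }
    struct stat devStat;
    if (stat("/dev/ashmem", &devStat) != 0) {
        return false;
    }
    return fdStat.st_rdev == devStat.st_rdev;
}

// … unchanged: acquire_object up to case BINDER_TYPE_FD …
            if ((obj.cookie != 0) && (outAshmemSize != NULL)) {
                if (is_ashmem_fd(obj.handle)) {
                    // … unchanged: ashmem_get_size_region accounting …
```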
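Review bot: In release_object the amount subtracted is re-read from the fd at release time rather than remembered from acquire_object, and `*outAshmemSize -= size;` has no lower bound, so the counter ends up skewed if the size differs between the two calls or if `fstat` fails on only one of them. The type of `*outAshmemSize` is not visible in this hunk; if it is unsigned, subtracting more than was added wraps to a very large value. Assuming a `size_t` counter, a clamp such as `*outAshmemSize -= ((size_t)size < *outAshmemSize) ? (size_t)size : *outAshmemSize;` keeps the accounting from going below zero. I would also add a comment above the new `fstat` call, as the acquire side has, saying that the check only filters out non-character-device fds such as sockets. release_object continues outside the hunk.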