libcutils: ashmem check fd validity

- collect st_rdev on open, or when required, for /dev/ashmem. - check in all cases if fd is a character device and matches rdev. - requires that we have open, read and write access to /dev/ashmem to check, assumption being that if we can not, then we have no right playing with the associated misdirected file descriptor. NB: ashmem libcutil library entry points can no longer be called in signal context. Bug: 26871259 Change-Id: I9a17e33317a9be795131473a51c16f761b5f7407
author: Mark Salyzyn <salyzyn@google.com> 2016-02-02 08:21:32 -0800
committer: Steve Kondik <steve@cyngn.com> 2016-07-15 12:34:06 -0700
commit: 2895e11453da7afc326864a097ff59833a0bffea (patch)
tree: 19b30dc4ee9f87d469128ebec0312b7cb4028701
parent: b619152148dadeda1acef702420f43c30e7d6d30 (diff)
download: system_core-2895e11453da7afc326864a097ff59833a0bffea.zip
system_core-2895e11453da7afc326864a097ff59833a0bffea.tar.gz
system_core-2895e11453da7afc326864a097ff59833a0bffea.tar.bz2
1 files changed, 107 insertions, 1 deletions
diff --git a/libcutils/ashmem-dev.c b/libcutils/ashmem-dev.c
index a5203e1..77e4d0d 100644
--- a/libcutils/ashmem-dev.c
+++ b/libcutils/ashmem-dev.c
@@ -22,6 +22,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <pthread.h>
 #include <string.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -34,6 +35,89 @@
 
 #define ASHMEM_DEVICE "/dev/ashmem"
 
+/* ashmem identity */
+static dev_t __ashmem_rdev;
+/*
+ * If we trigger a signal handler in the middle of locked activity and the
+ * signal handler calls ashmem, we could get into a deadlock state.
+ */
+static pthread_mutex_t __ashmem_lock = PTHREAD_MUTEX_INITIALIZER;
+
+/* logistics of getting file descriptor for ashmem */
+static int __ashmem_open_locked()
+{
+    int ret;
+    struct stat st;
+
+    int fd = TEMP_FAILURE_RETRY(open(ASHMEM_DEVICE, O_RDWR));
+    if (fd < 0) {
+        return fd;
+    }
+
+    ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
+    if (ret < 0) {
+        int save_errno = errno;
+        close(fd);
+        errno = save_errno;
+        return ret;
+    }
+    if (!S_ISCHR(st.st_mode) || !st.st_rdev) {
+        close(fd);
+        errno = ENOTTY;
+        return -1;
+    }
+
+    __ashmem_rdev = st.st_rdev;
+    return fd;
+}
+
+static int __ashmem_open()
+{
+    int fd;
+
+    pthread_mutex_lock(&__ashmem_lock);
+    fd = __ashmem_open_locked();
+    pthread_mutex_unlock(&__ashmem_lock);
+
+    return fd;
+}
+
+/* Make sure file descriptor references ashmem, negative number means false */
+static int __ashmem_is_ashmem(int fd)
+{
+    dev_t rdev;
+    struct stat st;
+
+    if (TEMP_FAILURE_RETRY(fstat(fd, &st)) < 0) {
+        return -1;
+    }
+
+    if (S_ISCHR(st.st_mode) && st.st_rdev) {
+        pthread_mutex_lock(&__ashmem_lock);
+        rdev = __ashmem_rdev;
+        if (rdev) {
+            pthread_mutex_unlock(&__ashmem_lock);
+        } else {
+            int fd = __ashmem_open_locked();
+            if (fd < 0) {
+                pthread_mutex_unlock(&__ashmem_lock);
+                return -1;
+            }
+            rdev = __ashmem_rdev;
+            pthread_mutex_unlock(&__ashmem_lock);
+
+            close(fd);
+        }
+
+        if (st.st_rdev == rdev) {
+            return 0;
+        }
+    }
+
+    errno = ENOTTY;
+    return -1;
+}
+
 /*
  * ashmem_create_region - creates a new ashmem region and returns the file
  * descriptor, or <0 on error
@@ -45,7 +129,7 @@ int ashmem_create_region(const char *name, size_t size)
 {
     int ret, save_errno;
 
-    int fd = TEMP_FAILURE_RETRY(open(ASHMEM_DEVICE, O_RDWR));
+    int fd = __ashmem_open();
     if (fd < 0) {
         return fd;
     }
@@ -76,22 +160,44 @@ error:
 
 int ashmem_set_prot_region(int fd, int prot)
 {
+    int ret = __ashmem_is_ashmem(fd);
+    if (ret < 0) {
+        return ret;
+    }
+
     return TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_PROT_MASK, prot));
 }
 
 int ashmem_pin_region(int fd, size_t offset, size_t len)
 {
     struct ashmem_pin pin = { offset, len };
+
+    int ret = __ashmem_is_ashmem(fd);
+    if (ret < 0) {
+        return ret;
+    }
+
     return TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_PIN, &pin));
 }
 
 int ashmem_unpin_region(int fd, size_t offset, size_t len)
 {
     struct ashmem_pin pin = { offset, len };
+
+    int ret = __ashmem_is_ashmem(fd);
+    if (ret < 0) {
+        return ret;
+    }
+
     return TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_UNPIN, &pin));
 }
 
 int ashmem_get_size_region(int fd)
 {
+    int ret = __ashmem_is_ashmem(fd);
+    if (ret < 0) {
+        return ret;
+    }
+
     return TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_GET_SIZE, NULL));
 }
author	Mark Salyzyn <salyzyn@google.com>	2016-02-02 08:21:32 -0800
committer	Steve Kondik <steve@cyngn.com>	2016-07-15 12:34:06 -0700
commit	2895e11453da7afc326864a097ff59833a0bffea (patch)
tree	19b30dc4ee9f87d469128ebec0312b7cb4028701
parent	b619152148dadeda1acef702420f43c30e7d6d30 (diff)
download	system_core-2895e11453da7afc326864a097ff59833a0bffea.zip system_core-2895e11453da7afc326864a097ff59833a0bffea.tar.gz system_core-2895e11453da7afc326864a097ff59833a0bffea.tar.bz2