verify embedded buffer matches address in parent

Below is a diagram showing what scatter gather would look like where we
have one reference to a buffer, and then we have a single embedded
buffer. For instance, 'a1' might be the hidl_vec object and 'a2' might
be the data pointer in this object. In practice, there might be
arbitrarily many levels (this happens when structures contain vectors
which contain structures, etc.).

   legend:
      "...." - random data we don't care about
      "|" - some position in the data
      "<a#>" - some constant address

   offsets into Parcel's mData:
    .....|....<a1>....|.....|....<a2>....|.....
         ^    ^             ^    ^
         |    |             |    \- 'buffer' field of structure
         |    |             |
         |    |             |  (binder object structure)
         |    |             \- mObjects[child]
         |    |
         |    \- binder object structure 'buffer' field
         |
         \- mObjects[parent] (binder object structure)

    kernel-owned ro buffer @ address a1 ('parent' buffer)
      .......<a3>....................
             ^
             \- parent buffer as address + parent offset
                (in the example, this would be the data field
                 of hidl_vec. This should be a2).

    kernel-owned ro buffer @ address a2 ('child' buffer)
      ............................
             (any random data)

What was happening here was that by maliciously constructing
mObjects[child] to be null, there would be no child object, so the
kernel wouldn't know to fix up the embedded buffer (<a3>) and it
would be unchanged.

Bug: 179289794
Test: repro w/ POC, and this fixes it
Test: hidl_test
Change-Id: Ia26e0fc902510b90ce5bbd55343fa6ded8e4fcf5
(cherry picked from commit 25614cbc380db86cc3842ac1886b55d92c913e4d)
(cherry picked from commit fcd86bd0d1b4cfea480a2682c354fb40039f0727)
1 file changed
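
An added example, not code from this commit or from the project: a simplified model of the check named in the subject line, where the receiver accepts the pointer embedded in the parent buffer only when it equals the address of the child buffer that was actually transferred. `BufferObject`, `Check`, `verifyEmbedded` and `runSample` are hypothetical names, the buffers are constructed sample data, and rejecting a missing child is an assumption of this model.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Simplified stand-in for one scatter-gather buffer object (hypothetical,
// not the real binder object structure).
struct BufferObject {
    const uint8_t* buffer;  // where the receiver sees this buffer
    size_t length;          // size of the buffer in bytes
};

enum class Check { Ok, NoChild, BadOffset, Mismatch };

// Accept the pointer embedded in `parent` at `parentOffset` only if it is
// exactly the address of the child buffer that was actually transferred.
Check verifyEmbedded(const BufferObject& parent, size_t parentOffset,
                     const BufferObject* child) {
    if (child == nullptr) return Check::NoChild;  // nothing was fixed up
    if (parent.length < sizeof(uintptr_t) ||
        parentOffset > parent.length - sizeof(uintptr_t)) {
        return Check::BadOffset;  // embedded field would overrun the parent
    }
    uintptr_t embedded;  // memcpy avoids an unaligned pointer read
    std::memcpy(&embedded, parent.buffer + parentOffset, sizeof(embedded));
    return embedded == reinterpret_cast<uintptr_t>(child->buffer)
               ? Check::Ok : Check::Mismatch;
}

// Constructed sample: a 32-byte parent with its embedded pointer at offset 8.
Check runSample(bool fixedUp, bool haveChild, size_t offset = 8) {
    static const uint8_t childData[16] = {};
    uint8_t parentData[32] = {};
    // Either the fixed-up address of the child or a sender-chosen constant.
    uintptr_t stored = fixedUp ? reinterpret_cast<uintptr_t>(&childData[0])
                               : static_cast<uintptr_t>(0x1000);
    std::memcpy(parentData + 8, &stored, sizeof(stored));
    BufferObject parent{parentData, sizeof(parentData)};
    BufferObject child{childData, sizeof(childData)};
    return verifyEmbedded(parent, offset, haveChild ? &child : nullptr);
}

int main() {
    bool ok = runSample(true, true) == Check::Ok &&
              runSample(false, true) == Check::Mismatch &&
              runSample(false, false) == Check::NoChild &&
              runSample(true, true, 30) == Check::BadOffset;
    return ok ? 0 : 1;
}
```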