Merge cherrypicks of [15172584, 15172286, 15172594, 15172385, 15172631, 15172632, 15172633, 15172634, 15171221, 15171222, 15171223, 15171541, 15171542, 15171668, 15172342, 15170823, 15170824, 15170825, 15170826, 15170827, 15170828, 15170829, 15172650, 15172651, 15172652, 15172653, 15172654, 15172655, 15172656, 15172657, 15172658, 15172659, 15172660, 15172661, 15172386, 15172387, 15172388, 15172389, 15172670, 15172553, 15172589, 15172343, 15172617, 15172618, 15172619, 15172620, 15172690, 15172691, 15172692, 15172693, 15172694, 15172695, 15172696, 15172697, 15171708, 15171709, 15172554, 15172555, 15172710, 15172621, 15172635, 15172636, 15172698, 15172699, 15172700, 15171543, 15172701, 15172702, 15172703, 15172704, 15171669, 15172622] into rvc-d2-release
Change-Id: I0e8ff6d351dd19e1db834d86b725585fd766f3fa
diff --git a/Parcel.cpp b/Parcel.cpp
index f1d6dbd..2c6bf5d 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1342,6 +1342,19 @@
static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
return false;
}
+
+ binder_buffer_object *parentBuffer =
+ reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
+ void* bufferInParent = *reinterpret_cast<void**>(
+ reinterpret_cast<uint8_t*>(parentBuffer->buffer) + parentOffset);
+ void* childBuffer = reinterpret_cast<void*>(buffer_obj->buffer);
+
+ if (bufferInParent != childBuffer) {
+ ALOGE("Buffer in parent %p differs from embedded buffer %p",
+ bufferInParent, childBuffer);
+ android_errorWriteLog(0x534e4554, "179289794");
+ return false;
+ }
}
return true;
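Review bot: The read at `*reinterpret_cast<void**>(reinterpret_cast<uint8_t*>(parentBuffer->buffer) + parentOffset)` assumes parentOffset plus sizeof(void*) still lies inside the parent buffer, and the only bound visible in this hunk is the comparison of parentOffset with buffer_obj->parent_offset just above it, not a check against the parent's length; if that bound is guaranteed elsewhere (presumably by the kernel when it fixes up the parent pointer), a comment saying so would spare the next reader from re-deriving it, e.g. `// parentOffset equals buffer_obj->parent_offset here; relies on that offset having been bounds-checked against the parent buffer before the pointer was fixed up — TODO confirm`. The same parentBuffer/bufferInParent computation is repeated in the hunk at @@ -1427 for the nullable-handle path, so a small private helper such as `void* bufferPointerInParent(size_t parent, size_t parentOffset) const` would keep the two validations in step. The enclosing function begins outside the hunk.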
@@ -1427,12 +1440,31 @@
size_t parent_buffer_handle,
size_t parent_offset) const
{
- status_t status;
uint64_t nativeHandleSize;
- size_t fdaParent;
+ status_t status = readUint64(&nativeHandleSize);
+ if (status != OK) {
+ return BAD_VALUE;
+ }
- status = readUint64(&nativeHandleSize);
- if (status != OK || nativeHandleSize == 0) {
+ if (nativeHandleSize == 0) {
+ // If !embedded, then parent_* vars are 0 and don't actually correspond
+ // to anything. In that case, we're actually reading this data into
+ // writable memory, and the handle returned from here will actually be
+ // used (rather than be ignored).
+ if (embedded) {
+ binder_buffer_object *parentBuffer =
+ reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent_buffer_handle]);
+
+ void* bufferInParent = *reinterpret_cast<void**>(
+ reinterpret_cast<uint8_t*>(parentBuffer->buffer) + parent_offset);
+
+ if (bufferInParent != nullptr) {
+ ALOGE("Buffer in (handle) parent %p is not nullptr.", bufferInParent);
+ android_errorWriteLog(0x534e4554, "179289794");
+ return BAD_VALUE;
+ }
+ }
+
*handle = nullptr;
return status;
}
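Review bot: `return status;` at the end of the nativeHandleSize == 0 branch can only ever return OK, because a non-OK status has already returned BAD_VALUE a few lines earlier, so `return OK;` would state the outcome directly rather than making the reader trace status back. The comment above `if (embedded)` explains the !embedded case but not what the new check enforces; a line such as `// For an embedded handle, a zero size must be matched by a null pointer in the parent; anything else means the two disagree` would name the invariant that the `bufferInParent != nullptr` test rejects. Both the function's signature and the remainder of its body lie outside this hunk.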
@@ -1442,6 +1474,7 @@
return BAD_VALUE;
}
+ size_t fdaParent;
if (embedded) {
status = readNullableEmbeddedBuffer(nativeHandleSize, &fdaParent,
parent_buffer_handle, parent_offset,