Fix vulnerability in MemoryIntArray
MemoryIntArray was using the size of the undelying ashmem region to mmap the data but the ashmem size can be changed until the former is memory mapped. Since we use the ashmem region size for boundary checking and memory unmapping if it does not match the size used while mapping an attacker can force the system to unmap memory or to access undefined memory and crash. Also we were passing the memory address where the ashmem region is mapped in the owner process to support cases where the client can pass back the MemoryIntArray instance. This allows an attacker to put invalid address and cause arbitrary memory to be freed. Now we no longer support passing back the instance to the owner process (the passed back instance is read only), so no need to pass the memory adress of the owner's mapping, thus not allowing freeing arbitrary memory. Further, we now check the memory mapped size against the size of the underlying ashmem region after we do the memory mapping (to fix the ahsmem size) and if an attacker changed the size under us we throw. Tests: Updated the tests and they pass. bug:33039926 bug:33042690 Change-Id: Ie267646eb88014034fbd048d7a9bc273420c7eff
Loading
Please register or sign in to comment