Google Git
Sign in
android / platform / hardware / google / gfxstream / e135221ec26533d7f00fe27d762511d2e72aab8f^! / . / system / vulkan_enc / ResourceTracker.cpp
commite135221ec26533d7f00fe27d762511d2e72aab8f[log] [tgz]
authorYilong Li <[email protected]>Thu May 19 16:26:11 2022 -0700
committerYilong Li <[email protected]>Thu May 19 16:28:52 2022 -0700
tree3fa7ec66a51d95ad859a2e066e54d3619e587aaf
parent1033564fb898109ae05bf71274951557cd15f9e3 [diff] [blame]
vulkan: vkBindImageMemory() should filter invalid inputs.

In vkBindImageMemory(), if VkImage / VkMemory is null or
invalid handle, it could crash the host emulator. Instead
we would like to return an error value so that the guest
could exit gracefully.

Bug: fxbug.dev/93576
Change-Id: Iabd9eebead37dffb902ffc237adf66406edea5ec

diff --git a/system/vulkan_enc/ResourceTracker.cpp b/system/vulkan_enc/ResourceTracker.cpp
index ed6374b..eafea8f 100644
--- a/system/vulkan_enc/ResourceTracker.cpp
+++ b/system/vulkan_enc/ResourceTracker.cpp

@@ -27,6 +27,7 @@
 
 #include "../OpenglSystemCommon/EmulatorFeatureInfo.h"
 #include "../OpenglSystemCommon/HostConnection.h"
+#include "vulkan/vulkan_core.h"
 
 /// Use installed headers or locally defined Fuchsia-specific bits
 #ifdef VK_USE_PLATFORM_FUCHSIA
@@ -5965,6 +5966,11 @@
         VkDevice device, VkImage image, VkDeviceMemory memory,
         VkDeviceSize memoryOffset) {
         VkEncoder* enc = (VkEncoder*)context;
+        // Do not forward calls with invalid handles to host.
+        if (info_VkDeviceMemory.find(memory) == info_VkDeviceMemory.end() ||
+            info_VkImage.find(image) == info_VkImage.end()) {
+            return VK_ERROR_OUT_OF_DEVICE_MEMORY;
+        }
         return enc->vkBindImageMemory(device, image, memory, memoryOffset, true /* do lock */);
     }
 
@@ -5972,6 +5978,13 @@
         void* context, VkResult,
         VkDevice device, uint32_t bindingCount, const VkBindImageMemoryInfo* pBindInfos) {
         VkEncoder* enc = (VkEncoder*)context;
+        // Do not forward calls with invalid handles to host.
+        if (!pBindInfos ||
+            info_VkDeviceMemory.find(pBindInfos->memory) ==
+                info_VkDeviceMemory.end() ||
+            info_VkImage.find(pBindInfos->image) == info_VkImage.end()) {
+            return VK_ERROR_OUT_OF_DEVICE_MEMORY;
+        }
         return enc->vkBindImageMemory2(device, bindingCount, pBindInfos, true /* do lock */);
     }
 
@@ -5979,6 +5992,13 @@
         void* context, VkResult,
         VkDevice device, uint32_t bindingCount, const VkBindImageMemoryInfo* pBindInfos) {
         VkEncoder* enc = (VkEncoder*)context;
+        // Do not forward calls with invalid handles to host.
+        if (!pBindInfos ||
+            info_VkDeviceMemory.find(pBindInfos->memory) ==
+                info_VkDeviceMemory.end() ||
+            info_VkImage.find(pBindInfos->image) == info_VkImage.end()) {
+            return VK_ERROR_OUT_OF_DEVICE_MEMORY;
+        }
         return enc->vkBindImageMemory2KHR(device, bindingCount, pBindInfos, true /* do lock */);
     }