mapMemory: Do not map if size is > SIZE_MAX Bug: 79376389 Test: hidl_test Test: POC in bug Change-Id: Ibaced858aa07bfd7ab6e938cc1339b974b0de14f Merged-In: Ibaced858aa07bfd7ab6e938cc1339b974b0de14f

commit: 694bd8d1b43b9e60623cb3d5bd3f21662680dd7c [log] [tgz]
author: Yifan Hong <[email protected]> Fri May 11 14:19:42 2018 -0700
committer: Yifan Hong <[email protected]> Mon May 14 20:53:13 2018 +0000
tree: 3307c0fd2951f5fc6ee32575c55c35814a89a270
parent: 3671d6c58e6fba347a096391586da957c5d15143 [diff] [blame]
diff --git a/libhidlmemory/mapping.cpp b/libhidlmemory/mapping.cpp
index 3cb6485..8f0bcf4 100644
--- a/libhidlmemory/mapping.cpp
+++ b/libhidlmemory/mapping.cpp

@@ -24,6 +24,7 @@
 #include <android-base/logging.h>
 #include <android/hidl/memory/1.0/IMapper.h>
 #include <hidl/HidlSupport.h>
+#include <log/log.h>
 
 using android::sp;
 using android::hidl::memory::V1_0::IMemory;
@@ -63,6 +64,15 @@
         return nullptr;
     }
 
+    // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+    // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+    // but the mapped memory's actual size will be smaller than the reported size.
+    if (memory.size() > SIZE_MAX) {
+        LOG(ERROR) << "Cannot map " << memory.size() << " bytes of memory because it is too large.";
+        android_errorWriteLog(0x534e4554, "79376389");
+        return nullptr;
+    }
+
     Return<sp<IMemory>> ret = mapper->mapMemory(memory);
 
     if (!ret.isOk()) {
commit	694bd8d1b43b9e60623cb3d5bd3f21662680dd7c	[log] [tgz]
author	Yifan Hong <[email protected]>	Fri May 11 14:19:42 2018 -0700
committer	Yifan Hong <[email protected]>	Mon May 14 20:53:13 2018 +0000
tree	3307c0fd2951f5fc6ee32575c55c35814a89a270
parent	3671d6c58e6fba347a096391586da957c5d15143 [diff] [blame]