From 39fdbd097a147b5c719dac9ad2759e6c44eb3a4e Mon Sep 17 00:00:00 2001 From: Kevin Rocard Date: Mon, 13 Nov 2017 11:15:27 -0800 Subject: [PATCH] IAudioPolicyService: Add attribute tags sanitization When audio_attributes_t was read from the binder parcel, the string tags field was copied without checking that it contained a '\0'. This could lead to read past the end when tags were used. This patch always adds a '\0' at the end of the buffer when deserializing. Bug: 68953950 Test: manual playback/record Test: send binder payload without \0 in tags attribute, check that only AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1 char are printed. Change-Id: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934 Merged-In: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934 Signed-off-by: Kevin Rocard --- media/libaudioclient/IAudioPolicyService.cpp | 12 ++++++++++++ .../include/media/IAudioPolicyService.h | 2 ++ 2 files changed, 14 insertions(+) diff --git a/media/libaudioclient/IAudioPolicyService.cpp b/media/libaudioclient/IAudioPolicyService.cpp index ceba211466..d838975fba 100644 --- a/media/libaudioclient/IAudioPolicyService.cpp +++ b/media/libaudioclient/IAudioPolicyService.cpp @@ -960,6 +960,7 @@ status_t BnAudioPolicyService::onTransact( bool hasAttributes = data.readInt32() != 0; if (hasAttributes) { data.read(&attr, sizeof(audio_attributes_t)); + sanetizeAudioAttributes(&attr); } audio_session_t session = (audio_session_t)data.readInt32(); audio_stream_type_t stream = AUDIO_STREAM_DEFAULT; @@ -1025,6 +1026,7 @@ status_t BnAudioPolicyService::onTransact( CHECK_INTERFACE(IAudioPolicyService, data, reply); audio_attributes_t attr; data.read(&attr, sizeof(audio_attributes_t)); + sanetizeAudioAttributes(&attr); audio_io_handle_t input = (audio_io_handle_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); pid_t pid = (pid_t)data.readInt32(); @@ -1400,6 +1402,7 @@ status_t BnAudioPolicyService::onTransact( data.read(&source, sizeof(struct audio_port_config)); audio_attributes_t attributes; data.read(&attributes, sizeof(audio_attributes_t)); + sanetizeAudioAttributes(&attributes); audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; status_t status = startAudioSource(&source, &attributes, &handle); reply->writeInt32(status); @@ -1450,6 +1453,15 @@ status_t BnAudioPolicyService::onTransact( } } +void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr) +{ + const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE; + if (strnlen(attr->tags, tagsMaxSize) >= tagsMaxSize) { + android_errorWriteLog(0x534e4554, "68953950"); // SafetyNet logging + } + attr->tags[tagsMaxSize - 1] = '\0'; +} + // ---------------------------------------------------------------------------- } // namespace android diff --git a/media/libaudioclient/include/media/IAudioPolicyService.h b/media/libaudioclient/include/media/IAudioPolicyService.h index 9b3e35ea57..60ba4ba28b 100644 --- a/media/libaudioclient/include/media/IAudioPolicyService.h +++ b/media/libaudioclient/include/media/IAudioPolicyService.h @@ -183,6 +183,8 @@ public: const Parcel& data, Parcel* reply, uint32_t flags = 0); +private: + void sanetizeAudioAttributes(audio_attributes_t* attr); }; // ----------------------------------------------------------------------------