I've merged the patch from here: https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091 to the Replicant sources and successfully recompiled Replicant after that for my device.

After flashing the patched Replicant, I've tested my production device for several weeks without any misbehavior. And of course I have successfully checked that Replicant isn't vulnerable to the "GraphicBuffer overflow vulnerability - CVE-2015-1474" anymore.

Ticket reference (Bug #1251): http://redmine.replicant.us/issues/1251
Please review the attached patch and apply it if you like.
From f646417e25194d7d1bbea7e12f35c5132d3c712f Mon Sep 17 00:00:00 2001
From: Michael Lentine <[email protected]>
Date: Fri, 31 Oct 2014 15:25:03 -0700
Subject: [PATCH] Fix for corruption when numFds or numInts is too large.

Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89a4b77fc75eb85a3c1c700da3621c0118)
Signed-off-by: Michael Lentine <[email protected]>
Signed-off-by: Moritz Bandemer <[email protected]>
---
 libs/ui/GraphicBuffer.cpp | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 219375e..4069fbc 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -272,10 +272,20 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
     const size_t numFds  = buf[6];
     const size_t numInts = buf[7];
 
+    const size_t maxNumber = UINT_MAX / sizeof(int);
+    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+        width = height = stride = format = usage = 0;
+        handle = NULL;
+        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+                numFds, numInts);
+        return BAD_VALUE;
+    }
+
+
     const size_t sizeNeeded = (8 + numInts) * sizeof(int);
     if (size < sizeNeeded) return NO_MEMORY;
 
-    size_t fdCountNeeded = 0;
+    size_t fdCountNeeded = numFds;
     if (count < fdCountNeeded) return NO_MEMORY;
 
     if (handle) {
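Review bot: the ALOGE in the new bounds check prints `numFds` and `numInts`, both declared `const size_t` just above, with `%d`; use `%zu` (or cast to `unsigned`) so the message is correct on 64-bit builds and does not trigger format warnings. The magic `10` in `numInts >= (maxNumber - 10)` would be clearer with a one-line comment tying it to the `(8 + numInts) * sizeof(int)` computation that follows, and the two added blank lines after the closing `}` leave a double blank line that can be trimmed to one. The one-word change of `fdCountNeeded` from `0` to `numFds` is the substantive part of this hunk: with `0` the `if (count < fdCountNeeded)` check could never fail, so the later `memcpy(h->data, fds, numFds*sizeof(int))` was free to read past the caller's fd array.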
@@ -290,6 +300,12 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
         format = buf[4];
         usage  = buf[5];
         native_handle* h = native_handle_create(numFds, numInts);
+        if (!h) {
+            width = height = stride = format = usage = 0;
+            handle = NULL;
+            ALOGE("unflatten: native_handle_create failed");
+            return NO_MEMORY;
+        }
         memcpy(h->data,          fds,     numFds*sizeof(int));
         memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
         handle = h;
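Review bot: the NULL check after `native_handle_create` closes the remaining crash path (previously a failed allocation led straight into `memcpy(h->data, ...)` through a null pointer), and returning `NO_MEMORY` matches the convention the function already uses for its size checks. The reset sequence `width = height = stride = format = usage = 0; handle = NULL;` now appears verbatim in two failure paths within the same function; consider a small static helper or a single error label so the two paths cannot drift apart when more fields are added.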
-- 
1.9.1

_______________________________________________
Replicant mailing list
[email protected]
http://lists.osuosl.org/mailman/listinfo/replicant