authorBaldev Sahu <quic_c_bsahu@quicinc.com>2022-03-17 11:10:58 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2022-04-22 18:21:17 -0700
commit478d48f33581f55b5689be5e392b252cca554c6b (patch)
tree3ecbdc2a46fa5dfe3cda427787d17c0193772027
parent1b7aa2b630912174d23c39edd0b265bdfc154585 (diff)
gralloc: Fix issue with mmap/munmap meta due to reserved size
Fix a possible security issue that can occur if a client changes the reserved size in the metadata, which can cause munmap to be called with the wrong size. Change-Id: I5d2b55272d1b5df217e71c45ecdece9ed9eaae97
-rw-r--r--gralloc/QtiGrallocPriv.h46
-rw-r--r--gralloc/gr_priv_handle.h46
2 files changed, 86 insertions, 6 deletions
diff --git a/gralloc/QtiGrallocPriv.h b/gralloc/QtiGrallocPriv.h
index 9d04903b..3c9bbaec 100644
--- a/gralloc/QtiGrallocPriv.h
+++ b/gralloc/QtiGrallocPriv.h
@@ -27,6 +27,43 @@
* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+* Changes from Qualcomm Innovation Center are provided under the following license:
+*
+* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted (subject to the limitations in the
+* disclaimer below) provided that the following conditions are met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of Qualcomm Innovation Center, Inc. nor the
+* names of its contributors may be used to endorse or promote
+* products derived from this software without specific prior
+* written permission.
+*
+* NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S PATENT RIGHTS ARE
+* GRANTED BY THIS LICENSE. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
+* HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+* IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+* IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
#ifndef __QTIGRALLOCPRIV_H__
#define __QTIGRALLOCPRIV_H__
@@ -131,6 +168,7 @@ struct private_handle_t : public native_handle_t {
uint64_t base;
uint64_t base_metadata;
uint64_t gpuaddr;
+ unsigned int reserved_size;
static const int kNumFds = 2;
static const int kMagic = 'gmsm';
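Review bot: The new `reserved_size` member has no comment saying what it measures or who may write it, and it sits in a struct that is passed between processes as a `native_handle` under the packing closed by `#pragma pack(pop)` further down, so its position is part of the cross-process layout. Going by the commit message it is meant to be a per-handle copy of the reserved metadata size that map/unmap can use instead of the value in the shared metadata; I would state that on the field, e.g. `// Reserved metadata region size in bytes, set once at allocation; use this, not the shared metadata, for mmap/munmap lengths.` The same field is added at the same position in gralloc/gr_priv_handle.h, and since the two definitions have to stay identical, a `static_assert` on `sizeof(private_handle_t)` in each header would catch drift. The struct body starts and ends outside this hunk.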
@@ -158,7 +196,8 @@ struct private_handle_t : public native_handle_t {
offset_metadata(0),
base(0),
base_metadata(0),
- gpuaddr(0) {
+ gpuaddr(0),
+ reserved_size(0) {
version = static_cast<int>(sizeof(native_handle));
numInts = NumInts();
numFds = kNumFds;
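Review bot: `reserved_size(0)` is the only place this commit gives the field a value, and neither header shows a constructor parameter or setter for it, so the allocator has to assign it after construction in code outside these two files. If that assignment is missed on any path, unmap would presumably compute the metadata length with a zero reserved size, which is the kind of size mismatch the commit sets out to remove. The value also travels in the handle's int array when a handle is imported from another process, so the import path should check it against the real size of the metadata fd before it feeds a `munmap` length; that code is not visible here. The same initialiser is added in gralloc/gr_priv_handle.h, and the constructor starts and ends outside the hunk.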
@@ -192,9 +231,10 @@ struct private_handle_t : public native_handle_t {
static void Dump(const private_handle_t *hnd) {
ALOGD("handle id:%" PRIu64
" wxh:%dx%d uwxuh:%dx%d size: %d fd:%d fd_meta:%d flags:0x%x "
- "usage:0x%" PRIx64 " format:0x%x layer_count: %d",
+ "usage:0x%" PRIx64 " format:0x%x layer_count: %d reserved_size = %d",
hnd->id, hnd->width, hnd->height, hnd->unaligned_width, hnd->unaligned_height, hnd->size,
- hnd->fd, hnd->fd_metadata, hnd->flags, hnd->usage, hnd->format, hnd->layer_count);
+ hnd->fd, hnd->fd_metadata, hnd->flags, hnd->usage, hnd->format, hnd->layer_count,
+ hnd->reserved_size);
}
};
#pragma pack(pop)
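Review bot: `reserved_size` is declared `unsigned int` but the new format string prints it with `%d`; the specifier should match the type, `"usage:0x%" PRIx64 " format:0x%x layer_count: %d reserved_size = %u",`. A value above INT_MAX would otherwise be logged as negative, which is exactly the case that matters when this log line is used to investigate a corrupted or tampered size. The added text also uses ` = ` where every other field in the line uses `:`, so `reserved_size:%u` would keep the line uniform for log parsing. The identical `Dump` change in gralloc/gr_priv_handle.h has the same mismatch.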
diff --git a/gralloc/gr_priv_handle.h b/gralloc/gr_priv_handle.h
index 98f9f694..a53fdf59 100644
--- a/gralloc/gr_priv_handle.h
+++ b/gralloc/gr_priv_handle.h
@@ -17,6 +17,43 @@
* limitations under the License.
*/
+/*
+* Changes from Qualcomm Innovation Center are provided under the following license:
+*
+* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted (subject to the limitations in the
+* disclaimer below) provided that the following conditions are met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of Qualcomm Innovation Center, Inc. nor the
+* names of its contributors may be used to endorse or promote
+* products derived from this software without specific prior
+* written permission.
+*
+* NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S PATENT RIGHTS ARE
+* GRANTED BY THIS LICENSE. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
+* HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+* IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+* IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
#ifndef __GR_PRIV_HANDLE_H__
#define __GR_PRIV_HANDLE_H__
@@ -92,6 +129,7 @@ struct private_handle_t {
uint64_t base;
uint64_t base_metadata;
uint64_t gpuaddr;
+ unsigned int reserved_size;
#ifdef __cplusplus
static const int kNumFds = 2;
static const int kMagic = 'gmsm';
@@ -120,7 +158,8 @@ struct private_handle_t {
offset_metadata(0),
base(0),
base_metadata(0),
- gpuaddr(0) {
+ gpuaddr(0),
+ reserved_size(0) {
version = static_cast<int>(sizeof(native_handle));
numInts = NumInts();
numFds = kNumFds;
@@ -161,9 +200,10 @@ struct private_handle_t {
static void Dump(const private_handle_t *hnd) {
ALOGD("handle id:%" PRIu64
" wxh:%dx%d uwxuh:%dx%d size: %d fd:%d fd_meta:%d flags:0x%x "
- "usage:0x%" PRIx64 " format:0x%x layer_count: %d",
+ "usage:0x%" PRIx64 " format:0x%x layer_count: %d reserved_size = %d",
hnd->id, hnd->width, hnd->height, hnd->unaligned_width, hnd->unaligned_height, hnd->size,
- hnd->fd, hnd->fd_metadata, hnd->flags, hnd->usage, hnd->format, hnd->layer_count);
+ hnd->fd, hnd->fd_metadata, hnd->flags, hnd->usage, hnd->format, hnd->layer_count,
+ hnd->reserved_size);
}
int GetUnalignedWidth() const { return unaligned_width; }