diff options
author | Mark Salyzyn <salyzyn@google.com> | 2018-03-13 11:06:38 -0700 |
---|---|---|
committer | Mark Salyzyn <salyzyn@google.com> | 2018-03-14 07:26:20 -0700 |
commit | fec2e2c783ff95c1cc42f5f8474e54d9602f713d (patch) | |
tree | 2dc404983f5b3821a0ba1b2aaffdee954b95e1d9 /logd | |
parent | 84379567d3c7d9df0d05b9f02093b1548563450a (diff) | |
download | system_core-fec2e2c783ff95c1cc42f5f8474e54d9602f713d.tar.gz system_core-fec2e2c783ff95c1cc42f5f8474e54d9602f713d.tar.bz2 system_core-fec2e2c783ff95c1cc42f5f8474e54d9602f713d.zip |
logd: identical check access message data out of range
(cherry pick from commit 22712428b825951e8a4b38f0482a7cc397e5cd78)
Discovered while running AddressSanitizer, binary events were fed
into logd that were smaller than the binary event string header.
Fix is to check the buffer sizes before performing the memcmp
operation.
Test: compile
Bug: 74574189
Change-Id: Ic01ef6fb0725258d9f39bbdca582ed648a1adc5d
Diffstat (limited to 'logd')
-rw-r--r-- | logd/LogBuffer.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/logd/LogBuffer.cpp b/logd/LogBuffer.cpp index b8af2f09b..a78319ff4 100644 --- a/logd/LogBuffer.cpp +++ b/logd/LogBuffer.cpp @@ -171,7 +171,9 @@ static enum match_type identical(LogBufferElement* elem, } // audit message (except sequence number) identical? - if (last->isBinary()) { + if (last->isBinary() && + (lenl > static_cast<ssize_t>(sizeof(android_log_event_string_t))) && + (lenr > static_cast<ssize_t>(sizeof(android_log_event_string_t)))) { if (fastcmp<memcmp>(msgl, msgr, sizeof(android_log_event_string_t) - sizeof(int32_t))) { return DIFFERENT; |