fix ReadRemoteObject security bug.

Signed-off-by: luodonghui <luodonghui@huawei.com>
Change-Id: Ic00f9833273fe6d1c959f50c796c3df0822a544b
luodonghui 2024-10-09 20:19:50 +08:00
parent 2e867da9d4
commit 6c325ba157


@ -1502,21 +1502,18 @@ bool BinderInvoker::FlattenObject(Parcel &parcel, const IRemoteObject *object) c
sptr<IRemoteObject> BinderInvoker::UnflattenObject(Parcel &parcel)
{
#ifndef CONFIG_IPC_SINGLE
auto offset = parcel.GetReadPosition();
dbinder_negotiation_data dbinderData;
bool isDBinderObj = UnFlattenDBinderObject(parcel, dbinderData);
auto offset2 = parcel.GetReadPosition();
if (offset != offset2) {
ZLOGW(LABEL, "offset:%{public}zu offset2:%{public}zu isDBinderObj:%{public}d",
offset, offset2, isDBinderObj);
}
#endif
if (!parcel.CheckOffsets()) {
ZLOGE(LABEL, "Parcel CheckOffsets fail");
return nullptr;
}
const uint8_t *buffer = parcel.ReadBuffer(sizeof(flat_binder_object), false);
if (buffer == nullptr) {
ZLOGE(LABEL, "null object buffer");
return nullptr;
}
IPCProcessSkeleton *current = IPCProcessSkeleton::GetCurrent();
if (current == nullptr) {
return nullptr;
@ -1526,7 +1523,12 @@ sptr<IRemoteObject> BinderInvoker::UnflattenObject(Parcel &parcel)
auto *flat = reinterpret_cast<const flat_binder_object *>(buffer);
switch (flat->hdr.type) {
case BINDER_TYPE_BINDER: {
remoteObject = reinterpret_cast<IRemoteObject *>(flat->cookie);
auto stubObject = reinterpret_cast<IRemoteObject *>(flat->cookie);
if (!current->IsContainsObject(stubObject)) {
ZLOGE(LABEL, "invalid binder cookie:%{public}llu", flat->cookie);
return nullptr;
}
remoteObject = stubObject;
break;
}
case BINDER_TYPE_HANDLE: {
@ -1544,10 +1546,6 @@ sptr<IRemoteObject> BinderInvoker::UnflattenObject(Parcel &parcel)
ZLOGE(LABEL, "unknown binder type:%{public}u", flat->hdr.type);
break;
}
if (!current->IsContainsObject(remoteObject)) {
remoteObject = nullptr;
}
return remoteObject;
}
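Review bot: The rejection path in the BINDER_TYPE_BINDER case, `ZLOGE(LABEL, "invalid binder cookie:%{public}llu", flat->cookie);`, writes the rejected cookie — a raw object address that arrived in the transaction — into the system log, so the very inputs this check exists to refuse become an address disclosure in logs readable by other components; logging only the outcome, e.g. `ZLOGE(LABEL, "invalid binder cookie, object rejected");`, keeps the diagnostic without leaking a pointer value. The `IsContainsObject(stubObject)` test and the following `remoteObject = stubObject;` are not visibly covered by one lock, so if the membership check drops its lock before returning, the stub could be released between the check and the point where the strong reference is taken — worth confirming against IPCProcessSkeleton, or documenting the guarantee in a comment on that line. The trailing IsContainsObject check deleted in the last hunk also covered the BINDER_TYPE_HANDLE path, whose body lies outside this hunk; a one-line comment at the `switch`, such as `// each case validates the object it produces; no check follows the switch`, would make the new invariant explicit for the next reader. UnflattenObject's body begins in the first hunk and the HANDLE case continues past the second.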