minigbm: cros_gralloc: remove unnecessary information from handle

Only include information needed to import in the handle. We
were previously including the address space of another process in
the handle, which is a potential security risk.

BUG=chromium:616275
TEST=arc-cros-gralloc works on oak, minnie, cyan
CQ-DEPEND=CL:416399

Change-Id: I10230053e305865db0dde26a596403ec0b9e4f4c
Reviewed-on: https://chromium-review.googlesource.com/416400
Commit-Ready: Gurchetan Singh <gurchetansingh@chromium.org>
Tested-by: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>

diff --git a/cros_gralloc/cros_alloc_device.cc b/cros_gralloc/cros_alloc_device.cc
index 9f70dd4..5405744 100644 (file)
--- a/cros_gralloc/cros_alloc_device.cc
+++ b/cros_gralloc/cros_alloc_device.cc
@@ -95,7 +95,6 @@ static struct cros_gralloc_handle *cros_gralloc_handle_from_bo(struct bo *bo)
        hnd->format = drv_bo_get_format(bo);
 
        hnd->magic = cros_gralloc_magic();
-       hnd->registrations = 0;
 
        hnd->pixel_stride = hnd->strides[0];
        hnd->pixel_stride /= drv_stride_from_format(hnd->format, 1, 0);
@@ -117,10 +116,10 @@ static int cros_gralloc_alloc(alloc_device_t *dev, int w, int h, int format,
        hnd->droid_format = static_cast<int32_t>(format);
        hnd->usage = static_cast<int32_t>(usage);
 
-       hnd->bo = reinterpret_cast<uint64_t>(bo);
+       mod->handles[hnd].registrations = 0;
+       mod->handles[hnd].bo = bo;
        bo->hnd = hnd;
 
-       mod->handles.insert(reinterpret_cast<uint64_t>(&hnd->base));
        mod->buffers[drv_bo_get_plane_handle(bo->bo, 0).u32] = bo;
 
        *stride = static_cast<int>(hnd->pixel_stride);
@@ -146,7 +145,7 @@ static int cros_gralloc_free(alloc_device_t *dev, buffer_handle_t handle)
                return CROS_GRALLOC_ERROR_BAD_HANDLE;
        }
 
-       if (hnd->registrations > 0) {
+       if (mod->handles[hnd].registrations > 0) {
                cros_gralloc_error("Deallocating before unregistering.");
                return CROS_GRALLOC_ERROR_BAD_HANDLE;
        }

diff --git a/cros_gralloc/cros_gralloc.h b/cros_gralloc/cros_gralloc.h
index 796f4f7..6cd98dd 100644 (file)
--- a/cros_gralloc/cros_gralloc.h
+++ b/cros_gralloc/cros_gralloc.h
@@ -20,11 +20,16 @@ struct cros_gralloc_bo {
        void *map_data;
 };
 
+struct handle_info {
+       cros_gralloc_bo *bo;
+       int32_t registrations;
+};
+
 struct cros_gralloc_module {
        gralloc_module_t base;
        struct driver *drv;
        std::mutex mutex;
-       std::unordered_set<uint64_t> handles;
+       std::unordered_map<cros_gralloc_handle*, handle_info> handles;
        std::unordered_map<uint32_t, cros_gralloc_bo*> buffers;
 };
 

diff --git a/cros_gralloc/cros_gralloc_handle.h b/cros_gralloc/cros_gralloc_handle.h
index 1920df3..63b9da9 100644 (file)
--- a/cros_gralloc/cros_gralloc_handle.h
+++ b/cros_gralloc/cros_gralloc_handle.h
@@ -31,11 +31,6 @@ struct cros_gralloc_handle {
        uint32_t pixel_stride;
        int32_t droid_format;
        int32_t usage;              /* Android usage. */
-       uint64_t bo;                /* Pointer to cros_gralloc_bo. */
-       int32_t registrations;      /*
-                                    * Number of times (*register)() has been
-                                    * called on this handle.
-                                    */
 };
 
 #endif

diff --git a/cros_gralloc/cros_gralloc_module.cc b/cros_gralloc/cros_gralloc_module.cc
index 220e772..470648c 100644 (file)
--- a/cros_gralloc/cros_gralloc_module.cc
+++ b/cros_gralloc/cros_gralloc_module.cc
@@ -13,12 +13,10 @@ int cros_gralloc_validate_reference(struct cros_gralloc_module *mod,
                                    struct cros_gralloc_handle *hnd,
                                    struct cros_gralloc_bo **bo)
 {
-       uint64_t key = reinterpret_cast<uint64_t>(&hnd->base);
-
-       if (!mod->handles.count(key))
+       if (!mod->handles.count(hnd))
                return CROS_GRALLOC_ERROR_BAD_HANDLE;
 
-       *bo = reinterpret_cast<cros_gralloc_bo*>(hnd->bo);
+       *bo = mod->handles[hnd].bo;
        return CROS_GRALLOC_ERROR_NONE;
 }
 
@@ -35,6 +33,7 @@ int cros_gralloc_decrement_reference_count(struct cros_gralloc_module *mod,
                drv_bo_destroy(bo->bo);
 
                if (bo->hnd) {
+                       mod->handles.erase(bo->hnd);
                        native_handle_close(&bo->hnd->base);
                        delete bo->hnd;
                }
@@ -68,7 +67,7 @@ static int cros_gralloc_register_buffer(struct gralloc_module_t const* module,
 
        if (!cros_gralloc_validate_reference(mod, hnd, &bo)) {
                bo->refcount++;
-               hnd->registrations++;
+               mod->handles[hnd].registrations++;
                return CROS_GRALLOC_ERROR_NONE;
        }
 
@@ -80,7 +79,6 @@ static int cros_gralloc_register_buffer(struct gralloc_module_t const* module,
        if (mod->buffers.count(id)) {
                bo = mod->buffers[id];
                bo->refcount++;
-               hnd->bo = reinterpret_cast<uint64_t>(bo);
        } else {
                struct drv_import_fd_data data;
                size_t num_planes = drv_num_planes_from_format(hnd->format);
@@ -110,11 +108,10 @@ static int cros_gralloc_register_buffer(struct gralloc_module_t const* module,
                mod->buffers[id] = bo;
 
                bo->refcount = 1;
-               hnd->bo = reinterpret_cast<uint64_t>(bo);
        }
 
-       hnd->registrations = 1;
-       mod->handles.insert(reinterpret_cast<uint64_t>(&hnd->base));
+       mod->handles[hnd].bo = bo;
+       mod->handles[hnd].registrations = 1;
 
        return CROS_GRALLOC_ERROR_NONE;
 }
@@ -137,15 +134,15 @@ static int cros_gralloc_unregister_buffer(struct gralloc_module_t const* module,
                return CROS_GRALLOC_ERROR_BAD_HANDLE;
        }
 
-       if (hnd->registrations <= 0) {
+       if (mod->handles[hnd].registrations <= 0) {
                cros_gralloc_error("Handle not registered.");
                return CROS_GRALLOC_ERROR_BAD_HANDLE;
        }
 
-       hnd->registrations--;
+       mod->handles[hnd].registrations--;
 
-       if (!hnd->registrations)
-               mod->handles.erase(reinterpret_cast<uint64_t>(&hnd->base));
+       if (!mod->handles[hnd].registrations)
+               mod->handles.erase(hnd);
 
        return cros_gralloc_decrement_reference_count(mod, bo);
 }