From: Gurchetan Singh Date: Mon, 5 Dec 2016 19:02:55 +0000 (-0800) Subject: minigbm: cros_gralloc: remove unnecessary information from handle X-Git-Url: http://git.osdn.net/view?p=android-x86%2Fexternal-minigbm.git;a=commitdiff_plain;h=9cbb435d984b46da53f59337508dd90737866754 minigbm: cros_gralloc: remove unnecessary information from handle Only include information needed to import in the handle. We were previously including the address space of another process in the handle, which is a potential security risk. BUG=chromium:616275 TEST=arc-cros-gralloc works on oak, minnie, cyan CQ-DEPEND=CL:416399 Change-Id: I10230053e305865db0dde26a596403ec0b9e4f4c Reviewed-on: https://chromium-review.googlesource.com/416400 Commit-Ready: Gurchetan Singh Tested-by: Gurchetan Singh Reviewed-by: Stéphane Marchesin --- diff --git a/cros_gralloc/cros_alloc_device.cc b/cros_gralloc/cros_alloc_device.cc index 9f70dd4..5405744 100644 --- a/cros_gralloc/cros_alloc_device.cc +++ b/cros_gralloc/cros_alloc_device.cc @@ -95,7 +95,6 @@ static struct cros_gralloc_handle *cros_gralloc_handle_from_bo(struct bo *bo) hnd->format = drv_bo_get_format(bo); hnd->magic = cros_gralloc_magic(); - hnd->registrations = 0; hnd->pixel_stride = hnd->strides[0]; hnd->pixel_stride /= drv_stride_from_format(hnd->format, 1, 0); @@ -117,10 +116,10 @@ static int cros_gralloc_alloc(alloc_device_t *dev, int w, int h, int format, hnd->droid_format = static_cast(format); hnd->usage = static_cast(usage); - hnd->bo = reinterpret_cast(bo); + mod->handles[hnd].registrations = 0; + mod->handles[hnd].bo = bo; bo->hnd = hnd; - mod->handles.insert(reinterpret_cast(&hnd->base)); mod->buffers[drv_bo_get_plane_handle(bo->bo, 0).u32] = bo; *stride = static_cast(hnd->pixel_stride); @@ -146,7 +145,7 @@ static int cros_gralloc_free(alloc_device_t *dev, buffer_handle_t handle) return CROS_GRALLOC_ERROR_BAD_HANDLE; } - if (hnd->registrations > 0) { + if (mod->handles[hnd].registrations > 0) { cros_gralloc_error("Deallocating before unregistering."); return CROS_GRALLOC_ERROR_BAD_HANDLE; } diff --git a/cros_gralloc/cros_gralloc.h b/cros_gralloc/cros_gralloc.h index 796f4f7..6cd98dd 100644 --- a/cros_gralloc/cros_gralloc.h +++ b/cros_gralloc/cros_gralloc.h @@ -20,11 +20,16 @@ struct cros_gralloc_bo { void *map_data; }; +struct handle_info { + cros_gralloc_bo *bo; + int32_t registrations; +}; + struct cros_gralloc_module { gralloc_module_t base; struct driver *drv; std::mutex mutex; - std::unordered_set handles; + std::unordered_map handles; std::unordered_map buffers; }; diff --git a/cros_gralloc/cros_gralloc_handle.h b/cros_gralloc/cros_gralloc_handle.h index 1920df3..63b9da9 100644 --- a/cros_gralloc/cros_gralloc_handle.h +++ b/cros_gralloc/cros_gralloc_handle.h @@ -31,11 +31,6 @@ struct cros_gralloc_handle { uint32_t pixel_stride; int32_t droid_format; int32_t usage; /* Android usage. */ - uint64_t bo; /* Pointer to cros_gralloc_bo. */ - int32_t registrations; /* - * Number of times (*register)() has been - * called on this handle. - */ }; #endif diff --git a/cros_gralloc/cros_gralloc_module.cc b/cros_gralloc/cros_gralloc_module.cc index 220e772..470648c 100644 --- a/cros_gralloc/cros_gralloc_module.cc +++ b/cros_gralloc/cros_gralloc_module.cc @@ -13,12 +13,10 @@ int cros_gralloc_validate_reference(struct cros_gralloc_module *mod, struct cros_gralloc_handle *hnd, struct cros_gralloc_bo **bo) { - uint64_t key = reinterpret_cast(&hnd->base); - - if (!mod->handles.count(key)) + if (!mod->handles.count(hnd)) return CROS_GRALLOC_ERROR_BAD_HANDLE; - *bo = reinterpret_cast(hnd->bo); + *bo = mod->handles[hnd].bo; return CROS_GRALLOC_ERROR_NONE; } @@ -35,6 +33,7 @@ int cros_gralloc_decrement_reference_count(struct cros_gralloc_module *mod, drv_bo_destroy(bo->bo); if (bo->hnd) { + mod->handles.erase(bo->hnd); native_handle_close(&bo->hnd->base); delete bo->hnd; } @@ -68,7 +67,7 @@ static int cros_gralloc_register_buffer(struct gralloc_module_t const* module, if (!cros_gralloc_validate_reference(mod, hnd, &bo)) { bo->refcount++; - hnd->registrations++; + mod->handles[hnd].registrations++; return CROS_GRALLOC_ERROR_NONE; } @@ -80,7 +79,6 @@ static int cros_gralloc_register_buffer(struct gralloc_module_t const* module, if (mod->buffers.count(id)) { bo = mod->buffers[id]; bo->refcount++; - hnd->bo = reinterpret_cast(bo); } else { struct drv_import_fd_data data; size_t num_planes = drv_num_planes_from_format(hnd->format); @@ -110,11 +108,10 @@ static int cros_gralloc_register_buffer(struct gralloc_module_t const* module, mod->buffers[id] = bo; bo->refcount = 1; - hnd->bo = reinterpret_cast(bo); } - hnd->registrations = 1; - mod->handles.insert(reinterpret_cast(&hnd->base)); + mod->handles[hnd].bo = bo; + mod->handles[hnd].registrations = 1; return CROS_GRALLOC_ERROR_NONE; } @@ -137,15 +134,15 @@ static int cros_gralloc_unregister_buffer(struct gralloc_module_t const* module, return CROS_GRALLOC_ERROR_BAD_HANDLE; } - if (hnd->registrations <= 0) { + if (mod->handles[hnd].registrations <= 0) { cros_gralloc_error("Handle not registered."); return CROS_GRALLOC_ERROR_BAD_HANDLE; } - hnd->registrations--; + mod->handles[hnd].registrations--; - if (!hnd->registrations) - mod->handles.erase(reinterpret_cast(&hnd->base)); + if (!mod->handles[hnd].registrations) + mod->handles.erase(hnd); return cros_gralloc_decrement_reference_count(mod, bo); }