
Add bounds check to sensors direct channel creation
authorBrian Duddie <bduddie@google.com>
Thu, 15 Feb 2018 23:02:29 +0000 (15:02 -0800)
committerJP Sugarbroad <jpsugar@google.com>
Thu, 15 Mar 2018 20:03:18 +0000 (13:03 -0700)
Avoids attempting to read a 0-size array during input validation. Adds
SafetyNet logging when this is triggered.

Also, change the cast for the ashmem size check from int to int64_t to
avoid potential conversion to negative number on 32-bit systems.

Bug: 70986337
Test: run POC, confirm via logs that function bails early
Change-Id: I674285738983f18de3466f9e818d83dabe269b7d
(cherry picked from commit 0eb4624b33aeb375ae431a6b1e2b787c959968fe)

services/sensorservice/SensorService.cpp

index dc491d9..e5b6dcf 100644 (file)
@@ -21,6 +21,7 @@
 #include <cutils/properties.h>
 #include <hardware/sensors.h>
 #include <hardware_legacy/power.h>
+#include <log/log.h>
 #include <openssl/digest.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
@@ -993,10 +994,15 @@ sp<ISensorEventConnection> SensorService::createSensorDirectConnection(
     // check specific to memory type
     switch(type) {
         case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem
+            if (resource->numFds < 1) {
+                ALOGE("Ashmem direct channel requires a memory region to be supplied");
+                android_errorWriteLog(0x534e4554, "70986337");  // SafetyNet
+                return nullptr;
+            }
             int fd = resource->data[0];
             int size2 = ashmem_get_size_region(fd);
             // check size consistency
-            if (size2 < static_cast<int>(size)) {
+            if (size2 < static_cast<int64_t>(size)) {
                 ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d",
                       size, size2);
                 return nullptr;
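Review bot: A failed `ashmem_get_size_region(fd)` is still reported as a size mismatch, because `size2` goes straight into the `size2 < static_cast<int64_t>(size)` comparison with no separate error check. As far as I know that call returns a negative value when the fd is not a valid ashmem region, so the request is rejected, but only because `size` is unsigned and can never compare below a negative `size2`. The resulting "greater than shared memory size" log line then hides the real cause during triage. I would add an explicit guard before the comparison, `if (size2 < 0) { ALOGE("ashmem_get_size_region failed on direct channel fd (%d)", size2); return nullptr; }`, so the bad-descriptor case is rejected and logged on its own. The body of createSensorDirectConnection starts and ends outside this hunk, so any earlier validation of `resource` or of the other memory types is not visible here.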