ANDROID: rust_binder: check FDA len before allocating

Userspace can currently make Rust Binder attempt to allocate a really
large amount of memory with kmalloc, which triggers a WARN_ON inside the
allocator. To fix this, validate the length before reserving space.

Bug: 415211355
Change-Id: Icc223a7489d9aead227d70c6d8b3749cb4347f55
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Alice Ryhl
2025-05-22 21:05:13 +00:00
parent 87dbecd2e0
commit 65bb7abf4c


@@ -909,9 +909,8 @@ impl Thread {
let num_fds = usize::try_from(obj.num_fds).map_err(|_| EINVAL)?;
let fds_len = num_fds.checked_mul(size_of::<u32>()).ok_or(EINVAL)?;
view.alloc.info_add_fd_reserve(num_fds)?;
let info = sg_state.validate_parent_fixup(parent_index, parent_offset, fds_len)?;
view.alloc.info_add_fd_reserve(num_fds)?;
sg_state.ancestors.truncate(info.num_ancestors);
let parent_entry = match sg_state.sg_entries.get_mut(info.parent_sg_index) {