ANDROID: rust_binder: handle read/write_consumed > read/write_size

Currently you will get a panic if userspace provides a read_consumed or
write_consumed value that is bigger than the corresponding read_size or
write_size. This should be fixed. We treat this case as read_consumed ==
read_size for consistency with C Binder.

Bug: 414749521
Change-Id: I8eb14eba367652f8fc6d462882aa2dca485d90e2
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Alice Ryhl
2025-05-01 13:55:59 +00:00
committed by Matthew Maurer
parent b23e338263
commit daae469749


@@ -1408,7 +1408,7 @@ impl Thread {
fn write(self: &Arc<Self>, req: &mut BinderWriteRead) -> Result {
let write_start = req.write_buffer.wrapping_add(req.write_consumed);
let write_len = req.write_size - req.write_consumed;
let write_len = req.write_size.saturating_sub(req.write_consumed);
let mut reader = UserSlice::new(write_start as _, write_len as _).reader();
while reader.len() >= size_of::<u32>() && self.inner.lock().return_work.is_unused() {
@@ -1497,7 +1497,7 @@ impl Thread {
fn read(self: &Arc<Self>, req: &mut BinderWriteRead, wait: bool) -> Result {
let read_start = req.read_buffer.wrapping_add(req.read_consumed);
let read_len = req.read_size - req.read_consumed;
let read_len = req.read_size.saturating_sub(req.read_consumed);
let mut writer = BinderReturnWriter::new(
UserSlice::new(read_start as _, read_len as _).writer(),
self,
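Review bot: In `write`, `write_start` is still computed from the unclamped `write_consumed` via `wrapping_add`, so when userspace passes a consumed value larger than the size, the start address lies past the end of the buffer and only the zero `write_len` keeps the `UserSlice` from covering anything. The same holds for `read_start` and `read_len` in `read`. Nothing in the code states that dependency, so I would add a comment above each `saturating_sub` line, for example `// Userspace may pass consumed > size; clamp to an empty slice, matching C Binder.` Both function bodies continue outside the hunks, so it is worth confirming that no later arithmetic on the `*_size`/`*_consumed` pairs still uses an unchecked subtraction.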