From daae469749cfa86ab57e7d9770f64ced2933b640 Mon Sep 17 00:00:00 2001
From: Alice Ryhl
Date: Thu, 1 May 2025 13:55:59 +0000
Subject: [PATCH] ANDROID: rust_binder: handle read/write_consumed > read/write_size

Currently you will get a panic if userspace provides a read_consumed or write_consumed value that is bigger than the corresponding read_size or write_size. This should be fixed. We treat this case as read_consumed == read_size for consistency with C Binder.
Bug: 414749521
Change-Id: I8eb14eba367652f8fc6d462882aa2dca485d90e2
Signed-off-by: Alice Ryhl
---
 drivers/android/binder/thread.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/android/binder/thread.rs b/drivers/android/binder/thread.rs
index bd18179b37f9..08074bd3fa89 100644
--- a/drivers/android/binder/thread.rs
+++ b/drivers/android/binder/thread.rs
@@ -1408,7 +1408,7 @@ impl Thread {
 fn write(self: &Arc, req: &mut BinderWriteRead) -> Result {
 let write_start = req.write_buffer.wrapping_add(req.write_consumed);
- let write_len = req.write_size - req.write_consumed;
+ let write_len = req.write_size.saturating_sub(req.write_consumed);
 let mut reader = UserSlice::new(write_start as _, write_len as _).reader();
 while reader.len() >= size_of::() && self.inner.lock().return_work.is_unused() {
@@ -1497,7 +1497,7 @@ impl Thread {
 fn read(self: &Arc, req: &mut BinderWriteRead, wait: bool) -> Result {
 let read_start = req.read_buffer.wrapping_add(req.read_consumed);
- let read_len = req.read_size - req.read_consumed;
+ let read_len = req.read_size.saturating_sub(req.read_consumed);
 let mut writer = BinderReturnWriter::new(
 UserSlice::new(read_start as _, read_len as _).writer(),
 self,
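Review bot: The two `saturating_sub` lines in `write` and `read` clamp a userspace-supplied `*_consumed` larger than `*_size` to a zero-length slice, but nothing in the code says so, and a later cleanup could turn them back into the plain `-` that panicked. I would add a comment above each, e.g. `// write_consumed is userspace-controlled and may exceed write_size; treat that as nothing left to process, like C Binder.` The preceding `wrapping_add` still yields a start address past the end of the buffer in that case, which looks harmless with a zero length, but it is worth confirming that the code after these hunks that updates `req.write_consumed` / `req.read_consumed` does no further unchecked arithmetic on the oversized value. Both function bodies continue outside the hunks.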