From abbd4a7aa0a0251dff5bb4eecac5134ac0c4e524 Mon Sep 17 00:00:00 2001
From: Nicolas Geoffray
Date: Tue, 29 Oct 2019 15:45:46 +0000
Subject: [PATCH] Add checks to ensure only the ART memfd file is whitelisted.
A memfd file can be created with any name, but to protect ourselves from unintended leakage, check that it's the name ART uses.
Test: boots
Bug: 119800099
Change-Id: Ibc684d09dd05f38933c6808b72fb402fc9d5e4eb
---
 core/jni/fd_utils.cpp | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/core/jni/fd_utils.cpp b/core/jni/fd_utils.cpp
index c0e4e1fe5e7a6..3704ccdfb8ea2 100644
--- a/core/jni/fd_utils.cpp
+++ b/core/jni/fd_utils.cpp
@@ -59,8 +59,8 @@ FileDescriptorWhitelist* FileDescriptorWhitelist::Get() {
 return instance_;
 }
-static bool IsMemfd(const std::string& path) {
- return android::base::StartsWith(path, "/memfd:");
+static bool IsArtMemfd(const std::string& path) {
+ return android::base::StartsWith(path, "/memfd:/boot-image-methods.art");
 }
 bool FileDescriptorWhitelist::IsAllowed(const std::string& path) const {
@@ -91,8 +91,8 @@ bool FileDescriptorWhitelist::IsAllowed(const std::string& path) const {
 return true;
 }
- // In-memory files created through memfd_create are allowed.
- if (IsMemfd(path)) {
+ // the in-memory file created by ART through memfd_create is allowed.
+ if (IsArtMemfd(path)) {
 return true;
 }
@@ -321,8 +321,8 @@ void FileDescriptorInfo::ReopenOrDetach(fail_fn_t fail_fn) const {
 return DetachSocket(fail_fn);
 }
- // Children can directly use in-memory files created through memfd_create.
- if (IsMemfd(file_path)) {
+ // Children can directly use the in-memory file created by ART through memfd_create.
+ if (IsArtMemfd(file_path)) {
 return;
 }
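Review bot: The new `IsArtMemfd` still only tests a prefix, so any memfd whose name merely begins with `/memfd:/boot-image-methods.art` (one with extra characters appended, for instance) is treated as the ART file, which is the kind of name spoofing the commit message sets out to exclude. As far as I recall, the path read back through /proc for a memfd is the name followed by ` (deleted)`, which is presumably why a prefix test was kept; a tighter form keeps that tolerance without accepting arbitrary suffixes, e.g. `static const std::string kArtMemfd = "/memfd:/boot-image-methods.art";` followed by `return path == kArtMemfd || path == kArtMemfd + " (deleted)";`, and since the hunks at -91 and -321 reuse the same predicate the change lands in one place. A memfd name is chosen by whichever process creates it, so the check is a leak guard rather than an identity check, and that deserves a one-line comment on the function such as `// Name-based only: any process can pick this memfd name, so callers must also bound how many such fds exist.`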
@@ -545,6 +545,10 @@ FileDescriptorTable::FileDescriptorTable(
 }
 void FileDescriptorTable::RestatInternal(std::set& open_fds, fail_fn_t fail_fn) {
+ // ART creates a file through memfd for optimization purposes. We make sure
+ // there is at most one being created.
+ bool art_memfd_seen = false;
+
 // Iterate through the list of file descriptors we've already recorded
 // and check whether :
 //
@@ -577,6 +581,14 @@ void FileDescriptorTable::RestatInternal(std::set& open_fds, fail_fn_t fail
 // FD.
 }
+ if (IsArtMemfd(it->second->file_path)) {
+ if (art_memfd_seen) {
+ fail_fn("ART fd already seen: " + it->second->file_path);
+ } else {
+ art_memfd_seen = true;
+ }
+ }
+
 ++it;
 // Finally, remove the FD from the set of open_fds. We do this last because
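Review bot: `art_memfd_seen` is a local of `RestatInternal`, so the at-most-one guarantee holds only across the entries this loop walks — the descriptors already recorded in the table — and only for the duration of one call; the function body continues past the hunk, and if newly opened fds are recorded on a separate path after this loop, an ART-named memfd appearing for the first time alongside an already recorded one would not trip the flag until the next re-stat. The comment on the flag should state what it actually bounds, e.g. `// At most one ART memfd may be present among the recorded fds; a second one fails the restat.` If a table-wide invariant is intended, a member counter maintained where entries are added and removed would be the place for it rather than a per-call local.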
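Review bot: The failure message in the new block names only the path, and since a spoofed memfd would carry the same ART name, two colliding entries produce an identical message that does not say which descriptor tripped the check. Including the descriptor number — `fail_fn("ART fd already seen: " + it->second->file_path + " (fd " + std::to_string(it->first) + ")");` — gives the log enough to tell the entries apart, assuming `it->first` is the fd number the table is keyed by. The enclosing loop and its `it` iterator start outside the hunk, so whether earlier branches of the loop body skip this check for some entries cannot be confirmed from here.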