Fix vulnerability where large GPS XTRA data can be injected. -Can potentially crash system with OOM. Bug: 29555864 am: dde12c6923 am: 3462e52676 am: 5a6b11114a am: 655361b2b1 am: 62783bde30

am: 8788a2413c Change-Id: If9d5385d7d949e85932e5586d4884ffe84d51d47
2016-08-24 20:30:06 +00:00
parent 975879a18d 8788a2413c
commit af369f6e66
1 changed files with 15 additions and 6 deletions
--- a/core/java/android/os/Process.java
+++ b/core/java/android/os/Process.java
@@ -537,6 +537,15 @@ public class Process {
            ZygoteState zygoteState, ArrayList<String> args)
            throws ZygoteStartFailedEx {
        try {
+            // Throw early if any of the arguments are malformed. This means we can
+            // avoid writing a partial response to the zygote.
+            int sz = args.size();
+            for (int i = 0; i < sz; i++) {
+                if (args.get(i).indexOf('\n') >= 0) {
+                    throw new ZygoteStartFailedEx("embedded newlines not allowed");
+                }
+            }
+
            /**
             * See com.android.internal.os.ZygoteInit.readArgumentList()
             * Presently the wire format to the zygote process is:
@@ -553,13 +562,8 @@ public class Process {
            writer.write(Integer.toString(args.size()));
            writer.newLine();

-            int sz = args.size();
            for (int i = 0; i < sz; i++) {
                String arg = args.get(i);
-                if (arg.indexOf('\n') >= 0) {
-                    throw new ZygoteStartFailedEx(
-                            "embedded newlines not allowed");
-                }
                writer.write(arg);
                writer.newLine();
            }
@@ -568,11 +572,16 @@ public class Process {

            // Should there be a timeout on this?
            ProcessStartResult result = new ProcessStartResult();
+
+            // Always read the entire result from the input stream to avoid leaving
+            // bytes in the stream for future process starts to accidentally stumble
+            // upon.
            result.pid = inputStream.readInt();
+            result.usingWrapper = inputStream.readBoolean();
+
            if (result.pid < 0) {
                throw new ZygoteStartFailedEx("fork() failed");
            }
-            result.usingWrapper = inputStream.readBoolean();
            return result;
        } catch (IOException ex) {
            zygoteState.close();