logger: validate hdr_size field in logger entry

- check hdr_size to make sure it is in the expected range
  from sizeof entry_v1 to entry (entry_v4).
- alter msg() method to report NULL on invalid hdr_size
- alter all users of msg() method.

Bug: 30947841
Change-Id: I9bc1740d7aa9f37df5be966c18de1fb9de63d5dd
This commit is contained in:
Mark Salyzyn 2016-08-18 14:59:41 -07:00
parent 82b67fff06
commit 305374cf0f
8 changed files with 86 additions and 24 deletions

View File

@ -539,6 +539,10 @@ static void dump_log_file(
if (!hdr_size) {
hdr_size = sizeof(log_entry.entry_v1);
}
if ((hdr_size < sizeof(log_entry.entry_v1)) ||
(hdr_size > sizeof(log_entry.entry))) {
continue;
}
char* msg = reinterpret_cast<char*>(log_entry.buf) + hdr_size;
char timeBuf[32];

View File

@ -143,7 +143,14 @@ struct log_msg {
}
char *msg()
{
return entry.hdr_size ? (char *) buf + entry.hdr_size : entry_v1.msg;
unsigned short hdr_size = entry.hdr_size;
if (!hdr_size) {
hdr_size = sizeof(entry_v1);
}
if ((hdr_size < sizeof(entry_v1)) || (hdr_size > sizeof(entry))) {
return NULL;
}
return (char *) buf + hdr_size;
}
unsigned int len()
{

View File

@ -367,6 +367,10 @@ static int android_transport_read(struct android_log_logger_list *logger_list,
if (log_msg->entry_v2.hdr_size == 0) {
log_msg->entry_v2.hdr_size = sizeof(struct logger_entry);
}
if ((log_msg->entry_v2.hdr_size < sizeof(log_msg->entry_v1)) ||
(log_msg->entry_v2.hdr_size > sizeof(log_msg->entry))) {
return -EINVAL;
}
/* len validation */
if (ret <= log_msg->entry_v2.hdr_size) {

View File

@ -496,6 +496,11 @@ LIBLOG_ABI_PUBLIC int android_log_processLogBuffer(
char *msg = buf->msg;
struct logger_entry_v2 *buf2 = (struct logger_entry_v2 *)buf;
if (buf2->hdr_size) {
if ((buf2->hdr_size < sizeof(((struct log_msg *)NULL)->entry_v1)) ||
(buf2->hdr_size > sizeof(((struct log_msg *)NULL)->entry))) {
fprintf(stderr, "+++ LOG: entry illegal hdr_size\n");
return -1;
}
msg = ((char *)buf2) + buf2->hdr_size;
if (buf2->hdr_size >= sizeof(struct logger_entry_v4)) {
entry->uid = ((struct logger_entry_v4 *)buf)->uid;
@ -775,6 +780,11 @@ LIBLOG_ABI_PUBLIC int android_log_processBinaryLogBuffer(
eventData = (const unsigned char*) buf->msg;
struct logger_entry_v2 *buf2 = (struct logger_entry_v2 *)buf;
if (buf2->hdr_size) {
if ((buf2->hdr_size < sizeof(((struct log_msg *)NULL)->entry_v1)) ||
(buf2->hdr_size > sizeof(((struct log_msg *)NULL)->entry))) {
fprintf(stderr, "+++ LOG: entry illegal hdr_size\n");
return -1;
}
eventData = ((unsigned char *)buf2) + buf2->hdr_size;
if ((buf2->hdr_size >= sizeof(struct logger_entry_v3)) &&
(((struct logger_entry_v3 *)buf)->lid == LOG_ID_SECURITY)) {

View File

@ -343,6 +343,10 @@ LIBLOG_ABI_PRIVATE ssize_t __android_log_pmsg_file_read(
char *msg = (char *)&transp.logMsg + hdr_size;
char *split = NULL;
if ((hdr_size < sizeof(transp.logMsg.entry_v1)) ||
(hdr_size > sizeof(transp.logMsg.entry))) {
continue;
}
/* Check for invalid sequence number */
if ((transp.logMsg.entry.nsec % ANDROID_LOG_PMSG_FILE_SEQUENCE) ||
((transp.logMsg.entry.nsec / ANDROID_LOG_PMSG_FILE_SEQUENCE) >=

View File

@ -542,7 +542,7 @@ static void BM_log_latency(int iters) {
char* eventData = log_msg.msg();
if (eventData[4] != EVENT_TYPE_LONG) {
if (!eventData || (eventData[4] != EVENT_TYPE_LONG)) {
continue;
}
log_time tx(eventData + 4 + 1);
@ -622,7 +622,7 @@ static void BM_log_delay(int iters) {
char* eventData = log_msg.msg();
if (eventData[4] != EVENT_TYPE_LONG) {
if (!eventData || (eventData[4] != EVENT_TYPE_LONG)) {
continue;
}
log_time tx(eventData + 4 + 1);

View File

@ -154,7 +154,7 @@ TEST(liblog, __android_log_btwrite__android_logger_list_read) {
char *eventData = log_msg.msg();
if (eventData[4] != EVENT_TYPE_LONG) {
if (!eventData || (eventData[4] != EVENT_TYPE_LONG)) {
continue;
}
@ -227,7 +227,7 @@ static void bswrite_test(const char *message) {
char *eventData = log_msg.msg();
if (eventData[4] != EVENT_TYPE_STRING) {
if (!eventData || (eventData[4] != EVENT_TYPE_STRING)) {
continue;
}
@ -506,7 +506,7 @@ TEST(liblog, __security_buffer) {
char *eventData = log_msg.msg();
if (eventData[4] != EVENT_TYPE_LONG) {
if (!eventData || (eventData[4] != EVENT_TYPE_LONG)) {
continue;
}
@ -637,7 +637,7 @@ TEST(liblog, android_logger_list_read__cpu_signal) {
char *eventData = log_msg.msg();
if (eventData[4] != EVENT_TYPE_LONG) {
if (!eventData || (eventData[4] != EVENT_TYPE_LONG)) {
continue;
}
@ -788,7 +788,7 @@ TEST(liblog, android_logger_list_read__cpu_thread) {
char *eventData = log_msg.msg();
if (eventData[4] != EVENT_TYPE_LONG) {
if (!eventData || (eventData[4] != EVENT_TYPE_LONG)) {
continue;
}
@ -990,9 +990,9 @@ TEST(liblog, max_payload) {
continue;
}
char *data = log_msg.msg() + 1;
char *data = log_msg.msg();
if (strcmp(data, tag)) {
if (!data || strcmp(++data, tag)) {
continue;
}
@ -1107,9 +1107,9 @@ TEST(liblog, too_big_payload) {
continue;
}
char *data = log_msg.msg() + 1;
char *data = log_msg.msg();
if (strcmp(data, tag)) {
if (!data || strcmp(++data, tag)) {
continue;
}
@ -1606,6 +1606,9 @@ TEST(liblog, android_errorWriteWithInfoLog__android_logger_list_read__typical) {
}
char *eventData = log_msg.msg();
if (!eventData) {
continue;
}
// Tag
int tag = get4LE(eventData);
@ -1687,6 +1690,10 @@ TEST(liblog, android_errorWriteWithInfoLog__android_logger_list_read__data_too_l
}
char *eventData = log_msg.msg();
if (!eventData) {
continue;
}
char *original = eventData;
// Tag
@ -1774,6 +1781,9 @@ TEST(liblog, android_errorWriteWithInfoLog__android_logger_list_read__null_data)
}
char *eventData = log_msg.msg();
if (!eventData) {
continue;
}
// Tag
int tag = get4LE(eventData);
@ -1817,6 +1827,9 @@ TEST(liblog, android_errorWriteWithInfoLog__android_logger_list_read__subtag_too
}
char *eventData = log_msg.msg();
if (!eventData) {
continue;
}
// Tag
int tag = get4LE(eventData);
@ -1904,6 +1917,9 @@ TEST(liblog, android_errorWriteLog__android_logger_list_read__success) {
}
char *eventData = log_msg.msg();
if (!eventData) {
continue;
}
// Tag
int tag = get4LE(eventData);
@ -1961,6 +1977,9 @@ TEST(liblog, android_errorWriteLog__android_logger_list_read__null_subtag) {
}
char *eventData = log_msg.msg();
if (!eventData) {
continue;
}
// Tag
int tag = get4LE(eventData);
@ -2449,16 +2468,19 @@ static void create_android_logger(const char *(*fn)(uint32_t tag, size_t &expect
android_log_format_free(logformat);
// test buffer reading API
snprintf(msgBuf, sizeof(msgBuf), "I/[%d]", get4LE(eventData));
print_barrier();
fprintf(stderr, "%-10s(%5u): ", msgBuf, pid);
memset(msgBuf, 0, sizeof(msgBuf));
int buffer_to_string = android_log_buffer_to_string(
eventData + sizeof(uint32_t),
log_msg.entry.len - sizeof(uint32_t),
msgBuf, sizeof(msgBuf));
fprintf(stderr, "%s\n", msgBuf);
print_barrier();
int buffer_to_string = -1;
if (eventData) {
snprintf(msgBuf, sizeof(msgBuf), "I/[%d]", get4LE(eventData));
print_barrier();
fprintf(stderr, "%-10s(%5u): ", msgBuf, pid);
memset(msgBuf, 0, sizeof(msgBuf));
buffer_to_string = android_log_buffer_to_string(
eventData + sizeof(uint32_t),
log_msg.entry.len - sizeof(uint32_t),
msgBuf, sizeof(msgBuf));
fprintf(stderr, "%s\n", msgBuf);
print_barrier();
}
EXPECT_EQ(0, buffer_to_string);
EXPECT_EQ(strlen(expected_string), strlen(msgBuf));
EXPECT_EQ(0, strcmp(expected_string, msgBuf));

View File

@ -213,9 +213,15 @@ static void dump_log_msg(const char *prefix,
version = 1;
break;
case sizeof(msg->entry_v2):
case sizeof(msg->entry_v2): /* PLUS case sizeof(msg->entry_v3): */
if (version == 0) {
version = 2;
version = (msg->entry_v3.lid < LOG_ID_MAX) ? 3 : 2;
}
break;
case sizeof(msg->entry_v4):
if (version == 0) {
version = 4;
}
break;
}
@ -269,6 +275,11 @@ static void dump_log_msg(const char *prefix,
unsigned int len = msg->entry.len;
fprintf(stderr, "msg[%u]={", len);
unsigned char *cp = reinterpret_cast<unsigned char *>(msg->msg());
if (!cp) {
static const unsigned char garbage[] = "<INVALID>";
cp = const_cast<unsigned char *>(garbage);
len = strlen(reinterpret_cast<const char *>(garbage));
}
while(len) {
unsigned char *p = cp;
while (*p && (((' ' <= *p) && (*p < 0x7F)) || (*p == '\n'))) {