diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-06 12:40:36 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-12 07:43:30 +0000 |
commit | 38b701b44f54ff5e5b8b772d5cabe0e59569d032 (patch) | |
tree | d89fbfd120b91c05152264e2191272abf65d5bb9 | |
parent | c92e99aa5f826d890cc22bc709039986a27968db (diff) |
[Backport] CVE-2018-16068
[mojo-core] Validate data pipe endpoint metadata
Ensures that we don't blindly trust specified buffer size and offset
metadata when deserializing data pipe consumer and producer handles.
TBR=rockot@chromium.org
(cherry picked from commit 66e24a8793615bd9d5c238b1745b093090e1f72d)
Bug: 877182
Change-Id: I10572a0627c282825593956b04ef235adb4add43
Reviewed-on: https://chromium-review.googlesource.com/1192922
Reviewed-on: https://chromium-review.googlesource.com/1196554
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
-rw-r--r-- | chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc | 8 | ||||
-rw-r--r-- | chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc | 8 |
2 files changed, 14 insertions, 2 deletions
diff --git a/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc b/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc index e1ecc853c25..03c1c2fcdf4 100644 --- a/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc +++ b/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc @@ -370,7 +370,9 @@ DataPipeConsumerDispatcher::Deserialize(const void* data, const SerializedState* state = static_cast<const SerializedState*>(data); if (!state->options.capacity_num_bytes || !state->options.element_num_bytes || - state->options.capacity_num_bytes < state->options.element_num_bytes) { + state->options.capacity_num_bytes < state->options.element_num_bytes || + state->read_offset >= state->options.capacity_num_bytes || + state->bytes_available > state->options.capacity_num_bytes) { return nullptr; } @@ -404,6 +406,10 @@ DataPipeConsumerDispatcher::Deserialize(const void* data, dispatcher->peer_closed_ = state->flags & kFlagPeerClosed; if (!dispatcher->InitializeNoLock()) return nullptr; + if (state->options.capacity_num_bytes > + dispatcher->ring_buffer_mapping_->GetLength()) { + return nullptr; + } dispatcher->UpdateSignalsStateNoLock(); } diff --git a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc index de0b768b63b..add4c004423 100644 --- a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc +++ b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc @@ -333,7 +333,9 @@ DataPipeProducerDispatcher::Deserialize(const void* data, const SerializedState* state = static_cast<const SerializedState*>(data); if (!state->options.capacity_num_bytes || !state->options.element_num_bytes || - state->options.capacity_num_bytes < state->options.element_num_bytes) { + state->options.capacity_num_bytes < state->options.element_num_bytes || + state->write_offset >= state->options.capacity_num_bytes || + state->available_capacity > state->options.capacity_num_bytes) { return nullptr; } @@ -366,6 +368,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data, dispatcher->peer_closed_ = state->flags & kFlagPeerClosed; if (!dispatcher->InitializeNoLock()) return nullptr; + if (state->options.capacity_num_bytes > + dispatcher->ring_buffer_mapping_->GetLength()) { + return nullptr; + } dispatcher->UpdateSignalsStateNoLock(); } |