am 35ab6119: am 3e03bf8a: am fd2dcf90: am f4770dcf: am 0de7c611: Validate asec names.

* commit '35ab611925aea29fc4088b5c3de7c8c77d956b8b':
  Validate asec names.
diff --git a/CommandListener.cpp b/CommandListener.cpp
index 3b5d2bf..2986cac 100644
--- a/CommandListener.cpp
+++ b/CommandListener.cpp
@@ -274,7 +274,7 @@
     }
 
     size_t dirent_len = offsetof(struct dirent, d_name) +
-            pathconf(directory, _PC_NAME_MAX) + 1;
+            fpathconf(dirfd(d), _PC_NAME_MAX) + 1;
 
     struct dirent *dent = (struct dirent *) malloc(dirent_len);
     if (dent == NULL) {
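Review bot: `fpathconf()` returns -1 on error or when no limit is defined, and the new expression adds that value straight into `dirent_len`, so the size collapses to `offsetof(struct dirent, d_name)` and the allocation that follows is too small for any entry name. The result should be checked before it is used, for example `long name_max = fpathconf(dirfd(d), _PC_NAME_MAX);` followed by `if (name_max < 0) name_max = NAME_MAX;`, with `dirent_len` computed from `name_max`. The identical expression in the VolumeManager.cpp hunk at `-1496,7 +1569,7` needs the same guard. How `dent` is filled is outside both hunks, so the overflow itself is inferred from the undersized buffer.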
diff --git a/Devmapper.cpp b/Devmapper.cpp
index 7c11d12..6f43ac0 100644
--- a/Devmapper.cpp
+++ b/Devmapper.cpp
@@ -124,7 +124,7 @@
     io->version[2] = 0;
     io->flags = flags;
     if (name) {
-        int ret = strlcpy(io->name, name, sizeof(io->name));
+        size_t ret = strlcpy(io->name, name, sizeof(io->name));
 	if (ret >= sizeof(io->name))
 		abort();
     }
diff --git a/DirectVolume.h b/DirectVolume.h
index de1ed8b..c0139d4 100644
--- a/DirectVolume.h
+++ b/DirectVolume.h
@@ -27,7 +27,7 @@
 
 class DirectVolume : public Volume {
 public:
-    static const int MAX_PARTITIONS = 4;
+    static const int MAX_PARTITIONS = 32;
 protected:
     PathCollection *mPaths;
     int            mDiskMajor;
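Review bot: Nothing ties the width of `mPendingPartMap` (widened in the next hunk) to `MAX_PARTITIONS`, so a later bump of the constant past the bit count of `unsigned int` would silently drop partitions from the pending map. I would declare the field as `uint32_t mPendingPartMap;` with a comment such as `// bitmask, one bit per partition; needs at least MAX_PARTITIONS bits`. The code that sets and clears the bits is outside this diff; if it shifts a plain `1`, bit 31 is now reachable and the shift should be written `1U << n`.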
@@ -37,7 +37,7 @@
     int            mOrigDiskMinor;
     int            mOrigPartMinors[MAX_PARTITIONS];
     int            mDiskNumParts;
-    unsigned char  mPendingPartMap;
+    unsigned int   mPendingPartMap;
     int            mIsDecrypted;
     int            mFlags;
 
diff --git a/Ext4.cpp b/Ext4.cpp
index 290489e..613d623 100644
--- a/Ext4.cpp
+++ b/Ext4.cpp
@@ -31,7 +31,6 @@
 #include <sys/mount.h>
 
 #include <linux/kdev_t.h>
-#include <linux/fs.h>
 
 #define LOG_TAG "Vold"
 
@@ -67,16 +66,18 @@
     return rc;
 }
 
-int Ext4::format(const char *fsPath) {
+int Ext4::format(const char *fsPath, const char *mountpoint) {
     int fd;
-    const char *args[4];
+    const char *args[6];
     int rc;
 
     args[0] = MKEXT4FS_PATH;
     args[1] = "-J";
-    args[2] = fsPath;
-    args[3] = NULL;
-    rc = logwrap(3, args, 1);
+    args[2] = "-a";
+    args[3] = mountpoint;
+    args[4] = fsPath;
+    args[5] = NULL;
+    rc = logwrap(5, args, 1);
 
     if (rc == 0) {
         SLOGI("Filesystem (ext4) formatted OK");
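Review bot: `args[3] = mountpoint;` stores the new parameter without a NULL check, and a NULL in that slot would end the argument vector early, so the formatter would presumably be launched with `-a` but no value and without `fsPath`. A guard at the top of the function, `if (fsPath == NULL || mountpoint == NULL) return -1;`, keeps a bad caller from reaching `logwrap`. The literal `5` passed to `logwrap` must also be kept in step with the array by hand; deriving it from the array size would remove that coupling. The function body continues past the end of this hunk.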
diff --git a/Ext4.h b/Ext4.h
index a09b576..c5ab78a 100644
--- a/Ext4.h
+++ b/Ext4.h
@@ -23,7 +23,7 @@
 public:
     static int doMount(const char *fsPath, const char *mountPoint, bool ro, bool remount,
             bool executable);
-    static int format(const char *fsPath);
+    static int format(const char *fsPath, const char *mountpoint);
 };
 
 #endif
diff --git a/Fat.cpp b/Fat.cpp
index 82a3f7a..a7fcc28 100644
--- a/Fat.cpp
+++ b/Fat.cpp
@@ -31,7 +31,6 @@
 #include <sys/mount.h>
 
 #include <linux/kdev_t.h>
-#include <linux/fs.h>
 
 #define LOG_TAG "Vold"
 
diff --git a/Volume.cpp b/Volume.cpp
index 0be2e81..4a00ccc 100644
--- a/Volume.cpp
+++ b/Volume.cpp
@@ -28,7 +28,6 @@
 #include <sys/param.h>
 
 #include <linux/kdev_t.h>
-#include <linux/fs.h>
 
 #include <cutils/properties.h>
 
diff --git a/VolumeManager.cpp b/VolumeManager.cpp
index 5a4ccd5..70f2b13 100644
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@@ -191,7 +191,11 @@
     }
 
     memset(mountPath, 0, mountPathLen);
-    snprintf(mountPath, mountPathLen, "%s/%s", Volume::LOOPDIR, idHash);
+    int written = snprintf(mountPath, mountPathLen, "%s/%s", Volume::LOOPDIR, idHash);
+    if ((written < 0) || (written >= mountPathLen)) {
+        errno = EINVAL;
+        return -1;
+    }
 
     if (access(mountPath, F_OK)) {
         errno = ENOENT;
@@ -221,7 +225,13 @@
         return -1;
     }
 
-    snprintf(buffer, maxlen, "%s/%s", Volume::ASECDIR, id);
+    int written = snprintf(buffer, maxlen, "%s/%s", Volume::ASECDIR, id);
+    if ((written < 0) || (written >= maxlen)) {
+        SLOGE("getAsecMountPath failed for %s: couldn't construct path in buffer", id);
+        errno = EINVAL;
+        return -1;
+    }
+
     return 0;
 }
 
@@ -245,7 +255,12 @@
         return -1;
     }
 
-    snprintf(buffer, maxlen, "%s", asecFileName);
+    int written = snprintf(buffer, maxlen, "%s", asecFileName);
+    if ((written < 0) || (written >= maxlen)) {
+        errno = EINVAL;
+        return -1;
+    }
+
     return 0;
 }
 
@@ -299,7 +314,11 @@
 
     const char *asecDir = isExternal ? Volume::SEC_ASECDIR_EXT : Volume::SEC_ASECDIR_INT;
 
-    snprintf(asecFileName, sizeof(asecFileName), "%s/%s.asec", asecDir, id);
+    int written = snprintf(asecFileName, sizeof(asecFileName), "%s/%s.asec", asecDir, id);
+    if ((written < 0) || (size_t(written) >= sizeof(asecFileName))) {
+        errno = EINVAL;
+        return -1;
+    }
 
     if (!access(asecFileName, F_OK)) {
         SLOGE("ASEC file '%s' currently exists - destroy it first! (%s)",
@@ -397,8 +416,21 @@
 
     if (wantFilesystem) {
         int formatStatus;
+        char mountPoint[255];
+
+        int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+        if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+            SLOGE("ASEC fs format failed: couldn't construct mountPoint");
+            if (cleanupDm) {
+                Devmapper::destroy(idHash);
+            }
+            Loop::destroyByDevice(loopDevice);
+            unlink(asecFileName);
+            return -1;
+        }
+
         if (usingExt4) {
-            formatStatus = Ext4::format(dmDevice);
+            formatStatus = Ext4::format(dmDevice, mountPoint);
         } else {
             formatStatus = Fat::format(dmDevice, numImgSectors);
         }
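Review bot: The new failure branch for `mountPoint` returns -1 without setting `errno`, while the checks added earlier in this file (the `mountPath`, `buffer` and `asecFileName` hunks) all set `errno = EINVAL` first. If callers report `errno` to the client, which is not visible here, they will pick up a stale value, possibly one left behind by `unlink()` in this same branch. I would add `errno = EINVAL;` immediately before `return -1;`, after the cleanup calls so they cannot overwrite it. The later hunks that only log and return (finalize, permission fixup, rename, unmount, destroy, mount, OBB mount/unmount and the `nodepath` check) have the same gap.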
@@ -413,9 +445,6 @@
             return -1;
         }
 
-        char mountPoint[255];
-
-        snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
         if (mkdir(mountPoint, 0000)) {
             if (errno != EEXIST) {
                 SLOGE("Mountpoint creation failed (%s)", strerror(errno));
@@ -498,7 +527,11 @@
         return -1;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("ASEC finalize failed: couldn't construct mountPoint");
+        return -1;
+    }
 
     int result = 0;
     if (sb.c_opts & ASEC_SB_C_OPTS_EXT4) {
@@ -557,7 +590,11 @@
         return -1;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("Unable remount to fix permissions for %s: couldn't construct mountpoint", id);
+        return -1;
+    }
 
     int result = 0;
     if ((sb.c_opts & ASEC_SB_C_OPTS_EXT4) == 0) {
@@ -662,14 +699,24 @@
 
     asprintf(&asecFilename2, "%s/%s.asec", dir, id2);
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id1);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id1);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("Rename failed: couldn't construct mountpoint");
+        goto out_err;
+    }
+
     if (isMountpointMounted(mountPoint)) {
         SLOGW("Rename attempt when src mounted");
         errno = EBUSY;
         goto out_err;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id2);
+    written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id2);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("Rename failed: couldn't construct mountpoint2");
+        goto out_err;
+    }
+
     if (isMountpointMounted(mountPoint)) {
         SLOGW("Rename attempt when dst mounted");
         errno = EBUSY;
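Review bot: The `asprintf(&asecFilename2, ...)` call on the context line just above the new check still ignores its return value, so this function validates the fixed-size `mountPoint` buffer but not the heap-allocated path. On failure the contents of `asecFilename2` are undefined, and the new `goto out_err` paths make it more likely that the pointer is reached in that state; the `out_err` label is outside the hunk, so whether it frees the pointer is an assumption. I would change the call to `if (asprintf(&asecFilename2, "%s/%s.asec", dir, id2) < 0) { asecFilename2 = NULL; goto out_err; }`.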
@@ -712,7 +759,11 @@
         return -1;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("ASEC unmount failed for %s: couldn't construct mountpoint", id);
+        return -1;
+    }
 
     char idHash[33];
     if (!asecHash(id, idHash, sizeof(idHash))) {
@@ -732,7 +783,11 @@
         return -1;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::LOOPDIR, idHash);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::LOOPDIR, idHash);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("OBB unmount failed for %s: couldn't construct mountpoint", fileName);
+        return -1;
+    }
 
     return unmountLoopImage(fileName, idHash, fileName, mountPoint, force);
 }
@@ -834,7 +889,11 @@
         return -1;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("ASEC destroy failed for %s: couldn't construct mountpoint", id);
+        return -1;
+    }
 
     if (isMountpointMounted(mountPoint)) {
         if (mDebug) {
@@ -940,7 +999,8 @@
 
     if (asecPath != NULL) {
         int written = snprintf(asecPath, asecPathLen, "%s/%s", dir, asecName);
-        if (written < 0 || static_cast<size_t>(written) >= asecPathLen) {
+        if ((written < 0) || (size_t(written) >= asecPathLen)) {
+            SLOGE("findAsec failed for %s: couldn't construct ASEC path", id);
             free(asecName);
             return -1;
         }
@@ -965,7 +1025,11 @@
         return -1;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::ASECDIR, id);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("ASEC mount failed: couldn't construct mountpoint", id);
+        return -1;
+    }
 
     if (isMountpointMounted(mountPoint)) {
         SLOGE("ASEC %s already mounted", id);
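Review bot: The added `SLOGE("ASEC mount failed: couldn't construct mountpoint", id);` passes `id` but the format string has no conversion for it, so the container name never reaches the log and the call trips `-Wformat-extra-args`. It should read `SLOGE("ASEC mount failed for %s: couldn't construct mountpoint", id);`, matching the unmount and destroy messages. The next hunk has the same mistake with `img` in `SLOGE("OBB mount failed: couldn't construct mountpoint", img);`.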
@@ -1108,7 +1172,11 @@
         return -1;
     }
 
-    snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::LOOPDIR, idHash);
+    int written = snprintf(mountPoint, sizeof(mountPoint), "%s/%s", Volume::LOOPDIR, idHash);
+    if ((written < 0) || (size_t(written) >= sizeof(mountPoint))) {
+        SLOGE("OBB mount failed: couldn't construct mountpoint", img);
+        return -1;
+    }
 
     if (isMountpointMounted(mountPoint)) {
         SLOGE("Image %s already mounted", img);
@@ -1320,10 +1388,15 @@
 
     int fd;
     char nodepath[255];
-    snprintf(nodepath,
+    int written = snprintf(nodepath,
              sizeof(nodepath), "/dev/block/vold/%d:%d",
              MAJOR(d), MINOR(d));
 
+    if ((written < 0) || (size_t(written) >= sizeof(nodepath))) {
+        SLOGE("shareVolume failed: couldn't construct nodepath");
+        return -1;
+    }
+
     if ((fd = open(MASS_STORAGE_FILE_PATH, O_WRONLY)) < 0) {
         SLOGE("Unable to open ums lunfile (%s)", strerror(errno));
         return -1;
@@ -1496,7 +1569,7 @@
     }
 
     size_t dirent_len = offsetof(struct dirent, d_name) +
-            pathconf(directory, _PC_NAME_MAX) + 1;
+            fpathconf(dirfd(d), _PC_NAME_MAX) + 1;
 
     struct dirent *dent = (struct dirent *) malloc(dirent_len);
     if (dent == NULL) {
diff --git a/vdc.c b/vdc.c
index 7dad143..59f34d6 100644
--- a/vdc.c
+++ b/vdc.c
@@ -57,7 +57,7 @@
 static int do_cmd(int sock, int argc, char **argv) {
     char final_cmd[255] = "0 "; /* 0 is a (now required) sequence number */
     int i;
-    int ret;
+    size_t ret;
 
     for (i = 1; i < argc; i++) {
         char *cmp;