[mojo-core] Validate data pipe endpoint metadata

Ensures that we don't blindly trust specified buffer size and offset metadata when deserializing data pipe consumer and producer handles. Bug: 877182 Change-Id: I30f3eceafb5cee06284c2714d08357ef911d6fd9 Reviewed-on: https://chromium-review.googlesource.com/1192922 Reviewed-by: Reilly Grant <reillyg@chromium.org> Commit-Queue: Ken Rockot <rockot@chromium.org> Cr-Commit-Position: refs/heads/master@{#586704}
qweri0p · Aug 28, 2018 · 66e24a8 · 66e24a8
1 parent f21eb69
commit 66e24a8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/mojo/core/data_pipe_consumer_dispatcher.cc b/mojo/core/data_pipe_consumer_dispatcher.cc
@@ -371,7 +371,9 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 
   const SerializedState* state = static_cast<const SerializedState*>(data);
   if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
-      state->options.capacity_num_bytes < state->options.element_num_bytes) {
+      state->options.capacity_num_bytes < state->options.element_num_bytes ||
+      state->read_offset >= state->options.capacity_num_bytes ||
+      state->bytes_available > state->options.capacity_num_bytes) {
     return nullptr;
   }
 
@@ -408,6 +410,10 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
     dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
     if (!dispatcher->InitializeNoLock())
       return nullptr;
+    if (state->options.capacity_num_bytes >
+        dispatcher->ring_buffer_mapping_.mapped_size()) {
+      return nullptr;
+    }
     dispatcher->UpdateSignalsStateNoLock();
   }
 

diff --git a/mojo/core/data_pipe_producer_dispatcher.cc b/mojo/core/data_pipe_producer_dispatcher.cc
@@ -332,7 +332,9 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 
   const SerializedState* state = static_cast<const SerializedState*>(data);
   if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
-      state->options.capacity_num_bytes < state->options.element_num_bytes) {
+      state->options.capacity_num_bytes < state->options.element_num_bytes ||
+      state->write_offset >= state->options.capacity_num_bytes ||
+      state->available_capacity > state->options.capacity_num_bytes) {
     return nullptr;
   }
 
@@ -368,6 +370,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
     dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
     if (!dispatcher->InitializeNoLock())
       return nullptr;
+    if (state->options.capacity_num_bytes >
+        dispatcher->ring_buffer_mapping_.mapped_size()) {
+      return nullptr;
+    }
     dispatcher->UpdateSignalsStateNoLock();
   }