From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pawan Wagh <waghpawan@google.com>
Date: Tue, 13 Jun 2023 17:37:26 +0000
Subject: [PATCH] Use readUniqueFileDescriptor in incidentd service

readFileDescriptor doesn't provide ownership of the fds. fdopen
needs ownership of the fds. Fds read from parcel should be duped
in this scenario and readUniqueFileDescriptor dups fds internally.

Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer
Test: atest incidentd_test
Bug: 286931110
Bug: 283699145
(cherry picked from commit ba78ef276951269f7b024baebdf1b8fa40bedb23)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055)
Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
---
 cmds/incidentd/src/IncidentService.cpp | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/cmds/incidentd/src/IncidentService.cpp b/cmds/incidentd/src/IncidentService.cpp
index e305b5462b77..5610a40b7891 100644
--- a/cmds/incidentd/src/IncidentService.cpp
+++ b/cmds/incidentd/src/IncidentService.cpp
@@ -258,12 +258,21 @@ Status IncidentService::systemRunning() {
 status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* reply,
                                      uint32_t flags) {
     status_t err;
+    status_t status;
 
     switch (code) {
         case SHELL_COMMAND_TRANSACTION: {
-            int in = data.readFileDescriptor();
-            int out = data.readFileDescriptor();
-            int err = data.readFileDescriptor();
+            unique_fd in, out, err;
+
+            status = data.readUniqueFileDescriptor(&in);
+            if (status != OK) return status;
+
+            status = data.readUniqueFileDescriptor(&out);
+            if (status != OK) return status;
+
+            status = data.readUniqueFileDescriptor(&err);
+            if (status != OK) return status;
+
             int argc = data.readInt32();
             Vector<String8> args;
             for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
@@ -273,15 +282,15 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel*
             sp<IResultReceiver> resultReceiver =
                     IResultReceiver::asInterface(data.readStrongBinder());
 
-            FILE* fin = fdopen(in, "r");
-            FILE* fout = fdopen(out, "w");
-            FILE* ferr = fdopen(err, "w");
+            FILE* fin = fdopen(in.release(), "r");
+            FILE* fout = fdopen(out.release(), "w");
+            FILE* ferr = fdopen(err.release(), "w");
 
             if (fin == NULL || fout == NULL || ferr == NULL) {
                 resultReceiver->send(NO_MEMORY);
             } else {
-                err = command(fin, fout, ferr, args);
-                resultReceiver->send(err);
+                status_t result = command(fin, fout, ferr, args);
+                resultReceiver->send(result);
             }
 
             if (fin != NULL) {