From a568a9144f1a804e4ac136522dfcd1f8aaae81a3 Mon Sep 17 00:00:00 2001 From: Chris Wailes Date: Thu, 18 Apr 2019 18:25:57 -0700 Subject: [PATCH] Adds additional sanitization for Zygote command arguments. Previously we were only insuring that the arguments provided to the Zygote didn't contain any newlines. This adds additional checks for carriage returns and standalone integer arguments to protect against malicious argument and packet injection respectively. Bug: 130164289 Test: m & flash & boot & check logs Change-Id: I4055c50d52db0047c02c11096710fd07b429660c Merged-In: I4055c50d52db0047c02c11096710fd07b429660c (cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a) --- core/java/android/os/ZygoteProcess.java | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java index 6994033a963a8..904ec46859fa4 100644 --- a/core/java/android/os/ZygoteProcess.java +++ b/core/java/android/os/ZygoteProcess.java @@ -16,6 +16,7 @@ package android.os; +import android.annotation.NonNull; import android.net.LocalSocket; import android.net.LocalSocketAddress; import android.util.Log; @@ -278,15 +279,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr */ @GuardedBy("mLock") private static Process.ProcessStartResult zygoteSendArgsAndGetResult( - ZygoteState zygoteState, ArrayList args) + ZygoteState zygoteState, @NonNull ArrayList args) throws ZygoteStartFailedEx { try { // Throw early if any of the arguments are malformed. This means we can // avoid writing a partial response to the zygote. int sz = args.size(); for (int i = 0; i < sz; i++) { + // Making two indexOf calls here is faster than running a manually fused loop due + // to the fact that indexOf is a optimized intrinsic. if (args.get(i).indexOf('\n') >= 0) { - throw new ZygoteStartFailedEx("embedded newlines not allowed"); + throw new ZygoteStartFailedEx("Embedded newlines not allowed"); + } else if (args.get(i).indexOf('\r') >= 0) { + throw new ZygoteStartFailedEx("Embedded carriage returns not allowed"); } }