sm8450-common: sensors: Increase padding of _oem_msg struct to 264 bytes
It seems that the _oem_msg struct is used for more than 256 bytes and causes the buffer overflow. 01-02 15:25:44.407 2064 2075 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400007eda640000 in tid 2075 (HwBinder:2064_1), pid 2064 (sensor-notifier) 01-02 15:25:44.484 16719 16719 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 01-02 15:25:44.484 16719 16719 F DEBUG : LineageOS Version: '23.0-20251224-UNOFFICIAL-marble' 01-02 15:25:44.484 16719 16719 F DEBUG : Build fingerprint: 'POCO/marble_global/marble:15/AQ3A.241006.001/OS2.0.211.0.VMRMIXM:user/release-keys' 01-02 15:25:44.484 16719 16719 F DEBUG : Revision: '0' 01-02 15:25:44.484 16719 16719 F DEBUG : ABI: 'arm64' 01-02 15:25:44.484 16719 16719 F DEBUG : Timestamp: 2026-01-02 15:25:44.445943826-0600 01-02 15:25:44.484 16719 16719 F DEBUG : Process uptime: 1017s 01-02 15:25:44.484 16719 16719 F DEBUG : Cmdline: /vendor/bin/sensor-notifier 01-02 15:25:44.484 16719 16719 F DEBUG : pid: 2064, tid: 2075, name: HwBinder:2064_1 >>> /vendor/bin/sensor-notifier <<< 01-02 15:25:44.484 16719 16719 F DEBUG : uid: 1000 01-02 15:25:44.484 16719 16719 F DEBUG : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE) 01-02 15:25:44.484 16719 16719 F DEBUG : pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY) 01-02 15:25:44.484 16719 16719 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400007eda640000 01-02 15:25:44.484 16719 16719 F DEBUG : Cause: [GWP-ASan]: Buffer Overflow, 0 bytes right of a 256-byte allocation at 0x7eda63ff00 01-02 15:25:44.484 16719 16719 F DEBUG : x0 b400007dd60b1790 x1 0000007c45f70400 x2 b400007eda63ff00 x3 0000000001fa26a7 01-02 15:25:44.484 16719 16719 F DEBUG : x4 0000000000000000 x5 8080808080808080 x6 0000000000000010 x7 7f7f7f7f7f7f7f7f 01-02 15:25:44.484 16719 16719 F DEBUG : x8 b400007d960ae880 x9 0000000001fa26a7 x10 0000000000000020 x11 0101010101010101 01-02 15:25:44.484 
16719 16719 F DEBUG : x12 000000000000003a x13 0000000000000004 x14 ffffffffffffffff x15 0000000034155555 01-02 15:25:44.484 16719 16719 F DEBUG : x16 0000000000000001 x17 0000007ed9e9391c x18 0000007c45908000 x19 b400007eda63ff00 01-02 15:25:44.484 16719 16719 F DEBUG : x20 0000007c45f70f80 x21 0000007c4226fe98 x22 0000007c45f705ac x23 0000000000000000 01-02 15:25:44.484 16719 16719 F DEBUG : x24 0000000000000001 x25 0000000000000000 x26 0000007c45f70f80 x27 0000000000000000 01-02 15:25:44.484 16719 16719 F DEBUG : x28 0000000000000810 x29 0000007c45f705d0 01-02 15:25:44.484 16719 16719 F DEBUG : lr 005338dc6345a174 sp 0000007c45f70400 pc 0000007c42251860 pst 0000000060001000 01-02 15:25:44.484 16719 16719 F DEBUG : 12 total frames 01-02 15:25:44.484 16719 16719 F DEBUG : backtrace: 01-02 15:25:44.484 16719 16719 F DEBUG : #00 pc 0000000000030860 /vendor/lib64/libssccalapi@2.0.so (process_msg(_oem_msg*)+280) (BuildId: 9ad00dc25330b7205a59210bb55b0d48) 01-02 15:25:44.484 16719 16719 F DEBUG : #01 pc 000000000000a170 /vendor/bin/sensor-notifier (SscCalApiWrapper::processMsg(_oem_msg*)+84) (BuildId: d4a4812927801f7f5d5f040a71989d8c) 01-02 15:25:44.484 16719 16719 F DEBUG : #02 pc 000000000000aa4c /vendor/bin/sensor-notifier ((anonymous namespace)::RawLightSensorCallback::onEvent(android::hardware::sensors::V1_0::Event const&)+84) (BuildId: d4a4812927801f7f5d5f040a71989d8c) 01-02 15:25:44.484 16719 16719 F DEBUG : #03 pc 0000000000025cd4 /vendor/lib64/android.frameworks.sensorservice@1.0.so (android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::_hidl_onEvent(android::hidl::base::V1_0::BnHwBase*, android::hardware::Parcel const&, android::hardware::Parcel*, std::__1::function<void (android::hardware::Parcel&)>)+172) (BuildId: eb1c957b4dc973b9815f20028e2fc932) 01-02 15:25:44.484 16719 16719 F DEBUG : #04 pc 0000000000025f18 /vendor/lib64/android.frameworks.sensorservice@1.0.so 
(android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::onTransact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+204) (BuildId: eb1c957b4dc973b9815f20028e2fc932) 01-02 15:25:44.484 16719 16719 F DEBUG : #05 pc 000000000008eec4 /vendor/lib64/libhidlbase.so (android::hardware::BHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+96) (BuildId: 1f1b763d02c2ca69f301812ca73907c4) 01-02 15:25:44.484 16719 16719 F DEBUG : #06 pc 0000000000041df4 /vendor/lib64/libhidlbase.so (android::hardware::IPCThreadState::joinThreadPool(bool)+1372) (BuildId: 1f1b763d02c2ca69f301812ca73907c4) 01-02 15:25:44.484 16719 16719 F DEBUG : #07 pc 0000000000041878 /vendor/lib64/libhidlbase.so (android::hardware::PoolThread::threadLoop()+28) (BuildId: 1f1b763d02c2ca69f301812ca73907c4) 01-02 15:25:44.484 16719 16719 F DEBUG : #08 pc 0000000000017444 /vendor/lib64/libutils.so (android::Thread::_threadLoop(void*)+252) (BuildId: 88c08c6057f7bad16889c7c8a07a3364) 01-02 15:25:44.484 16719 16719 F DEBUG : #09 pc 0000000000019bb0 /vendor/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+24) (BuildId: 88c08c6057f7bad16889c7c8a07a3364) 01-02 15:25:44.484 16719 16719 F DEBUG : #10 pc 0000000000080f70 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+184) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) 01-02 15:25:44.484 16719 16719 F DEBUG : #11 pc 0000000000073730 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) 01-02 15:25:44.484 16719 16719 F DEBUG : allocated by thread 2075: 01-02 15:25:44.485 16719 16719 F DEBUG : #00 pc 0000000000068874 /apex/com.android.runtime/lib64/bionic/libc.so (gwp_asan::AllocationMetadata::CallSiteInfo::RecordBacktrace(unsigned 
long (*)(unsigned long*, unsigned long))+84) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) 01-02 15:25:44.485 16719 16719 F DEBUG : #01 pc 0000000000068fc4 /apex/com.android.runtime/lib64/bionic/libc.so (gwp_asan::GuardedPoolAllocator::allocate(unsigned long, unsigned long)+564) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) 01-02 15:25:44.485 16719 16719 F DEBUG : #02 pc 0000000000058e0c /apex/com.android.runtime/lib64/bionic/libc.so ((anonymous namespace)::gwp_asan_malloc(unsigned long)+184) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) 01-02 15:25:44.485 16719 16719 F DEBUG : #03 pc 00000000000597e4 /apex/com.android.runtime/lib64/bionic/libc.so (malloc+88) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) 01-02 15:25:44.485 16719 16719 F DEBUG : #04 pc 00000000000f8504 /vendor/lib64/libc++.so (operator new(unsigned long)+28) (BuildId: ada37e5198285720b02f7d77fd27626c7782fe29) 01-02 15:25:44.485 16719 16719 F DEBUG : #05 pc 000000000000aa18 /vendor/bin/sensor-notifier ((anonymous namespace)::RawLightSensorCallback::onEvent(android::hardware::sensors::V1_0::Event const&)+32) (BuildId: d4a4812927801f7f5d5f040a71989d8c) 01-02 15:25:44.485 16719 16719 F DEBUG : #06 pc 0000000000025cd4 /vendor/lib64/android.frameworks.sensorservice@1.0.so (android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::_hidl_onEvent(android::hidl::base::V1_0::BnHwBase*, android::hardware::Parcel const&, android::hardware::Parcel*, std::__1::function<void (android::hardware::Parcel&)>)+172) (BuildId: eb1c957b4dc973b9815f20028e2fc932) 01-02 15:25:44.485 16719 16719 F DEBUG : #07 pc 0000000000025f18 /vendor/lib64/android.frameworks.sensorservice@1.0.so (android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::onTransact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+204) (BuildId: eb1c957b4dc973b9815f20028e2fc932) 01-02 15:25:44.485 16719 16719 F DEBUG : #08 pc 000000000008eec4 
/vendor/lib64/libhidlbase.so (android::hardware::BHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+96) (BuildId: 1f1b763d02c2ca69f301812ca73907c4) 01-02 15:25:44.485 16719 16719 F DEBUG : #09 pc 0000000000041df4 /vendor/lib64/libhidlbase.so (android::hardware::IPCThreadState::joinThreadPool(bool)+1372) (BuildId: 1f1b763d02c2ca69f301812ca73907c4) 01-02 15:25:44.485 16719 16719 F DEBUG : #10 pc 0000000000041878 /vendor/lib64/libhidlbase.so (android::hardware::PoolThread::threadLoop()+28) (BuildId: 1f1b763d02c2ca69f301812ca73907c4) 01-02 15:25:44.485 16719 16719 F DEBUG : #11 pc 0000000000017444 /vendor/lib64/libutils.so (android::Thread::_threadLoop(void*)+252) (BuildId: 88c08c6057f7bad16889c7c8a07a3364) 01-02 15:25:44.485 16719 16719 F DEBUG : #12 pc 0000000000019bb0 /vendor/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+24) (BuildId: 88c08c6057f7bad16889c7c8a07a3364) 01-02 15:25:44.485 16719 16719 F DEBUG : #13 pc 0000000000080f70 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+184) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) 01-02 15:25:44.485 16719 16719 F DEBUG : #14 pc 0000000000073730 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521) Looking at process_msg() in libssccalapi@2.0.so, it appears the _oem_msg struct is used up to 264 bytes, so increase padding to 264 bytes. This should fix the sensor-notifier crash permanently. Change-Id: I97849cd4e5e41d3b25e8324c0a6ad50469559b8d Signed-off-by: Fiqri Ardyansyah <fiqri191002@gmail.com>
@@ -24,8 +24,8 @@ struct _oem_msg {
|
||||
float notifyTypeFloat;
|
||||
float value;
|
||||
|
||||
// Add padding up to 256 bytes
|
||||
float unused[58];
|
||||
// Add padding up to 264 bytes
|
||||
float unused[60];
|
||||
};
|
||||
|
||||
typedef void (*init_current_sensors_t)(bool debug);
|
||||
|
||||
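Review bot: The new `float unused[60];` encodes an ABI assumption about libssccalapi@2.0.so that nothing in the code checks, so a later edit to the fields above it (the struct's opening line is outside the hunk) or a vendor blob update would silently reintroduce the same out-of-bounds access. Pin the size the commit message derives by adding, after the closing `};`, `static_assert(sizeof(struct _oem_msg) == 264, "_oem_msg layout must match process_msg() in libssccalapi@2.0.so");`. The comment should also record where 264 comes from, since it was read out of a specific blob build rather than a vendor header: `// Padding up to 264 bytes: process_msg() in libssccalapi@2.0.so (BuildId 9ad00dc25330b7205a59210bb55b0d48) accesses the struct up to that offset`. The allocation backtrace shows only `operator new` from RawLightSensorCallback::onEvent, so this is inferred, but if the object is created with a plain `new _oem_msg` the enlarged padding is handed to the blob uninitialized; value-initializing it (`new _oem_msg()` or `= {}`) would make the extra bytes deterministic.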