Fiqri Ardyansyah ac311ad69f sm8450-common: sensors: Increase padding of _oem_msg struct to 264 bytes
It seems that the _oem_msg struct is used for more than 256 bytes
and causes a buffer overflow.

01-02 15:25:44.407  2064  2075 F libc    : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400007eda640000 in tid 2075 (HwBinder:2064_1), pid 2064 (sensor-notifier)
01-02 15:25:44.484 16719 16719 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-02 15:25:44.484 16719 16719 F DEBUG   : LineageOS Version: '23.0-20251224-UNOFFICIAL-marble'
01-02 15:25:44.484 16719 16719 F DEBUG   : Build fingerprint: 'POCO/marble_global/marble:15/AQ3A.241006.001/OS2.0.211.0.VMRMIXM:user/release-keys'
01-02 15:25:44.484 16719 16719 F DEBUG   : Revision: '0'
01-02 15:25:44.484 16719 16719 F DEBUG   : ABI: 'arm64'
01-02 15:25:44.484 16719 16719 F DEBUG   : Timestamp: 2026-01-02 15:25:44.445943826-0600
01-02 15:25:44.484 16719 16719 F DEBUG   : Process uptime: 1017s
01-02 15:25:44.484 16719 16719 F DEBUG   : Cmdline: /vendor/bin/sensor-notifier
01-02 15:25:44.484 16719 16719 F DEBUG   : pid: 2064, tid: 2075, name: HwBinder:2064_1  >>> /vendor/bin/sensor-notifier <<<
01-02 15:25:44.484 16719 16719 F DEBUG   : uid: 1000
01-02 15:25:44.484 16719 16719 F DEBUG   : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
01-02 15:25:44.484 16719 16719 F DEBUG   : pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
01-02 15:25:44.484 16719 16719 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400007eda640000
01-02 15:25:44.484 16719 16719 F DEBUG   : Cause: [GWP-ASan]: Buffer Overflow, 0 bytes right of a 256-byte allocation at 0x7eda63ff00
01-02 15:25:44.484 16719 16719 F DEBUG   :     x0  b400007dd60b1790  x1  0000007c45f70400  x2  b400007eda63ff00  x3  0000000001fa26a7
01-02 15:25:44.484 16719 16719 F DEBUG   :     x4  0000000000000000  x5  8080808080808080  x6  0000000000000010  x7  7f7f7f7f7f7f7f7f
01-02 15:25:44.484 16719 16719 F DEBUG   :     x8  b400007d960ae880  x9  0000000001fa26a7  x10 0000000000000020  x11 0101010101010101
01-02 15:25:44.484 16719 16719 F DEBUG   :     x12 000000000000003a  x13 0000000000000004  x14 ffffffffffffffff  x15 0000000034155555
01-02 15:25:44.484 16719 16719 F DEBUG   :     x16 0000000000000001  x17 0000007ed9e9391c  x18 0000007c45908000  x19 b400007eda63ff00
01-02 15:25:44.484 16719 16719 F DEBUG   :     x20 0000007c45f70f80  x21 0000007c4226fe98  x22 0000007c45f705ac  x23 0000000000000000
01-02 15:25:44.484 16719 16719 F DEBUG   :     x24 0000000000000001  x25 0000000000000000  x26 0000007c45f70f80  x27 0000000000000000
01-02 15:25:44.484 16719 16719 F DEBUG   :     x28 0000000000000810  x29 0000007c45f705d0
01-02 15:25:44.484 16719 16719 F DEBUG   :     lr  005338dc6345a174  sp  0000007c45f70400  pc  0000007c42251860  pst 0000000060001000
01-02 15:25:44.484 16719 16719 F DEBUG   : 12 total frames
01-02 15:25:44.484 16719 16719 F DEBUG   : backtrace:
01-02 15:25:44.484 16719 16719 F DEBUG   :       #00 pc 0000000000030860  /vendor/lib64/libssccalapi@2.0.so (process_msg(_oem_msg*)+280) (BuildId: 9ad00dc25330b7205a59210bb55b0d48)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #01 pc 000000000000a170  /vendor/bin/sensor-notifier (SscCalApiWrapper::processMsg(_oem_msg*)+84) (BuildId: d4a4812927801f7f5d5f040a71989d8c)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #02 pc 000000000000aa4c  /vendor/bin/sensor-notifier ((anonymous namespace)::RawLightSensorCallback::onEvent(android::hardware::sensors::V1_0::Event const&)+84) (BuildId: d4a4812927801f7f5d5f040a71989d8c)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #03 pc 0000000000025cd4  /vendor/lib64/android.frameworks.sensorservice@1.0.so (android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::_hidl_onEvent(android::hidl::base::V1_0::BnHwBase*, android::hardware::Parcel const&, android::hardware::Parcel*, std::__1::function<void (android::hardware::Parcel&)>)+172) (BuildId: eb1c957b4dc973b9815f20028e2fc932)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #04 pc 0000000000025f18  /vendor/lib64/android.frameworks.sensorservice@1.0.so (android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::onTransact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+204) (BuildId: eb1c957b4dc973b9815f20028e2fc932)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #05 pc 000000000008eec4  /vendor/lib64/libhidlbase.so (android::hardware::BHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+96) (BuildId: 1f1b763d02c2ca69f301812ca73907c4)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #06 pc 0000000000041df4  /vendor/lib64/libhidlbase.so (android::hardware::IPCThreadState::joinThreadPool(bool)+1372) (BuildId: 1f1b763d02c2ca69f301812ca73907c4)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #07 pc 0000000000041878  /vendor/lib64/libhidlbase.so (android::hardware::PoolThread::threadLoop()+28) (BuildId: 1f1b763d02c2ca69f301812ca73907c4)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #08 pc 0000000000017444  /vendor/lib64/libutils.so (android::Thread::_threadLoop(void*)+252) (BuildId: 88c08c6057f7bad16889c7c8a07a3364)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #09 pc 0000000000019bb0  /vendor/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+24) (BuildId: 88c08c6057f7bad16889c7c8a07a3364)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #10 pc 0000000000080f70  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+184) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)
01-02 15:25:44.484 16719 16719 F DEBUG   :       #11 pc 0000000000073730  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)
01-02 15:25:44.484 16719 16719 F DEBUG   : allocated by thread 2075:
01-02 15:25:44.485 16719 16719 F DEBUG   :       #00 pc 0000000000068874  /apex/com.android.runtime/lib64/bionic/libc.so (gwp_asan::AllocationMetadata::CallSiteInfo::RecordBacktrace(unsigned long (*)(unsigned long*, unsigned long))+84) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #01 pc 0000000000068fc4  /apex/com.android.runtime/lib64/bionic/libc.so (gwp_asan::GuardedPoolAllocator::allocate(unsigned long, unsigned long)+564) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #02 pc 0000000000058e0c  /apex/com.android.runtime/lib64/bionic/libc.so ((anonymous namespace)::gwp_asan_malloc(unsigned long)+184) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #03 pc 00000000000597e4  /apex/com.android.runtime/lib64/bionic/libc.so (malloc+88) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #04 pc 00000000000f8504  /vendor/lib64/libc++.so (operator new(unsigned long)+28) (BuildId: ada37e5198285720b02f7d77fd27626c7782fe29)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #05 pc 000000000000aa18  /vendor/bin/sensor-notifier ((anonymous namespace)::RawLightSensorCallback::onEvent(android::hardware::sensors::V1_0::Event const&)+32) (BuildId: d4a4812927801f7f5d5f040a71989d8c)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #06 pc 0000000000025cd4  /vendor/lib64/android.frameworks.sensorservice@1.0.so (android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::_hidl_onEvent(android::hidl::base::V1_0::BnHwBase*, android::hardware::Parcel const&, android::hardware::Parcel*, std::__1::function<void (android::hardware::Parcel&)>)+172) (BuildId: eb1c957b4dc973b9815f20028e2fc932)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #07 pc 0000000000025f18  /vendor/lib64/android.frameworks.sensorservice@1.0.so (android::frameworks::sensorservice::V1_0::BnHwEventQueueCallback::onTransact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+204) (BuildId: eb1c957b4dc973b9815f20028e2fc932)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #08 pc 000000000008eec4  /vendor/lib64/libhidlbase.so (android::hardware::BHwBinder::transact(unsigned int, android::hardware::Parcel const&, android::hardware::Parcel*, unsigned int, std::__1::function<void (android::hardware::Parcel&)>)+96) (BuildId: 1f1b763d02c2ca69f301812ca73907c4)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #09 pc 0000000000041df4  /vendor/lib64/libhidlbase.so (android::hardware::IPCThreadState::joinThreadPool(bool)+1372) (BuildId: 1f1b763d02c2ca69f301812ca73907c4)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #10 pc 0000000000041878  /vendor/lib64/libhidlbase.so (android::hardware::PoolThread::threadLoop()+28) (BuildId: 1f1b763d02c2ca69f301812ca73907c4)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #11 pc 0000000000017444  /vendor/lib64/libutils.so (android::Thread::_threadLoop(void*)+252) (BuildId: 88c08c6057f7bad16889c7c8a07a3364)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #12 pc 0000000000019bb0  /vendor/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+24) (BuildId: 88c08c6057f7bad16889c7c8a07a3364)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #13 pc 0000000000080f70  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+184) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)
01-02 15:25:44.485 16719 16719 F DEBUG   :       #14 pc 0000000000073730  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: cbe71727ecbc12f0ff67ea4610ee3521)

Looking at process_msg() in libssccalapi@2.0.so, it appears the _oem_msg
struct is used up to 264 bytes, so increase padding to 264 bytes. This
should fix the sensor-notifier crash permanently.

Change-Id: I97849cd4e5e41d3b25e8324c0a6ad50469559b8d
Signed-off-by: Fiqri Ardyansyah <fiqri191002@gmail.com>
2026-01-12 15:49:25 +01:00
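The failure mode the commit describes, as an added example in C that is not part of the commit or of the vendor code: a caller allocates its own 256-byte view of _oem_msg, while the opaque vendor routine treats the pointer as a 264-byte object and writes up to offset 263. The field layouts of the two structs, the vendor routine standing in for process_msg() (a memset over 264 bytes), and the canary-based stand-in for GWP-ASan's guard page are all assumptions made for the example; only the sizes 256 and 264 come from the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caller-side view of the message before the fix: sizeof() == 256.
 * Field layout is assumed for this example; only the total size matches
 * the 256-byte GWP-ASan allocation in the crash. */
struct oem_msg_v1 {
    uint32_t msg_type;
    uint32_t sensor_id;
    uint8_t  payload[248];
};

/* Caller-side view after the fix: padded so sizeof() == 264. */
struct oem_msg_v2 {
    uint32_t msg_type;
    uint32_t sensor_id;
    uint8_t  payload[248];
    uint8_t  padding[8];
};

_Static_assert(sizeof(struct oem_msg_v1) == 256, "v1 must be 256 bytes");
_Static_assert(sizeof(struct oem_msg_v2) == 264, "v2 must be 264 bytes");

/* Extent the vendor library touches, per the commit message: offsets 0..263. */
#define LIB_OEM_MSG_EXTENT 264

/* Assumed stand-in for the opaque vendor process_msg(): it treats the
 * pointer as a 264-byte object regardless of what the caller allocated. */
static void vendor_process_msg(uint8_t *msg)
{
    memset(msg, 0xAB, LIB_OEM_MSG_EXTENT);
}

/* GWP-ASan-style guarded allocation. Real GWP-ASan puts an inaccessible
 * guard page right after the object so the first out-of-bounds byte faults;
 * this model uses a byte canary and inspects it afterwards. */
#define GUARD_LEN  64
#define GUARD_BYTE 0x5A

struct guarded {
    uint8_t *base;  /* start of the object */
    size_t   len;   /* requested object size */
};

static struct guarded guarded_alloc(size_t len)
{
    struct guarded g;
    g.base = malloc(len + GUARD_LEN);
    if (!g.base) { perror("malloc"); exit(1); }
    g.len = len;
    memset(g.base + len, GUARD_BYTE, GUARD_LEN);
    return g;
}

/* Guard bytes overwritten, counted from the end of the object. */
static size_t guarded_overflow_bytes(const struct guarded *g)
{
    size_t n = 0;
    while (n < GUARD_LEN && g->base[g->len + n] != GUARD_BYTE)
        n++;
    return n;
}

/* Hand a caller_size-byte allocation to the vendor routine and report how
 * many bytes it wrote past the end (0 means no overflow). Returns SIZE_MAX
 * if the overflow would run past the canary, so the model itself stays safe. */
size_t overflow_for_alloc_size(size_t caller_size)
{
    if (caller_size + GUARD_LEN < LIB_OEM_MSG_EXTENT)
        return SIZE_MAX;
    struct guarded g = guarded_alloc(caller_size);
    vendor_process_msg(g.base);
    size_t n = guarded_overflow_bytes(&g);
    free(g.base);
    return n;
}

/* The check a caller should make before passing its struct across an ABI it
 * does not control: the allocation must cover the library's full extent. */
int fits_vendor_abi(size_t caller_size)
{
    return caller_size >= LIB_OEM_MSG_EXTENT;
}

int main(void)
{
    printf("v1 (%zu B): %zu bytes written past the end\n",
           sizeof(struct oem_msg_v1), overflow_for_alloc_size(sizeof(struct oem_msg_v1)));
    printf("v2 (%zu B): %zu bytes written past the end\n",
           sizeof(struct oem_msg_v2), overflow_for_alloc_size(sizeof(struct oem_msg_v2)));
    return 0;
}
```

With the 256-byte struct the model reports 8 bytes written past the end, the same 264 - 256 difference the commit closes by padding; the first bad byte sits at offset 256, which is what the "0 bytes right of a 256-byte allocation" line in the GWP-ASan report means. With the 264-byte struct nothing crosses the boundary. Padding the caller's struct is only a fix for as long as the library's view of the message stays at 264 bytes, so a caller that cannot see the library's header is better off asserting the size against whatever extent it has measured, as fits_vendor_abi() does, rather than trusting that the two definitions still agree.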