On Mon, Dec 29, 2025 at 04:45:44PM +0000, Gary Guo wrote:
> On Mon, 29 Dec 2025 15:38:14 +0000 Alice Ryhl <aliceryhl@google.com> wrote:
> > Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8 bytes out of bounds. This is caught and results in an EINVAL error being returned to userspace.
> > The pattern of using `skip == 0` as a special value originates from the C implementation of Binder. As part of fixing this bug, this pattern is replaced with a Rust enum.
> I was curious and checked the C binder implementation. Apparently the C binder implementation returns early when translating an FD array with length 0.
> Would it still make sense to do something similar in the Rust binder? The enum change is still good to make, though.
Based on where the early return is, that'd be equivalent to wrapping this:

    parent_entry
        .pointer_fixups
        .push(
            PointerFixupEntry::Skip {
                skip: fds_len,
                target_offset: info.target_offset,
            },
            GFP_KERNEL,
        )
        .map_err(|_| ENOMEM)?;
in an `if fds_len > 0 {}` block. I don't believe it makes any difference, but not having a special case may be cleaner?
Alice
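To make the sentinel problem concrete, here is a constructed model of the two encodings discussed in this thread, added here and not the kernel's code: `SentinelFixup`, `write_pointer`, `apply_skip` and the two `translate_*` functions are assumed names, and the placeholder pointer bytes are made up.

```rust
// Constructed model of the two fixup encodings discussed above; not the
// kernel's code. Offsets are byte offsets into the translated buffer.
const PTR_SIZE: usize = 8;

// Sentinel encoding inherited from the C implementation: skip == 0 means
// "pointer fixup", any other value means "leave `skip` bytes untranslated".
#[derive(Clone, Copy)]
pub struct SentinelFixup { pub skip: usize, pub target_offset: usize }

// Enum encoding: the kind is explicit, so a skip length of 0 is just a skip.
#[derive(Clone, Copy)]
pub enum PointerFixupEntry {
    Pointer { target_offset: usize },
    Skip { skip: usize, target_offset: usize },
}

// Fill PTR_SIZE bytes at target_offset with a placeholder translated pointer,
// or reject the write if it would run past the end of the buffer (EINVAL).
fn write_pointer(dst: &mut [u8], target_offset: usize) -> Result<(), &'static str> {
    let end = target_offset.checked_add(PTR_SIZE).ok_or("EINVAL")?;
    if end > dst.len() { return Err("EINVAL"); }
    dst[target_offset..end].copy_from_slice(&[0xAA; PTR_SIZE]);
    Ok(())
}

// Zero the skipped bytes (they are translated elsewhere), bounds-checked.
fn apply_skip(dst: &mut [u8], target_offset: usize, skip: usize) -> Result<(), &'static str> {
    let end = target_offset.checked_add(skip).ok_or("EINVAL")?;
    if end > dst.len() { return Err("EINVAL"); }
    dst[target_offset..end].fill(0);
    Ok(())
}

pub fn translate_sentinel(src: &[u8], fixups: &[SentinelFixup]) -> Result<Vec<u8>, &'static str> {
    let mut dst = src.to_vec();
    for f in fixups {
        // An empty FDA (skip == 0) is misread as a pointer fixup here.
        if f.skip == 0 { write_pointer(&mut dst, f.target_offset)?; }
        else { apply_skip(&mut dst, f.target_offset, f.skip)?; }
    }
    Ok(dst)
}

pub fn translate_enum(src: &[u8], fixups: &[PointerFixupEntry]) -> Result<Vec<u8>, &'static str> {
    let mut dst = src.to_vec();
    for f in fixups {
        match *f {
            PointerFixupEntry::Pointer { target_offset } => write_pointer(&mut dst, target_offset)?,
            PointerFixupEntry::Skip { skip, target_offset } => apply_skip(&mut dst, target_offset, skip)?,
        }
    }
    Ok(dst)
}
```

With a 32-byte buffer and an empty FDA at offset 32, the sentinel encoding attempts an 8-byte write past the end and fails with EINVAL, while the enum encoding treats the same entry as a zero-length skip and succeeds.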