添加IntSan安全编译检查,WriteToAshmem增加防止溢出校验

Signed-off-by: Nwanderer-dl122 <dengliang21@huawei.com>

interfaces/innerkits/ipc_core/BUILD.gn

@@ -25,6 +25,9 @@ config("ipc_all_deps_config") {
 }
 
 ohos_shared_library("ipc_core") {
+  sanitize = {
+    integer_overflow = true
+  }
   version_script = "libipc_core_map"
   include_dirs = [
     "$IPC_CORE_ROOT/c/adapter/access_token/include",

interfaces/innerkits/ipc_napi_common/BUILD.gn

@@ -19,6 +19,9 @@ if (support_jsapi) {
   }
 
   ohos_shared_library("ipc_napi") {
+    sanitize = {
+      integer_overflow = true
+    }
     include_dirs = [
       "include",
       "../../../utils/include",

interfaces/innerkits/ipc_single/BUILD.gn

@@ -23,6 +23,9 @@ config("libipc_single_private_config") {
   ]
 }
 ohos_shared_library("ipc_single") {
+  sanitize = {
+    integer_overflow = true
+  }
   version_script = "libipc_single_map"
   include_dirs = [
     "$IPC_CORE_ROOT/c/adapter/access_token/include",

interfaces/innerkits/libdbinder/BUILD.gn

@@ -39,6 +39,9 @@ config("libdbinder_private_config") {
 }
 
 ohos_shared_library("libdbinder") {
+  sanitize = {
+    integer_overflow = true
+  }
   include_dirs = [
     "$SUBSYSTEM_DIR/ipc/native/c/rpc/include",
     "$SUBSYSTEM_DIR/utils/include",

interfaces/innerkits/rust/BUILD.gn

@@ -48,6 +48,9 @@ config("libipc_c_private_config") {
 }
 
 ohos_shared_library("ipc_c") {
+  sanitize = {
+    integer_overflow = true
+  }
   include_dirs = [
     "$IPC_CORE_ROOT/src/c_wrapper/include",
     "$SUBSYSTEM_DIR/utils/include",

interfaces/kits/js/napi/BUILD.gn

@@ -21,6 +21,9 @@ config("rpc_public_config") {
 }
 
 ohos_shared_library("rpc") {
+  sanitize = {
+    integer_overflow = true
+  }
   version_script = "librpc_map"
   include_dirs = [
     "$SUBSYSTEM_DIR/utils/include",

ipc/native/src/napi_common/source/napi_ashmem.cpp

@@ -14,6 +14,7 @@
  */
 
 #include "napi_ashmem.h"
+#include <limits>
 #include <unistd.h>
 #include "ipc_debug.h"
 #include "log_tags.h"
@@ -598,9 +599,19 @@ napi_value NAPIAshmem::WriteToAshmem(napi_env env, napi_callback_info info)
     NAPIAshmem *napiAshmem = nullptr;
     napi_unwrap(env, thisVar, (void **)&napiAshmem);
     NAPI_ASSERT(env, napiAshmem != nullptr, "napiAshmem is null");
+
     // need check size offset and capacity
-    bool result = napiAshmem->GetAshmem()->WriteToAshmem(array.data(), size * BYTE_SIZE_32, offset * BYTE_SIZE_32);
     napi_value napiValue = nullptr;
+    bool result = true;
+    uint32_t ashmemSize = (uint32_t)(napiAshmem->GetAshmem()->GetAshmemSize());
+    if (size > std::numeric_limits<int32_t>::max() / BYTE_SIZE_32 ||
+        offset > std::numeric_limits<int32_t>::max() / BYTE_SIZE_32 ||
+        (size * BYTE_SIZE_32 + offset * BYTE_SIZE_32) > ashmemSize) {
+        ZLOGE(LOG_LABEL, "invalid parameter.");
+        result = false;
+    } else {
+        result = napiAshmem->GetAshmem()->WriteToAshmem(array.data(), size * BYTE_SIZE_32, offset * BYTE_SIZE_32);
+    }
     NAPI_CALL(env, napi_get_boolean(env, result, &napiValue));
     return napiValue;
 }
@@ -646,7 +657,16 @@ napi_value NAPIAshmem::WriteAshmem(napi_env env, napi_callback_info info)
         ZLOGE(LOG_LABEL, "napiAshmem is null");
         return napiErr.ThrowError(env, OHOS::errorDesc::WRITE_TO_ASHMEM_ERROR);
     }
+
     // need check size offset and capacity
+    uint32_t ashmemSize = (uint32_t)(napiAshmem->GetAshmem()->GetAshmemSize());
+    if (size > std::numeric_limits<int32_t>::max() / BYTE_SIZE_32 ||
+        offset > std::numeric_limits<int32_t>::max() / BYTE_SIZE_32 ||
+        (size * BYTE_SIZE_32 + offset * BYTE_SIZE_32) > ashmemSize) {
+        ZLOGE(LOG_LABEL, "invalid parameter");
+        return napiErr.ThrowError(env, OHOS::errorDesc::WRITE_TO_ASHMEM_ERROR);
+    }
+
     napiAshmem->GetAshmem()->WriteToAshmem(array.data(), size * BYTE_SIZE_32, offset * BYTE_SIZE_32);
     napi_value result = nullptr;
     napi_get_undefined(env, &result);