Fix double close in NativeLibraryHelper.openApkFd.
Prior to this patch, we were taking the file descriptor owned by a
ParcelFileDescriptor, and passing it into ZipFileRO::openFd, which
expects to take ownership of the file descriptor, closing it upon
destruction. This leads to a double-close when the ParcelFileDescriptor
tries to close itself. Switch to passing a duped copy of the file
descriptor to ZipFileRO::openFd.
Test: `pm install foo.apk` with fdsan
Change-Id: Ida4ca4a37b82875dc4eef1f37bf2322c422fe038
(cherry-picked from commit b066087d65b720a5c9ac48f64a856284566df82f)
diff --git a/core/jni/com_android_internal_content_NativeLibraryHelper.cpp b/core/jni/com_android_internal_content_NativeLibraryHelper.cpp
index cc2646c..dc04269 100644
--- a/core/jni/com_android_internal_content_NativeLibraryHelper.cpp
+++ b/core/jni/com_android_internal_content_NativeLibraryHelper.cpp
@@ -27,6 +27,7 @@
#include <zlib.h>
+#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
@@ -567,7 +568,14 @@
return 0;
}
- ZipFileRO* zipFile = ZipFileRO::openFd(fd, debugFilePath.c_str());
+ int dupedFd = dup(fd);
+ if (dupedFd == -1) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "Failed to dup FileDescriptor: %s", strerror(errno));
+ return 0;
+ }
+
+ ZipFileRO* zipFile = ZipFileRO::openFd(dupedFd, debugFilePath.c_str());
return reinterpret_cast<jlong>(zipFile);
}
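Review bot: The duplicate created by `dup(fd)` does not have the close-on-exec flag set, so the APK descriptor now owned by the ZipFileRO would be inherited by any child process this process forks and execs while the handle is open. Using `int dupedFd = fcntl(fd, F_DUPFD_CLOEXEC, 0);` keeps the same `-1`/`errno` error path, and `<fcntl.h>` is already included in the context lines of the first hunk. Separately, this hunk does not show whether `ZipFileRO::openFd` closes the descriptor when it fails and returns null. If it does not, `dupedFd` leaks on that path, so it is worth confirming and recording in a short comment such as `// openFd takes ownership of dupedFd, including on failure`. The enclosing function starts outside the hunk, so the origin and validation of `fd` cannot be checked from here.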