author | Edwin Wong <edwinwong@google.com> | 2021-04-06 23:06:28 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-04-06 23:06:28 +0000 |
commit | 2e056f192323f4f8c71582c4b4c51bc44f80c2a3 (patch) | |
tree | 886346c1448e64e59aca38dffd74f1e247f6d3ce | |
parent | 8e3741aac87ecd2ca4bf43bcc6095d2c4a0fdf03 (diff) | |
parent | abb7ad47b00ae158eded8813801345d91d2b2671 (diff) |
[RESTRICT AUTOMERGE] Fix clearkey CryptoPlugin use after free vulnerability. am: abb7ad47b0
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13499528
Change-Id: I6d702cef4ea2063a4e3d57213c8d2ec36bacd7e9
-rw-r--r-- | drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp | 6 | ||||
-rw-r--r-- | drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h | 7 |
2 files changed, 11 insertions, 2 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index 005e551383..302dd39ddc 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -37,6 +37,8 @@ Return<void> CryptoPlugin::setSharedBufferBase(
 sp<IMemory> hidlMemory = mapMemory(base);
 ALOGE_IF(hidlMemory == nullptr, "mapMemory returns nullptr");
+ std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
 // allow mapMemory to return nullptr
 mSharedBufferMap[bufferId] = hidlMemory;
 return Void();
@@ -94,6 +96,7 @@ Return<void> CryptoPlugin::decrypt_1_2(
 return Void();
 }
+ std::unique_lock<std::mutex> shared_buffer_lock(mSharedBufferLock);
 if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
 _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, "source decrypt buffer base not set");
@@ -151,6 +154,9 @@ Return<void> CryptoPlugin::decrypt_1_2(
 }
 destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
+ // release mSharedBufferLock
+ shared_buffer_lock.unlock();
+
 // Calculate the output buffer size and determine if any subsamples are
 // encrypted.
 size_t destSize = 0;
diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h
index 8680f0ca54..23a64fac50 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h
+++ b/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h
@@ -20,6 +20,8 @@
 #include <android/hardware/drm/1.2/ICryptoPlugin.h>
 #include <android/hidl/memory/1.0/IMemory.h>
+#include <mutex>
+
 #include "ClearKeyTypes.h"
 #include "Session.h"
 #include "Utils.h"
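Review bot: In the decrypt_1_2 hunk at `@@ -151,6 +154,9 @@`, `shared_buffer_lock.unlock()` runs right after `destPtr` is computed, so the raw source and destination pointers are dereferenced for the rest of the function without the lock. That is only safe if the function holds its own `sp<IMemory>` copies of the map entries, taken while the lock was held; the lookup code sits between the two decrypt_1_2 hunks and is not visible here, so this should be confirmed. Without such copies, a concurrent setSharedBufferBase() for the same bufferId could drop the last reference while decryption is still reading or writing the buffer. If the copies exist, I would record the invariant at the unlock: `// Safe to unlock: local sp<IMemory> copies keep both mappings alive; mSharedBufferMap is not touched below.`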
@@ -93,7 +95,7 @@ struct CryptoPlugin : public drm::V1_2::ICryptoPlugin {
 const SharedBuffer& source, uint64_t offset, const DestinationBuffer& destination,
- decrypt_1_2_cb _hidl_cb);
+ decrypt_1_2_cb _hidl_cb) NO_THREAD_SAFETY_ANALYSIS; // use unique_lock
 Return<void> setSharedBufferBase(const hidl_memory& base, uint32_t bufferId);
@@ -105,7 +107,8 @@ struct CryptoPlugin : public drm::V1_2::ICryptoPlugin {
 private:
 CLEARKEY_DISALLOW_COPY_AND_ASSIGN(CryptoPlugin);
- std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
+ std::mutex mSharedBufferLock;
+ std::map<uint32_t, sp<IMemory>> mSharedBufferMap GUARDED_BY(mSharedBufferLock);
 sp<Session> mSession;
 Status mInitStatus;
 }; |
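Review bot: `NO_THREAD_SAFETY_ANALYSIS` on `decrypt_1_2` (hunk `@@ -93,7 +95,7 @@`) turns off the compiler's lock checking for the very function this fix is about, so the `GUARDED_BY(mSharedBufferLock)` added in the following hunk is enforced only in setSharedBufferBase() and any other accessor. The trailing `// use unique_lock` does not say why; presumably the analysis cannot follow a `std::unique_lock` that is released mid-function. I would spell that out: `// Analysis disabled: the std::unique_lock is released before the decrypt loop, which the annotations cannot model. Touch mSharedBufferMap only before shared_buffer_lock.unlock().` A later cleanup could move the map lookups into a small helper that takes a `std::lock_guard` and returns the `sp<IMemory>`, which would let the annotation be dropped. The struct body continues outside both hunks.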