authorEdwin Wong <edwinwong@google.com>2021-04-06 21:49:14 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2021-04-06 21:49:14 +0000
commitc5dc2536b9af56b347c6f9d3977e27e4900f5c49 (patch)
treef93e421e2d80c8984953d319ceb530ccc44598dd
parent2e13f4a3ec5fa24dd1efdad97efa1b2216f3cf22 (diff)
parent79a6ffbdaf14cfbb597efd8545ba401f1da28a4f (diff)
[RESTRICT AUTOMERGE]Fix CryptoPlugin use after free vulnerability. am: 79a6ffbdaf
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13808809 Change-Id: I05e0d7f0260cb4686e7333d1cf8f9afa440b23a0
-rw-r--r--drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp6
-rw-r--r--drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h7
2 files changed, 11 insertions, 2 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index 005e551383..302dd39ddc 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -37,6 +37,8 @@ Return<void> CryptoPlugin::setSharedBufferBase(
sp<IMemory> hidlMemory = mapMemory(base);
ALOGE_IF(hidlMemory == nullptr, "mapMemory returns nullptr");
+ std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
// allow mapMemory to return nullptr
mSharedBufferMap[bufferId] = hidlMemory;
return Void();
@@ -94,6 +96,7 @@ Return<void> CryptoPlugin::decrypt_1_2(
return Void();
}
+ std::unique_lock<std::mutex> shared_buffer_lock(mSharedBufferLock);
if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
_hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0,
"source decrypt buffer base not set");
@@ -151,6 +154,9 @@ Return<void> CryptoPlugin::decrypt_1_2(
}
destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
+ // release mSharedBufferLock
+ shared_buffer_lock.unlock();
+
// Calculate the output buffer size and determine if any subsamples are
// encrypted.
size_t destSize = 0;
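Review bot: The early `shared_buffer_lock.unlock()` is only safe if something other than `mSharedBufferMap` keeps the source and destination mappings alive, and nothing in this hunk shows that. `destPtr` is a raw pointer computed from `base`, and once the lock is dropped a concurrent `setSharedBufferBase` can overwrite the map entry for the same buffer id; if the map held the last strong reference, the mapping could be released while the code below still uses the raw pointers. Presumably the function takes local `sp<IMemory>` copies earlier, outside this hunk; if so, the comment should state that invariant instead of restating the call, e.g. `// Safe to unlock: local sp<IMemory> copies keep both mappings alive and the map is not touched below.` The body of decrypt_1_2 starts and ends outside the hunk, so this should be confirmed against the full function.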
diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h
index 8680f0ca54..23a64fac50 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h
+++ b/drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h
@@ -20,6 +20,8 @@
#include <android/hardware/drm/1.2/ICryptoPlugin.h>
#include <android/hidl/memory/1.0/IMemory.h>
+#include <mutex>
+
#include "ClearKeyTypes.h"
#include "Session.h"
#include "Utils.h"
@@ -93,7 +95,7 @@ struct CryptoPlugin : public drm::V1_2::ICryptoPlugin {
const SharedBuffer& source,
uint64_t offset,
const DestinationBuffer& destination,
- decrypt_1_2_cb _hidl_cb);
+ decrypt_1_2_cb _hidl_cb) NO_THREAD_SAFETY_ANALYSIS; // use unique_lock
Return<void> setSharedBufferBase(const hidl_memory& base,
uint32_t bufferId);
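Review bot: `NO_THREAD_SAFETY_ANALYSIS` on `decrypt_1_2` switches off the `GUARDED_BY(mSharedBufferLock)` check for the very function this commit fixes, so a later edit that reads `mSharedBufferMap` after the unlock would compile without a warning. The trailing `// use unique_lock` suggests the opt-out exists only because the analysis cannot follow `std::unique_lock`. Putting the map lookups in a braced scope under a `std::lock_guard`, as `setSharedBufferBase` does, would probably let the attribute be dropped. If the opt-out stays, the comment should give the reason and the rule, e.g. `// analysis cannot track std::unique_lock; access mSharedBufferMap only before unlock()`.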
@@ -105,7 +107,8 @@ struct CryptoPlugin : public drm::V1_2::ICryptoPlugin {
private:
CLEARKEY_DISALLOW_COPY_AND_ASSIGN(CryptoPlugin);
- std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
+ std::mutex mSharedBufferLock;
+ std::map<uint32_t, sp<IMemory>> mSharedBufferMap GUARDED_BY(mSharedBufferLock);
sp<Session> mSession;
Status mInitStatus;
};