summaryrefslogtreecommitdiff
path: root/graphics/java/android/renderscript/ProgramFragmentFixedFunction.java
diff options
context:
space:
mode:
authorTej Singh <singhtejinder@google.com>2019-09-20 19:28:53 -0700
committerBryan Ferris <bferris@google.com>2019-12-18 12:58:02 -0800
commit0c4a21e4eaef1b60a1860d889bc37c81437cb055 (patch)
treeb860653c60495dfe08e79e3015e375bcf4f8cfaa /graphics/java/android/renderscript/ProgramFragmentFixedFunction.java
parentad00dc0482b80a76e4de22193721f35d02a1cffe (diff)
Security Fix: Race Condition + NPE
ShellSubscriber is lazily initialized, and multiple threads can attempt to write the same pointer since it is not initialized in threadsafe code. Additionally, there is an NPE that crashes statsd when a null ResultReceiver is passed in, which allows an attacker to repeatedly crash statsd until the race condition occurs. More details, including a proof of concept attack, are in the bug. Bug: 141243101 Test: repro steps in bug no longer crash statsd Test: with only the lock on iniitiallizing mShellSubscriber, statsd still crashed but after ~7 minutes, no race condition occurred. Change-Id: Ib56f888620497fb41d1627c07867693eb251738e
Diffstat (limited to 'graphics/java/android/renderscript/ProgramFragmentFixedFunction.java')
0 files changed, 0 insertions, 0 deletions