[RESTRICT AUTOMERGE] Fix CryptoPlugin use after free vulnerability. am: a4e76aab23

Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/13812193 Change-Id: I59565fec934a5be32b5c5f32b6586965a7d9a932
author: Edwin Wong <edwinwong@google.com> 2021-04-06 21:49:14 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2021-04-06 21:49:14 +0000
commit: 6effd16a8b75cac0bd42e0639ebccc3f8b5d214a (patch)
tree: 1fcd877fcbcdbf827c4335b1ec8860d479053e81 /drm/1.0/default/CryptoPlugin.cpp
parent: 217962707889edcd9cc40080a3b3ab1cb3e95c0a (diff)
parent: a4e76aab230a565dd0cef11e2e6e2d782b685327 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 17a2f241b4..8dea7e9324 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -53,6 +53,8 @@ namespace implementation {
             uint32_t bufferId) {
         sp<IMemory> hidlMemory = mapMemory(base);
 
+        std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
         // allow mapMemory to return nullptr
         mSharedBufferMap[bufferId] = hidlMemory;
         return Void();
@@ -65,7 +67,7 @@ namespace implementation {
             const SharedBuffer& source, uint64_t offset,
             const DestinationBuffer& destination,
             decrypt_cb _hidl_cb) {
-
+        std::unique_lock<std::mutex> shared_buffer_lock(mSharedBufferLock);
         if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
             _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "source decrypt buffer base not set");
             return Void();
@@ -173,6 +175,10 @@ namespace implementation {
             _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
             return Void();
         }
+
+        // release mSharedBufferLock
+        shared_buffer_lock.unlock();
+
         ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
                 legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),
                 subSamples.size(), destPtr, &detailMessage);
author	Edwin Wong <edwinwong@google.com>	2021-04-06 21:49:14 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2021-04-06 21:49:14 +0000
commit	6effd16a8b75cac0bd42e0639ebccc3f8b5d214a (patch)
tree	1fcd877fcbcdbf827c4335b1ec8860d479053e81 /drm/1.0/default/CryptoPlugin.cpp
parent	217962707889edcd9cc40080a3b3ab1cb3e95c0a (diff)
parent	a4e76aab230a565dd0cef11e2e6e2d782b685327 (diff)