path: root/identity/support/src/cppbor_parse.cpp
author: Edwin Wong <edwinwong@google.com> 2021-03-08 18:46:42 -0800
committer: Edwin Wong <edwinwong@google.com> 2021-04-02 21:50:49 +0000
commit: a4e76aab230a565dd0cef11e2e6e2d782b685327 (patch)
tree: 93febd7f7062bb301ce579f2db939328b88caab9 /identity/support/src/cppbor_parse.cpp
parent: e289b4aa839a1bdfd2c9a25a0e8e11b76f81da4b (diff)
[RESTRICT AUTOMERGE] Fix CryptoPlugin use after free vulnerability.

The shared memory buffer used by srcPtr can be freed by another thread
because it is not protected by a mutex. Subsequently, a use after free
SIGABRT can occur in a race condition.

SafetyNet logging is not added to avoid log spamming. The mutex lock is
called to set up for decryption, which is called frequently.

The crash was reproduced on the device before the fix.
Verified the test passes after the fix.

Test: sts sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665
Test: push to device with target_hwasan-userdebug build
      adb shell /data/local/tmp/Bug-176495665_sts64
Bug: 176495665
Bug: 176444161
Change-Id: I4c83c44873eef960b654f387a3574fcad49c41a9
Diffstat (limited to 'identity/support/src/cppbor_parse.cpp')
0 files changed, 0 insertions, 0 deletions