path: root/identity/support/src/cppbor_parse.cpp
author: Edwin Wong <edwinwong@google.com> 2021-01-23 17:25:14 -0800
committer: Edwin Wong <edwinwong@google.com> 2021-03-30 15:42:34 -0700
commit: ae1c624ba44ccc43dc8371328a4b3caa017c0ff8
tree: f03143b1b1ded16fb11adc3e63b2a6a01892b107 /identity/support/src/cppbor_parse.cpp
parent: ef66293e9a9d84c8592eae82978842767359ccf6
[RESTRICT AUTOMERGE] Fix CryptoPlugin use after free vulnerability.

The shared memory buffer used by srcPtr can be freed by another thread
because it is not protected by a mutex. Subsequently, a use after free
SIGABRT can occur in a race condition.

SafetyNet logging is not added to avoid log spamming. The mutex lock
is called to set up for decryption, which is called frequently.

Test is run on rvc-dev branch, using target_hwasan-userdebug build.

Test: sts
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665

Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-176495665_sts64

Bug: 176495665
Bug: 176444161
Change-Id: I3ec33cd444183f40ee76bec4c88dec0dac859cd3

Diffstat (limited to 'identity/support/src/cppbor_parse.cpp')
0 files changed, 0 insertions, 0 deletions