Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dab37c25 authored Jun 21, 2022 by Edwin Wong

RESTRICT AUTOMERGE - [Fix vulnerability] setSecurityLevel in clearkey

Potential race condition in clearkey setSecurityLevel.

POC test in http://go/ag/19083795

Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209

Bug: 235601882
Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b

parent 5ee38243

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

+2 −0

Original line number	Diff line number	Diff line
		@@ -610,6 +610,7 @@ Return<void> DrmPlugin::getSecurityLevel(const hidl_vec<uint8_t>& sessionId,
		return Void();
		}

		Mutex::Autolock lock(mSecurityLevelLock);
		std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
		mSecurityLevel.find(sid);
		if (itr == mSecurityLevel.end()) {
		@@ -640,6 +641,7 @@ Return<Status> DrmPlugin::setSecurityLevel(const hidl_vec<uint8_t>& sessionId,
		return Status::ERROR_DRM_SESSION_NOT_OPENED;
		}

		Mutex::Autolock lock(mSecurityLevelLock);
		std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
		mSecurityLevel.find(sid);
		if (itr != mSecurityLevel.end()) {

drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

+3 −1

Original line number	Diff line number	Diff line
		@@ -398,7 +398,8 @@ private:
		std::map<std::string, std::string> mStringProperties;
		std::map<std::string, std::vector<uint8_t> > mByteArrayProperties;
		std::map<std::string, std::vector<uint8_t> > mReleaseKeysMap;
		std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel;
		std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel
		GUARDED_BY(mSecurityLevelLock);
		sp<IDrmPluginListener> mListener;
		sp<IDrmPluginListener_V1_2> mListenerV1_2;
		SessionLibrary *mSessionLibrary;
		@@ -418,6 +419,7 @@ private:

		Mutex mFileHandleLock;
		DeviceFiles mFileHandle GUARDED_BY(mFileHandleLock);
		Mutex mSecurityLevelLock;

		CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);
		};