
Commit 1d11b3dd authored by Dianne Hackborn's avatar Dianne Hackborn Committed by Michael Bestas

Fix issue #27252896: Security Vulnerability -- weak binder

Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object.  We need to try to
safely promote to a strong reference first.

Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(manually cherry picked and resolved conflicts from commit
c1114610)
(cherry picked from commit 41e7b178)
parent 9c55c870
+12 −3
@@ -1074,9 +1074,18 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
                    << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
            }
            if (tr.target.ptr) {
                sp<BBinder> b((BBinder*)tr.cookie);
                const status_t error = b->transact(tr.code, buffer, &reply, tr.flags);
                // We only have a weak reference on the target object, so we must first try to
                // safely acquire a strong reference before doing anything else with it.
                if (reinterpret_cast<RefBase::weakref_type*>(
                        tr.target.ptr)->attemptIncStrong(this)) {
                    const status_t error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,
                            &reply, tr.flags);
                    reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this);
                    if (error < NO_ERROR) reply.setError(error);
                } else {
                    const status_t error = UNKNOWN_TRANSACTION;
                    if (error < NO_ERROR) reply.setError(error);
                }

            } else {
                const status_t error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
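Review bot: In the new else branch, `const status_t error = UNKNOWN_TRANSACTION; if (error < NO_ERROR) reply.setError(error);` tests a constant, and assuming UNKNOWN_TRANSACTION has its usual negative value the guard is always true; `reply.setError(UNKNOWN_TRANSACTION);` says the same thing directly. The added comment should also record the invariant the fix depends on, for example `// tr.target.ptr is the weakref_type, which stays valid while the weak ref is held; tr.cookie (the BBinder) must not be dereferenced until attemptIncStrong() succeeds.` This matters because the promotion and the matching `decStrong(this)` are hand-paired on raw casts of `tr.cookie`, so any early exit added later between them would leak the strong reference. A failed promotion is currently silent, so a log line on that path would make attempts to reach a dead object through a weak handle visible to whoever triages them. The body of executeCommand starts and ends outside this hunk.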