Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0390207e authored Jul 09, 2022 by Edwin Wong

[Fix vulnerability] setSecurityLevel in clearkey

Potential race condition in clearkey setSecurityLevel.

POC test in http://go/ag/19083795

Test: adb shell /data/nativetest/Bug-235601882_sts64

Bug: 235601882
Change-Id: I2e2084e85fe45d7d7f958c59b0063a477c7d24bf

parent 13459e82

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

+4 −0

Original line number	Diff line number	Diff line
		@@ -619,6 +619,8 @@ Return<void> DrmPlugin::getSecurityLevel(const hidl_vec<uint8_t>& sessionId,
		return Void();
		}

		android_errorWriteLog(0x534e4554, "235601882");
		Mutex::Autolock lock(mSecurityLevelLock);
		std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
		mSecurityLevel.find(sid);
		if (itr == mSecurityLevel.end()) {
		@@ -691,6 +693,8 @@ Return<Status> DrmPlugin::setSecurityLevel(const hidl_vec<uint8_t>& sessionId,
		return Status::ERROR_DRM_SESSION_NOT_OPENED;
		}

		android_errorWriteLog(0x534e4554, "235601882");
		Mutex::Autolock lock(mSecurityLevelLock);
		std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
		mSecurityLevel.find(sid);
		if (itr != mSecurityLevel.end()) {

drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

+3 −1

Original line number	Diff line number	Diff line
		@@ -414,7 +414,6 @@ private:
		std::map<std::string, std::vector<uint8_t> > mByteArrayProperties;
		std::map<std::string, std::vector<uint8_t> > mReleaseKeysMap;
		std::map<std::vector<uint8_t>, std::string> mPlaybackId;
		std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel;
		sp<IDrmPluginListener> mListener;
		sp<IDrmPluginListener_V1_2> mListenerV1_2;
		SessionLibrary *mSessionLibrary;
		@@ -434,6 +433,9 @@ private:

		DeviceFiles mFileHandle;
		Mutex mSecureStopLock;
		Mutex mSecurityLevelLock;
		std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel
		GUARDED_BY(mSecurityLevelLock);

		CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);
		};