Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1fe8a63c authored by Ravneet Dhanjal's avatar Ravneet Dhanjal
Browse files

Camera: Fix use-after-free issue with provider instance 

- Use copy of removed provider instance in case it is erased
when accessing mProviderPidMap

Test: Reproduced on oriole hwasan target and tested change
Bug: 366671893
Flag: EXEMPT bugfix
Change-Id: I01e9ca6c080269732c5409d34726473e0268bb47
parent f8c01058

services/camera/libcameraservice/common/aidl/AidlProviderInfo.cpp

+2 −2
Original line number Diff line number Diff line
@@ -202,7 +202,7 @@ status_t AidlProviderInfo::initializeAidlProvider( 
void AidlProviderInfo::binderDied(void *cookie) {

    AidlProviderInfo *provider = reinterpret_cast<AidlProviderInfo *>(cookie);

    ALOGI("Camera provider '%s' has died; removing it", provider->mProviderInstance.c_str());

    provider->mManager->removeProvider(provider->mProviderInstance);

    provider->mManager->removeProvider(std::string(provider->mProviderInstance));

}



status_t AidlProviderInfo::setUpVendorTags() {
@@ -320,7 +320,7 @@ const std::shared_ptr<ICameraProvider> AidlProviderInfo::startProviderInterface( 
    if (link != STATUS_OK) {

        ALOGW("%s: Unable to link to provider '%s' death notifications",

                __FUNCTION__, mProviderName.c_str());

        mManager->removeProvider(mProviderInstance);

        mManager->removeProvider(std::string(mProviderInstance));

        return nullptr;

    }

services/camera/libcameraservice/common/hidl/HidlProviderInfo.cpp

+2 −2
Original line number Diff line number Diff line
@@ -391,7 +391,7 @@ HidlProviderInfo::startProviderInterface() { 
                  __FUNCTION__,

                  mProviderName.c_str(),

                  linked.description().c_str());

              mManager->removeProvider(mProviderInstance);

              mManager->removeProvider(std::string(mProviderInstance));

              return nullptr;

            } else if (!linked) {

              ALOGW("%s: Unable to link to provider '%s' death notifications",
@@ -451,7 +451,7 @@ void HidlProviderInfo::serviceDied(uint64_t cookie, 
        ALOGW("%s: Unexpected serviceDied cookie %" PRIu64 ", expected %" PRIu32,

                __FUNCTION__, cookie, mId);

    }

    mManager->removeProvider(mProviderInstance);

    mManager->removeProvider(std::string(mProviderInstance));

}



std::unique_ptr<CameraProviderManager::ProviderInfo::DeviceInfo>