Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit daa95ee1 authored by Edwin Wong's avatar Edwin Wong Committed by Android Build Coastguard Worker
Browse files

[Fix vulnerability] setSecurityLevel in clearkey 

Potential race condition in clearkey setSecurityLevel.

POC test in http://go/ag/19083795

Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209

Bug: 235601882
Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b
Merged-In: I2e2084e85fe45d7d7f958c59b0063a477c7d24bf
(cherry picked from commit 9bfc2fbc)
Merged-In: I6447fb539ef0cb395772c61e6f3e1504ccde331b
parent 8051a196

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

+2 −0
Original line number Diff line number Diff line
@@ -619,6 +619,7 @@ Return<void> DrmPlugin::getSecurityLevel(const hidl_vec<uint8_t>& sessionId, 
        return Void();

    }



    Mutex::Autolock lock(mSecurityLevelLock);

    std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =

            mSecurityLevel.find(sid);

    if (itr == mSecurityLevel.end()) {
@@ -691,6 +692,7 @@ Return<Status> DrmPlugin::setSecurityLevel(const hidl_vec<uint8_t>& sessionId, 
        return Status::ERROR_DRM_SESSION_NOT_OPENED;

    }



    Mutex::Autolock lock(mSecurityLevelLock);

    std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =

            mSecurityLevel.find(sid);

    if (itr != mSecurityLevel.end()) {

drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

+3 −1
Original line number Diff line number Diff line
@@ -414,7 +414,8 @@ private: 
    std::map<std::string, std::vector<uint8_t> > mByteArrayProperties;

    std::map<std::string, std::vector<uint8_t> > mReleaseKeysMap;

    std::map<std::vector<uint8_t>, std::string> mPlaybackId;

    std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel;

    std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel

        GUARDED_BY(mSecurityLevelLock);

    sp<IDrmPluginListener> mListener;

    sp<IDrmPluginListener_V1_2> mListenerV1_2;

    SessionLibrary *mSessionLibrary;
@@ -434,6 +435,7 @@ private: 


    DeviceFiles mFileHandle;

    Mutex mSecureStopLock;

    Mutex mSecurityLevelLock;



    CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);

};