Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit effa2b51 authored by Edwin Wong's avatar Edwin Wong Committed by Automerger Merge Worker
Browse files

[RESTRICT AUTOMERGE]Fix CryptoPlugin use after free vulnerability. am: 79a6ffbd am: c5dc2536 

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13808809

Change-Id: Ie68d50b9eed47edf8f6baa8fd2086defc8c10622
parents 9ea359b3 c5dc2536

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+6 −0
Original line number Diff line number Diff line
@@ -37,6 +37,8 @@ Return<void> CryptoPlugin::setSharedBufferBase( 
    sp<IMemory> hidlMemory = mapMemory(base);

    ALOGE_IF(hidlMemory == nullptr, "mapMemory returns nullptr");



    std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);



    // allow mapMemory to return nullptr

    mSharedBufferMap[bufferId] = hidlMemory;

    return Void();
@@ -94,6 +96,7 @@ Return<void> CryptoPlugin::decrypt_1_2( 
        return Void();

    }



    std::unique_lock<std::mutex> shared_buffer_lock(mSharedBufferLock);

    if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {

      _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0,

               "source decrypt buffer base not set");
@@ -151,6 +154,9 @@ Return<void> CryptoPlugin::decrypt_1_2( 
    }

    destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);



    // release mSharedBufferLock

    shared_buffer_lock.unlock();



    // Calculate the output buffer size and determine if any subsamples are

    // encrypted.

    size_t destSize = 0;

drm/mediadrm/plugins/clearkey/hidl/include/CryptoPlugin.h

+5 −2
Original line number Diff line number Diff line
@@ -20,6 +20,8 @@ 
#include <android/hardware/drm/1.2/ICryptoPlugin.h>

#include <android/hidl/memory/1.0/IMemory.h>



#include <mutex>



#include "ClearKeyTypes.h"

#include "Session.h"

#include "Utils.h"
@@ -93,7 +95,7 @@ struct CryptoPlugin : public drm::V1_2::ICryptoPlugin { 
            const SharedBuffer& source,

            uint64_t offset,

            const DestinationBuffer& destination,

            decrypt_1_2_cb _hidl_cb);

            decrypt_1_2_cb _hidl_cb) NO_THREAD_SAFETY_ANALYSIS; // use unique_lock



    Return<void> setSharedBufferBase(const hidl_memory& base,

            uint32_t bufferId);
@@ -105,7 +107,8 @@ struct CryptoPlugin : public drm::V1_2::ICryptoPlugin { 
private:

    CLEARKEY_DISALLOW_COPY_AND_ASSIGN(CryptoPlugin);



    std::map<uint32_t, sp<IMemory> > mSharedBufferMap;

    std::mutex mSharedBufferLock;

    std::map<uint32_t, sp<IMemory>> mSharedBufferMap GUARDED_BY(mSharedBufferLock);

    sp<Session> mSession;

    Status mInitStatus;

};