
Commit 02751bc6 authored by John Wu, committed by Android Build Coastguard Worker

Do not recycle Parcel when lazy value is used

Recycling the parcel when all lazy values are consumed in a bundle may
lead to several UAF issues. However, resources tied to the parcel,
especially file descriptors, should be released as soon as possible, and
it should not wait until the next GC cycle.

To work around this issue, we expose the destroy() method in Parcel, and
update BaseBundle's implementation to destroy the dangling parcel when
mLazyValues is zero, and never call recycle that may lead to reuse of
these Parcel instances. By doing so, we completely remove any
possibility of UAF with regard to Bundle and lazy values.

Flag: EXEMPT security fix
Test: TH
Bug: 377704076
Bug: 381885240
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:d20f3599f89388d181735db351879d2487cc331b
Merged-In: Ibb28bf81f9028c18baad4e898e387a3e6192db5d
Change-Id: Ibb28bf81f9028c18baad4e898e387a3e6192db5d
parent 08a07667
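
A simplified model of the hazard the commit message describes, as an added example that is not code from this commit or from the Android framework. `PooledBuffer` and its `obtain`, `recycle` and `destroy` methods are hypothetical stand-ins for a pooled, resource-holding object; the second holder of the reference is an assumed scenario.

```java
import java.util.ArrayDeque;

// Hypothetical stand-in for a pooled, resource-holding object (not android.os.Parcel).
final class PooledBuffer {
    private static final ArrayDeque<PooledBuffer> POOL = new ArrayDeque<>();
    private String data;        // stands in for native memory / file descriptors
    private boolean destroyed;
    static PooledBuffer obtain() {
        PooledBuffer b = POOL.poll();
        return b != null ? b : new PooledBuffer();
    }

    void write(String s) { checkAlive(); data = s; }
    String read() { checkAlive(); return data; }

    // Releases resources AND returns the instance to the pool: any reference
    // still held elsewhere now aliases whatever the next obtain() caller stores.
    void recycle() { data = null; POOL.push(this); }

    // Releases resources immediately but never re-enters the pool, so a stale
    // reference can only hit the liveness check, not another owner's data.
    void destroy() { data = null; destroyed = true; }
    private void checkAlive() { if (destroyed) throw new IllegalStateException("buffer destroyed"); }
}

public class LazyValueDemo {
    public static void main(String[] args) {
        // Case 1: recycle while a second holder still has the instance (assumed scenario).
        PooledBuffer a = PooledBuffer.obtain();
        a.write("bundle A payload");
        PooledBuffer stale = a;
        a.recycle();
        PooledBuffer b = PooledBuffer.obtain();   // the pool hands back the same instance
        b.write("bundle B secret");
        System.out.println("after recycle: stale reads -> " + stale.read());

        // Case 2: destroy instead; resources are released without waiting for GC.
        PooledBuffer c = PooledBuffer.obtain();   // pool is empty, so this is a new instance
        c.write("bundle C payload");
        PooledBuffer stale2 = c;
        c.destroy();
        try {
            stale2.read();
        } catch (IllegalStateException e) {
            System.out.println("after destroy: stale read rejected (" + e.getMessage() + ")");
        }
    }
}
```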