Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5951b43a authored by Arthur Ishiguro's avatar Arthur Ishiguro Committed by Automerger Merge Worker
Browse files

Merge "Prevent mEventCache UAF in SensorEventConnection" into rvc-dev am: 5adafe2d am: 81c8fe38 

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/native/+/12757250

Change-Id: I9966427ab7f593152a3a48bfdcc647cb2130fcea
parents 989e9978 81c8fe38

services/sensorservice/SensorEventConnection.cpp

+18 −10
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ 
 * limitations under the License.

 */



#include <log/log.h>

#include <sys/socket.h>

#include <utils/threads.h>
@@ -47,20 +48,13 @@ SensorService::SensorEventConnection::SensorEventConnection( 
SensorService::SensorEventConnection::~SensorEventConnection() {

    ALOGD_IF(DEBUG_CONNECTIONS, "~SensorEventConnection(%p)", this);

    destroy();

}



void SensorService::SensorEventConnection::destroy() {

    Mutex::Autolock _l(mDestroyLock);



    // destroy once only

    if (mDestroyed) {

        return;

    }



    mService->cleanupConnection(this);

    if (mEventCache != nullptr) {

        delete[] mEventCache;

    }

}



void SensorService::SensorEventConnection::destroy() {

    mDestroyed = true;

}
@@ -665,6 +659,11 @@ status_t SensorService::SensorEventConnection::enableDisable( 
        int handle, bool enabled, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs,

        int reservedFlags)

{

    if (mDestroyed) {

        android_errorWriteLog(0x534e4554, "168211968");

        return DEAD_OBJECT;

    }



    status_t err;

    if (enabled) {

        err = mService->enable(this, handle, samplingPeriodNs, maxBatchReportLatencyNs,
@@ -679,10 +678,19 @@ status_t SensorService::SensorEventConnection::enableDisable( 
status_t SensorService::SensorEventConnection::setEventRate(

        int handle, nsecs_t samplingPeriodNs)

{

    if (mDestroyed) {

        android_errorWriteLog(0x534e4554, "168211968");

        return DEAD_OBJECT;

    }



    return mService->setEventRate(this, handle, samplingPeriodNs, mOpPackageName);

}



status_t  SensorService::SensorEventConnection::flush() {

    if (mDestroyed) {

        return DEAD_OBJECT;

    }



    return  mService->flushSensor(this, mOpPackageName);

}

services/sensorservice/SensorEventConnection.h

+3 −2
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 
#ifndef ANDROID_SENSOR_EVENT_CONNECTION_H

#define ANDROID_SENSOR_EVENT_CONNECTION_H



#include <atomic>

#include <stdint.h>

#include <sys/types.h>

#include <unordered_map>
@@ -182,8 +183,8 @@ private: 
    int mTotalAcksNeeded, mTotalAcksReceived;

#endif



    mutable Mutex mDestroyLock;

    bool mDestroyed;

    // Used to track if this object was inappropriately used after destroy().

    std::atomic_bool mDestroyed;



    // Store a mapping of sensor handles to required AppOp for a sensor. This map only contains a

    // valid mapping for sensors that require a permission in order to reduce the lookup time.