Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1465d183 authored by Edwin Wong's avatar Edwin Wong Committed by Automerger Merge Worker
Browse files

Merge "Fix CryptoPlugin use after free vulnerability." into sc-dev am: 9cb545e6 

Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/14066086

Change-Id: Iaac2c7d6c4c38c395b8560c6358dad4a994be777
parents a0a9b0a0 9cb545e6

drm/1.0/default/Android.bp

+8 −7
Original line number Diff line number Diff line
@@ -32,6 +32,7 @@ cc_library_static { 
        "-Werror",

        "-Wextra",

        "-Wall",

        "-Wthread-safety",

    ],

    shared_libs: [

        "liblog",
@@ -42,7 +43,7 @@ cc_library_static { 
    export_header_lib_headers: [

        "libutils_headers",

    ],

    export_include_dirs : ["include"]

    export_include_dirs: ["include"],

}



soong_config_module_type {
@@ -59,8 +60,8 @@ android_hardware_drm_1_0_multilib { 
    soong_config_variables: {

        TARGET_ENABLE_MEDIADRM_64: {

            compile_multilib: "both",

        }

    }

        },

    },

}



android_hardware_drm_1_0_multilib {
@@ -69,8 +70,8 @@ android_hardware_drm_1_0_multilib { 
    soong_config_variables: {

        TARGET_ENABLE_MEDIADRM_64: {

            compile_multilib: "first",

        }

    }

        },

    },

}



cc_defaults {
@@ -98,7 +99,7 @@ cc_binary { 
    name: "android.hardware.drm@1.0-service",

    defaults: [

        "android.hardware.drm@1.0-multilib-exe",

        "android.hardware.drm@1.0-service-defaults"

        "android.hardware.drm@1.0-service-defaults",

    ],

    init_rc: ["android.hardware.drm@1.0-service.rc"],

    srcs: ["service.cpp"],
@@ -110,7 +111,7 @@ cc_binary { 
    name: "android.hardware.drm@1.0-service-lazy",

    defaults: [

        "android.hardware.drm@1.0-multilib-exe",

        "android.hardware.drm@1.0-service-defaults"

        "android.hardware.drm@1.0-service-defaults",

    ],

    overrides: ["android.hardware.drm@1.0-service"],

    init_rc: ["android.hardware.drm@1.0-service-lazy.rc"],

drm/1.0/default/CryptoPlugin.cpp

+7 −1
Original line number Diff line number Diff line
@@ -53,6 +53,8 @@ namespace implementation { 
            uint32_t bufferId) {

        sp<IMemory> hidlMemory = mapMemory(base);



        std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);



        // allow mapMemory to return nullptr

        mSharedBufferMap[bufferId] = hidlMemory;

        return Void();
@@ -65,7 +67,7 @@ namespace implementation { 
            const SharedBuffer& source, uint64_t offset,

            const DestinationBuffer& destination,

            decrypt_cb _hidl_cb) {



        std::unique_lock<std::mutex> shared_buffer_lock(mSharedBufferLock);

        if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {

            _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "source decrypt buffer base not set");

            return Void();
@@ -173,6 +175,10 @@ namespace implementation { 
            _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");

            return Void();

        }



        // release mSharedBufferLock

        shared_buffer_lock.unlock();



        ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),

                legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),

                subSamples.size(), destPtr, &detailMessage);

drm/1.0/default/CryptoPlugin.h

+13 −8
Original line number Diff line number Diff line
@@ -17,11 +17,14 @@ 
#ifndef ANDROID_HARDWARE_DRM_V1_0__CRYPTOPLUGIN_H

#define ANDROID_HARDWARE_DRM_V1_0__CRYPTOPLUGIN_H



#include <android/hidl/memory/1.0/IMemory.h>

#include <android-base/thread_annotations.h>

#include <android/hardware/drm/1.0/ICryptoPlugin.h>

#include <android/hidl/memory/1.0/IMemory.h>

#include <hidl/Status.h>

#include <media/hardware/CryptoAPI.h>



#include <mutex>



namespace android {

namespace hardware {

namespace drm {
@@ -60,19 +63,21 @@ struct CryptoPlugin : public ICryptoPlugin { 
    Return<void> setSharedBufferBase(const ::android::hardware::hidl_memory& base,

        uint32_t bufferId) override;



    Return<void> decrypt(bool secure, const hidl_array<uint8_t, 16>& keyId,

            const hidl_array<uint8_t, 16>& iv, Mode mode, const Pattern& pattern,

            const hidl_vec<SubSample>& subSamples, const SharedBuffer& source,

            uint64_t offset, const DestinationBuffer& destination,

            decrypt_cb _hidl_cb) override;

    Return<void> decrypt(

            bool secure, const hidl_array<uint8_t, 16>& keyId, const hidl_array<uint8_t, 16>& iv,

            Mode mode, const Pattern& pattern, const hidl_vec<SubSample>& subSamples,

            const SharedBuffer& source, uint64_t offset, const DestinationBuffer& destination,

            decrypt_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS;  // use unique_lock



  private:

    android::CryptoPlugin *mLegacyPlugin;

    std::map<uint32_t, sp<IMemory> > mSharedBufferMap;

    std::map<uint32_t, sp<IMemory>> mSharedBufferMap GUARDED_BY(mSharedBufferLock);



    CryptoPlugin() = delete;

    CryptoPlugin(const CryptoPlugin &) = delete;

    void operator=(const CryptoPlugin &) = delete;



    std::mutex mSharedBufferLock;

};



}  // namespace implementation