Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d17e3b5f authored by Mathias Agopian's avatar Mathias Agopian Committed by Android (Google) Code Review
Browse files

prevent a client from crashing surfaceflinger 

a misbehaving or malicious client could cause SF to crash
by providing a "fake" IInterface. we now check the
IInterface we get is our own and local.

Bug: 7278879
Change-Id: Ia19d05902d4b2385c5a16416148378d4998833fd
parent ba7dc2db

services/surfaceflinger/SurfaceFlinger.cpp

+17 −2
Original line number Diff line number Diff line
@@ -1681,9 +1681,24 @@ void SurfaceFlinger::setTransactionState( 
    count = state.size();

    for (size_t i=0 ; i<count ; i++) {

        const ComposerState& s(state[i]);

        // Here we need to check that the interface we're given is indeed

        // one of our own. A malicious client could give us a NULL

        // IInterface, or one of its own or even one of our own but a

        // different type. All these situations would cause us to crash.

        //

        // NOTE: it would be better to use RTTI as we could directly check

        // that we have a Client*. however, RTTI is disabled in Android.

        if (s.client != NULL) {

            sp<IBinder> binder = s.client->asBinder();

            if (binder != NULL) {

                String16 desc(binder->getInterfaceDescriptor());

                if (desc == ISurfaceComposerClient::descriptor) {

                    sp<Client> client( static_cast<Client *>(s.client.get()) );

                    transactionFlags |= setClientStateLocked(client, s.state);

                }

            }

        }

    }



    if (transactionFlags) {

        // this triggers the transaction