From 532240f4eb07e638e306d59fb666b4dd8c8bce71 Mon Sep 17 00:00:00 2001
From: Mikhail Naganov
Date: Wed, 4 Dec 2019 16:18:50 -0800
Subject: [PATCH] Audio HAL: Fix UAF if the effect is removed after close

Effect::close in V6 releases the underlying HAL effect. It was not removing the effect entry from the effects map, thus a call to Stream::removeEffect was retrieving a stale handle.

Bug: 145656878
Test: start and stop recording for VOICE_COMMUNICATION
Change-Id: I47f486d3b6b4b0dc29acd1e3a2093e421b28d90b
---
 audio/effect/all-versions/default/Effect.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/audio/effect/all-versions/default/Effect.cpp b/audio/effect/all-versions/default/Effect.cpp
index 0afa779f03..33ec996d57 100644
--- a/audio/effect/all-versions/default/Effect.cpp
+++ b/audio/effect/all-versions/default/Effect.cpp
@@ -713,7 +713,10 @@ Return Effect::close() {
 #elif MAJOR_VERSION >= 6
 // No need to join the processing thread, it is part of the API contract that the client
 // must finish processing before closing the effect.
- return analyzeStatus("EffectRelease", "", sContextCallFunction, EffectRelease(mHandle));
+ Result retval =
+ analyzeStatus("EffectRelease", "", sContextCallFunction, EffectRelease(mHandle));
+ EffectMap::getInstance().remove(mHandle);
+ return retval;
 #endif
 }
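Review bot: The stale-handle window is narrowed rather than closed in the V6 branch of Effect::close, because the map entry is removed only after `EffectRelease(mHandle)` has returned; if a lookup such as the Stream::removeEffect path named in the commit message can run on another thread in between, it could still fetch the released handle. Unpublishing first would avoid that, assuming EffectMap::remove only compares the handle value: `EffectMap::getInstance().remove(mHandle);` followed by `return analyzeStatus("EffectRelease", "", sContextCallFunction, EffectRelease(mHandle));`. mHandle itself keeps the released value after this returns, and whether a repeated close() or later calls on the object are guarded cannot be seen here, since the start of close() lies outside the hunk. A short comment such as `// Drop the map entry so Stream::removeEffect cannot look up the released handle.` would keep the reason next to the code instead of only in the commit message.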