Merge "[RESTRICT AUTOMERGE] Fix CryptoPlugin use after free vulnerability." into oc-mr1-dev

2026-02-01 16:09:42 +00:00 · 2021-04-06 22:27:14 +00:00
parent d468101f14 7e4c587ae3
commit c73a52277f
3 changed files with 21 additions and 10 deletions
--- a/drm/1.0/default/Android.bp
+++ b/drm/1.0/default/Android.bp
@@ -9,6 +9,7 @@ cc_library_static {
        "-Werror",
        "-Wextra",
        "-Wall",
        "-Wthread-safety",
    ],
    shared_libs: [
        "liblog",
@@ -19,5 +20,5 @@ cc_library_static {
    export_header_lib_headers: [
        "libutils_headers",
    ],
-    export_include_dirs : ["include"]
+    export_include_dirs: ["include"],
 }
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -54,6 +54,8 @@ namespace implementation {
        sp<IMemory> hidlMemory = mapMemory(base);
        ALOGE_IF(hidlMemory == nullptr, "mapMemory returns nullptr");
        std::unique_lock<std::mutex> lock(mSharedBufferLock);
        // allow mapMemory to return nullptr
        mSharedBufferMap[bufferId] = hidlMemory;
        return Void();
@@ -66,7 +68,7 @@ namespace implementation {
            const SharedBuffer& source, uint64_t offset,
            const DestinationBuffer& destination,
            decrypt_cb _hidl_cb) {
-
+        std::unique_lock<std::mutex> lock(mSharedBufferLock);
        if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
            _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "source decrypt buffer base not set");
            return Void();
@@ -179,6 +181,9 @@ namespace implementation {
            _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
            return Void();
        }
        // release mSharedBufferLock
        lock.unlock();
        ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
                legacyMode, legacyPattern, srcPtr, legacySubSamples,
                subSamples.size(), destPtr, &detailMessage);
--- a/drm/1.0/default/CryptoPlugin.h
+++ b/drm/1.0/default/CryptoPlugin.h
@@ -17,11 +17,14 @@
 #ifndef ANDROID_HARDWARE_DRM_V1_0__CRYPTOPLUGIN_H
 #define ANDROID_HARDWARE_DRM_V1_0__CRYPTOPLUGIN_H
-#include <android/hidl/memory/1.0/IMemory.h>
+#include <android-base/thread_annotations.h>
 #include <android/hardware/drm/1.0/ICryptoPlugin.h>
 #include <android/hidl/memory/1.0/IMemory.h>
 #include <hidl/Status.h>
 #include <media/hardware/CryptoAPI.h>
 #include <mutex>
 namespace android {
 namespace hardware {
 namespace drm {
@@ -60,19 +63,21 @@ struct CryptoPlugin : public ICryptoPlugin {
    Return<void> setSharedBufferBase(const ::android::hardware::hidl_memory& base,
        uint32_t bufferId) override;
-    Return<void> decrypt(bool secure, const hidl_array<uint8_t, 16>& keyId,
+    Return<void> decrypt(
-            const hidl_array<uint8_t, 16>& iv, Mode mode, const Pattern& pattern,
+        bool secure, const hidl_array<uint8_t, 16>& keyId, const hidl_array<uint8_t, 16>& iv,
-            const hidl_vec<SubSample>& subSamples, const SharedBuffer& source,
+        Mode mode, const Pattern& pattern, const hidl_vec<SubSample>& subSamples,
-            uint64_t offset, const DestinationBuffer& destination,
+        const SharedBuffer& source, uint64_t offset, const DestinationBuffer& destination,
-            decrypt_cb _hidl_cb) override;
+        decrypt_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS;  // use unique_lock
-private:
+   private:
    android::CryptoPlugin *mLegacyPlugin;
-    std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
+    std::map<uint32_t, sp<IMemory>> mSharedBufferMap GUARDED_BY(mSharedBufferLock);
    CryptoPlugin() = delete;
    CryptoPlugin(const CryptoPlugin &) = delete;
    void operator=(const CryptoPlugin &) = delete;
    std::mutex mSharedBufferLock;
 };
 }  // namespace implementation