From d5d0c5500a97a411c34d27dc71dfd8f9d5787ffc Mon Sep 17 00:00:00 2001 From: Daniel Zheng Date: Wed, 16 Oct 2024 14:01:23 -0700 Subject: [PATCH] bootctl: pass cookie to death recipient On binder death, the cookie is the value that is passed to the death recipient. This value shouldn't be nullptr here since our onDeath() function expects an instance of BootControlClientAidl. If that doesn't exist, we have a null pointer dereference which will cause update_engine to crash. Bug: 369289491 Test: crash bootctl service Change-Id: I0bed4680c23b7d3516ed43aa566c4474962244fa --- boot/aidl/client/BootControlClient.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/boot/aidl/client/BootControlClient.cpp b/boot/aidl/client/BootControlClient.cpp index dca98c6cb4..10f0ffe2e9 100644 --- a/boot/aidl/client/BootControlClient.cpp +++ b/boot/aidl/client/BootControlClient.cpp @@ -69,8 +69,8 @@ class BootControlClientAidl final : public BootControlClient { explicit BootControlClientAidl(std::shared_ptr module) : module_(module), boot_control_death_recipient(AIBinder_DeathRecipient_new(onBootControlServiceDied)) { - binder_status_t status = AIBinder_linkToDeath(module->asBinder().get(), - boot_control_death_recipient, nullptr); + binder_status_t status = + AIBinder_linkToDeath(module->asBinder().get(), boot_control_death_recipient, this); if (status != STATUS_OK) { LOG(ERROR) << "Could not link to binder death"; return;