From e637aa32b86dec4778ac8dd934266bb3755bc773 Mon Sep 17 00:00:00 2001 From: Nick Desaulniers Date: Fri, 18 Aug 2017 10:00:44 -0700 Subject: [PATCH] biometrics: fingerprint: add locking to default impl There exists the following race condition: a). thread A receives setNotify and sets the callback to some object b). thread B of the wrapped implementation calls BiometricsFingerprint::notify which it was given a handle to. Thread B executes past the nullptr check: c). thread A receives setNotify and sets the callback to some other object (or nullptr) d). thread B resumes in notify with unknown state Add mutex to protect access to mClientCallback. Change-Id: I9163204ff5802e9246056caeb2a7857e6138531c Fixes: 64802340 Test: VtsHalBiometricsFingerprintV2_1IfaceFuzzer
---
 biometrics/fingerprint/2.1/default/BiometricsFingerprint.cpp | 2 ++
 biometrics/fingerprint/2.1/default/BiometricsFingerprint.h | 1 +
 2 files changed, 3 insertions(+)
diff --git a/biometrics/fingerprint/2.1/default/BiometricsFingerprint.cpp b/biometrics/fingerprint/2.1/default/BiometricsFingerprint.cpp
index c6774ca222..f68795955a 100644
--- a/biometrics/fingerprint/2.1/default/BiometricsFingerprint.cpp
+++ b/biometrics/fingerprint/2.1/default/BiometricsFingerprint.cpp
@@ -145,6 +145,7 @@ FingerprintAcquiredInfo BiometricsFingerprint::VendorAcquiredFilter(
 Return BiometricsFingerprint::setNotify(
 const sp& clientCallback) {
+ std::lock_guard lock(mClientCallbackMutex);
 mClientCallback = clientCallback;
 // This is here because HAL 2.1 doesn't have a way to propagate a
 // unique token for its driver. Subsequent versions should send a unique
@@ -259,6 +260,7 @@ fingerprint_device_t* BiometricsFingerprint::openHal() {
 void BiometricsFingerprint::notify(const fingerprint_msg_t *msg) {
 BiometricsFingerprint* thisPtr = static_cast(
 BiometricsFingerprint::getInstance());
+ std::lock_guard lock(thisPtr->mClientCallbackMutex);
 if (thisPtr == nullptr || thisPtr->mClientCallback == nullptr) {
 ALOGE("Receiving callbacks before the client callback is registered.");
 return;
diff --git a/biometrics/fingerprint/2.1/default/BiometricsFingerprint.h b/biometrics/fingerprint/2.1/default/BiometricsFingerprint.h
index 5923c849c8..6d64e3d38d 100644
--- a/biometrics/fingerprint/2.1/default/BiometricsFingerprint.h
+++ b/biometrics/fingerprint/2.1/default/BiometricsFingerprint.h
@@ -69,6 +69,7 @@ private:
 static FingerprintAcquiredInfo VendorAcquiredFilter(int32_t error, int32_t* vendorCode);
 static BiometricsFingerprint* sInstance;
+ std::mutex mClientCallbackMutex;
 sp mClientCallback;
 fingerprint_device_t *mDevice;
 };
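Review bot: The added `std::lock_guard` in `BiometricsFingerprint::notify` dereferences `thisPtr` to reach `mClientCallbackMutex` one line before the existing `thisPtr == nullptr` test, so the null-instance case that check was written for now hits undefined behaviour (most likely a HAL crash) instead of logging and returning. Test the pointer first, `if (thisPtr == nullptr) { ALOGE(...); return; }`, then construct the guard and check `thisPtr->mClientCallback == nullptr` under it. The rest of notify lies outside the hunk; if it invokes the client callback while this non-recursive mutex is still held, a callback that re-enters setNotify on the same thread would deadlock, so consider copying `mClientCallback` into a local `sp` under the lock and releasing the lock before the call.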
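Review bot: `std::mutex mClientCallbackMutex;` is added to BiometricsFingerprint.h with no `#include <mutex>` added alongside it; the diffstat lists this one line as the header's only change. The include section is outside the hunk, so an existing include cannot be ruled out from here, but if there is none the header compiles only through a transitive include. Add `#include <mutex>` to the header if it is missing, and document the member with something like `// Guards mClientCallback; taken in setNotify() and notify().` so that any later reader or writer of the callback knows the lock is required.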