author | Arthur Ishiguro <arthuri@google.com> | 2020-10-07 15:32:14 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-10-07 15:32:14 +0000 |
commit | 0de2220f00851aab38395464f1a878765266c1c6 (patch) | |
tree | 0df5234617c283d719defa3cea91a5b734659d02 | |
parent | fe57c1aa7c108eaa2be8f0cf62e95782288ee8cb (diff) | |
parent | 5adafe2d1e966066f209dbe8af5113c0b908133e (diff) | |
download | native-0de2220f00851aab38395464f1a878765266c1c6.tar.gz |
Merge "Prevent mEventCache UAF in SensorEventConnection" into rvc-dev am: 5adafe2d1e
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/native/+/12757250
Change-Id: I28e6484b8a1138ea21c198a13e8dbea83e6f87a5
-rw-r--r-- | services/sensorservice/SensorEventConnection.cpp | 28 | ||||
-rw-r--r-- | services/sensorservice/SensorEventConnection.h | 5 |
2 files changed, 21 insertions, 12 deletions
diff --git a/services/sensorservice/SensorEventConnection.cpp b/services/sensorservice/SensorEventConnection.cpp
index b4b5f98609..6c8671289d 100644
--- a/services/sensorservice/SensorEventConnection.cpp
+++ b/services/sensorservice/SensorEventConnection.cpp
@@ -14,6 +14,7 @@
 * limitations under the License.
 */
+#include <log/log.h>
 #include <sys/socket.h>
 #include <utils/threads.h>
@@ -47,20 +48,13 @@ SensorService::SensorEventConnection::SensorEventConnection(
 SensorService::SensorEventConnection::~SensorEventConnection() {
 ALOGD_IF(DEBUG_CONNECTIONS, "~SensorEventConnection(%p)", this);
 destroy();
-}
-
-void SensorService::SensorEventConnection::destroy() {
- Mutex::Autolock _l(mDestroyLock);
-
- // destroy once only
- if (mDestroyed) {
- return;
- }
-
 mService->cleanupConnection(this);
 if (mEventCache != nullptr) {
 delete[] mEventCache;
 }
+}
+
+void SensorService::SensorEventConnection::destroy() {
 mDestroyed = true;
 }
@@ -665,6 +659,11 @@ status_t SensorService::SensorEventConnection::enableDisable(
 int handle, bool enabled, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags) {
+ if (mDestroyed) {
+ android_errorWriteLog(0x534e4554, "168211968");
+ return DEAD_OBJECT;
+ }
+
 status_t err;
 if (enabled) {
 err = mService->enable(this, handle, samplingPeriodNs, maxBatchReportLatencyNs,
@@ -679,10 +678,19 @@ status_t SensorService::SensorEventConnection::enableDisable(
 status_t SensorService::SensorEventConnection::setEventRate( int handle, nsecs_t samplingPeriodNs) {
+ if (mDestroyed) {
+ android_errorWriteLog(0x534e4554, "168211968");
+ return DEAD_OBJECT;
+ }
+
 return mService->setEventRate(this, handle, samplingPeriodNs, mOpPackageName);
 }
 status_t SensorService::SensorEventConnection::flush() {
+ if (mDestroyed) {
+ return DEAD_OBJECT;
+ }
+
 return mService->flushSensor(this, mOpPackageName);
 }
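Review bot: In the `-47,20` hunk destroy() is reduced to setting `mDestroyed`, so `mService->cleanupConnection(this)` and the release of `mEventCache` now run only in the destructor, and nothing in the code says why. Judging by the commit title, deferring the free until the last reference is gone is what closes the use-after-free. A comment on destroy() such as `// Only marks the connection dead; cleanup is deferred to the destructor so a concurrent call cannot touch a freed mEventCache.` would stop a later change from moving the free back. It is also worth confirming that a connection which stays registered with the service after destroy() for as long as a reference is held is acceptable. As a style point, the `if (mEventCache != nullptr)` guard around `delete[] mEventCache;` is redundant, because deleting a null pointer is a no-op.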
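Review bot: flush() in the `-679,10` hunk returns `DEAD_OBJECT` without the `android_errorWriteLog(0x534e4554, "168211968");` call that enableDisable() (`-665,6` hunk) and setEventRate() make, so a use-after-destroy through flush() leaves no event-log entry. If the omission is intentional it deserves a one-line comment; otherwise add the same call. The guard is also copied into three functions with a bare tag value and bug id, and a small private helper that logs and reports whether the connection is dead would keep the copies consistent. The remaining entry points of SensorEventConnection are outside this diff, so it should be checked that none of them still reaches `mService` after destroy().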
diff --git a/services/sensorservice/SensorEventConnection.h b/services/sensorservice/SensorEventConnection.h
index 8f2d5db28f..9487a39a92 100644
--- a/services/sensorservice/SensorEventConnection.h
+++ b/services/sensorservice/SensorEventConnection.h
@@ -17,6 +17,7 @@
 #ifndef ANDROID_SENSOR_EVENT_CONNECTION_H
 #define ANDROID_SENSOR_EVENT_CONNECTION_H
+#include <atomic>
 #include <stdint.h>
 #include <sys/types.h>
 #include <unordered_map>
@@ -182,8 +183,8 @@ private:
 int mTotalAcksNeeded, mTotalAcksReceived;
 #endif
- mutable Mutex mDestroyLock;
- bool mDestroyed;
+ // Used to track if this object was inappropriately used after destroy().
+ std::atomic_bool mDestroyed;
 // Store a mapping of sensor handles to required AppOp for a sensor. This map only contains a
 // valid mapping for sensors that require a permission in order to reduce the lookup time. |
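Review bot: `std::atomic_bool mDestroyed;` in the `-182,8` hunk is declared without an initializer, and a default-constructed `std::atomic` holds an indeterminate value before C++20. The constructor's initializer list is outside this diff, so the new `if (mDestroyed)` guards in the .cpp depend on it still setting the flag to false. Writing the default on the member, `std::atomic_bool mDestroyed{false};`, removes that dependency. The comment could also say that the flag is only a diagnostic and that the object's lifetime, not this flag, is what keeps `mEventCache` valid.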