author | Dianne Hackborn <hackbod@google.com> | 2016-03-21 10:36:54 -0700 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2016-03-25 17:09:17 -0700 |
commit | 433616eda147bb7e557796b4e02795946ff2478b (patch) | |
tree | 2760e1f6d0084680ac91370309864da301735060 | |
parent | 9c7a8c24c7498dfa653f35af1bab3f3235665b17 (diff) | |
download | native-433616eda147bb7e557796b4e02795946ff2478b.tar.gz |
Fix issue #27252896: Security Vulnerability -- weak binder
Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object. We need to try to
safely promote to a strong reference first.
Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
-rw-r--r-- | libs/binder/IPCThreadState.cpp | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp index dd04dcf4db..2296cd2b83 100644 --- a/libs/binder/IPCThreadState.cpp +++ b/libs/binder/IPCThreadState.cpp @@ -1080,8 +1080,16 @@ status_t IPCThreadState::executeCommand(int32_t cmd) << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl; } if (tr.target.ptr) { - sp<BBinder> b((BBinder*)tr.cookie); - error = b->transact(tr.code, buffer, &reply, tr.flags); + // We only have a weak reference on the target object, so we must first try to + // safely acquire a strong reference before doing anything else with it. + if (reinterpret_cast<RefBase::weakref_type*>( + tr.target.ptr)->attemptIncStrong(this)) { + error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer, + &reply, tr.flags); + reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this); + } else { + error = UNKNOWN_TRANSACTION; + } } else { error = the_context_object->transact(tr.code, buffer, &reply, tr.flags); |
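Review bot: In the new else branch, a failed attemptIncStrong() is reported as UNKNOWN_TRANSACTION, which the caller cannot tell apart from a live target that does not implement tr.code, and nothing is logged. Consider a status that says the target is gone, or at least a comment explaining why UNKNOWN_TRANSACTION was chosen, plus a log line so that transactions arriving for freed objects are visible when debugging. Two smaller points in the success branch: the strong reference is taken through tr.target.ptr while the call and the decStrong go through tr.cookie, so a one-line comment that both values refer to the same object would help the next reader; and reinterpret_cast<BBinder*>(tr.cookie) is spelled out twice, where a local BBinder* would make the attemptIncStrong/decStrong pairing easier to check and harder to break if an early exit is ever added between them.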