Fix SF security vulnerability: 32706020

Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered. Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65 Test: Marling with poc provided in bug report. Bug: 32706020 (cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
author: Fabien Sanglard <sanglardf@google.com> 2016-11-08 15:35:02 -0800
committer: gitbuildkicker <android-build@google.com> 2016-12-14 16:53:10 -0800
commit: dc6d25ff1e1d4079853f2efc3c7147991fa7f18a (patch)
tree: 6456e31c8b573aa2293b953cbc5011b86a16d7c7
parent: 65dd433f0db2fe402dc725f7012c6e26769b3224 (diff)
download: native-dc6d25ff1e1d4079853f2efc3c7147991fa7f18a.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 48b1db8f59..05923b5d35 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -1352,6 +1352,7 @@ status_t BufferQueueProducer::setGenerationNumber(uint32_t generationNumber) {
 
 String8 BufferQueueProducer::getConsumerName() const {
     ATRACE_CALL();
+    Mutex::Autolock lock(mCore->mMutex);
     BQ_LOGV("getConsumerName: %s", mConsumerName.string());
     return mConsumerName;
 }
author	Fabien Sanglard <sanglardf@google.com>	2016-11-08 15:35:02 -0800
committer	gitbuildkicker <android-build@google.com>	2016-12-14 16:53:10 -0800
commit	dc6d25ff1e1d4079853f2efc3c7147991fa7f18a (patch)
tree	6456e31c8b573aa2293b953cbc5011b86a16d7c7
parent	65dd433f0db2fe402dc725f7012c6e26769b3224 (diff)
download	native-dc6d25ff1e1d4079853f2efc3c7147991fa7f18a.tar.gz