Fix SF security vulnerability: 32706020

Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered. Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65 Test: Marling with poc provided in bug report. Bug: 32706020 (cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
author: Fabien Sanglard <sanglardf@google.com> 2016-11-08 15:35:02 -0800
committer: gitbuildkicker <android-build@google.com> 2017-01-04 10:37:14 -0800
commit: 509fb5c3719d6b1fa0adec3b85b21115692d5dae (patch)
tree: 06421e98c287cf861e6a3ba65432036b2a686b35
parent: 38ac668e47f80b513cab10bab6af585d810f59c3 (diff)
download: native-509fb5c3719d6b1fa0adec3b85b21115692d5dae.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 48b1db8f59..05923b5d35 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -1352,6 +1352,7 @@ status_t BufferQueueProducer::setGenerationNumber(uint32_t generationNumber) {
 
 String8 BufferQueueProducer::getConsumerName() const {
     ATRACE_CALL();
+    Mutex::Autolock lock(mCore->mMutex);
     BQ_LOGV("getConsumerName: %s", mConsumerName.string());
     return mConsumerName;
 }
author	Fabien Sanglard <sanglardf@google.com>	2016-11-08 15:35:02 -0800
committer	gitbuildkicker <android-build@google.com>	2017-01-04 10:37:14 -0800
commit	509fb5c3719d6b1fa0adec3b85b21115692d5dae (patch)
tree	06421e98c287cf861e6a3ba65432036b2a686b35
parent	38ac668e47f80b513cab10bab6af585d810f59c3 (diff)
download	native-509fb5c3719d6b1fa0adec3b85b21115692d5dae.tar.gz