From c2983e9d3bc3905d06a8b7dfa58548687c50634a Mon Sep 17 00:00:00 2001
From: Fabien Sanglard
Date: Tue, 8 Nov 2016 15:35:02 -0800
Subject: Fix SF security vulnerability: 32706020

Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered.

Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65
Test: Marling with poc provided in bug report.
Bug: 32706020
(cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
(cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
---
 libs/gui/BufferQueueProducer.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index a941e2d29..5db0b3754 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -1091,6 +1091,7 @@ status_t BufferQueueProducer::setGenerationNumber(uint32_t generationNumber) {
 String8 BufferQueueProducer::getConsumerName() const {
 ATRACE_CALL();
+ Mutex::Autolock lock(mCore->mMutex);
 BQ_LOGV("getConsumerName: %s", mConsumerName.string());
 return mConsumerName;
 }
-- 
cgit v1.2.3
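Review bot: The added `Mutex::Autolock lock(mCore->mMutex);` only closes the use-after-free if every writer of mConsumerName takes the same mCore->mMutex; the setter named in the description is outside this hunk, so that pairing should be confirmed in the same change rather than assumed, otherwise the read is still unsynchronized against the write that frees the old string. The field is read directly as mConsumerName here, not through mCore, so the lock-to-field relationship is not obvious from the declaration; a comment at the member declaration, `// Guarded by mCore->mMutex: read in getConsumerName(), written by the consumer-name setter`, would make the invariant visible to the next editor. The copy made by `return mConsumerName;` is taken while the Autolock is still in scope, so the returned String8 is safe after the lock is released, which is the correct ordering for a by-value getter. The enclosing function starts inside the hunk and ends at the closing brace shown.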