audio effects: filter reserved effect commands

Block effect commands reserved for framework use when received on server side IAudioEffect. Applications have no reason to use these commands and they present a unnecessary attack surface. Bug: 62019992 Test: run CTS tests for audio effects Change-Id: Ie680d5d5650f99dbabf93891703e1cde2c2e852d (cherry picked from commit c7ab309ecbb289cd1296430f724166a26bd45afe) CVE-2017-0768
author: Eric Laurent <elaurent@google.com> 2017-06-15 18:43:46 -0700
committer: Andreas Blaesius <skate4life@gmx.de> 2017-09-17 22:11:05 +0200
commit: 62677c87d461b11af3a25f808dbed4c21d2a48b8 (patch)
tree: 9b8da310205e80e72a3ccf01420bd3f6bddbf319
parent: 38d8804de3b81655da7c079e1bcecef3a98cc44c (diff)
download: frameworks_av-62677c87d461b11af3a25f808dbed4c21d2a48b8.tar.gz
frameworks_av-62677c87d461b11af3a25f808dbed4c21d2a48b8.tar.bz2
frameworks_av-62677c87d461b11af3a25f808dbed4c21d2a48b8.zip
1 files changed, 18 insertions, 0 deletions
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 8a8b05b3b1..58df3bd385 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -1284,6 +1284,24 @@ status_t AudioFlinger::EffectHandle::command(uint32_t cmdCode,
     ALOGVV("command(), cmdCode: %d, mHasControl: %d, mEffect: %p",
             cmdCode, mHasControl, mEffect.unsafe_get());
 
+    // reject commands reserved for internal use by audio framework if coming from outside
+    // of audioserver
+    switch(cmdCode) {
+        case EFFECT_CMD_ENABLE:
+        case EFFECT_CMD_DISABLE:
+        case EFFECT_CMD_SET_PARAM:
+        case EFFECT_CMD_SET_PARAM_DEFERRED:
+        case EFFECT_CMD_SET_PARAM_COMMIT:
+        case EFFECT_CMD_GET_PARAM:
+            break;
+        default:
+            if (cmdCode >= EFFECT_CMD_FIRST_PROPRIETARY) {
+                break;
+            }
+            android_errorWriteLog(0x534e4554, "62019992");
+            return BAD_VALUE;
+    }
+
     if (cmdCode == EFFECT_CMD_ENABLE) {
         if (*replySize < sizeof(int)) {
             android_errorWriteLog(0x534e4554, "32095713");
author	Eric Laurent <elaurent@google.com>	2017-06-15 18:43:46 -0700
committer	Andreas Blaesius <skate4life@gmx.de>	2017-09-17 22:11:05 +0200
commit	62677c87d461b11af3a25f808dbed4c21d2a48b8 (patch)
tree	9b8da310205e80e72a3ccf01420bd3f6bddbf319
parent	38d8804de3b81655da7c079e1bcecef3a98cc44c (diff)
download	frameworks_av-62677c87d461b11af3a25f808dbed4c21d2a48b8.tar.gz frameworks_av-62677c87d461b11af3a25f808dbed4c21d2a48b8.tar.bz2 frameworks_av-62677c87d461b11af3a25f808dbed4c21d2a48b8.zip