widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability." into oc-mr1-dev

Browse Source
This commit is contained in:
Edwin Wong
2021-04-06 22:27:14 +00:00
committed by Android (Google) Code Review
parent 1bd967f9a8 f49a3e5682
commit 1e44ea96ef
3 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libwvdrmengine/mediacrypto/Android.mk
View File

@@ -68,6 +68,8 @@ LOCAL_SHARED_LIBRARIES := \
libhidlmemory \
liblog
LOCAL_CFLAGS := -Wthread-safety
LOCAL_MODULE := libwvdrmcryptoplugin_hidl
LOCAL_PROPRIETARY_MODULE := true

9
libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
View File

@@ -5,9 +5,12 @@
#ifndef WV_CRYPTO_PLUGIN_H_
#define WV_CRYPTO_PLUGIN_H_
#include <android-base/thread_annotations.h>
#include <android/hardware/drm/1.0/ICryptoPlugin.h>
#include <android/hidl/memory/1.0/IMemory.h>
#include <mutex>
#include "wv_content_decryption_module.h"
#include "WVTypes.h"
@@ -58,13 +61,13 @@ struct WVCryptoPlugin : public ICryptoPlugin {
const SharedBuffer& source,
uint64_t offset,
const DestinationBuffer& destination,
decrypt_cb _hidl_cb) override;
decrypt_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS; // use unique_lock
private:
WVDRM_DISALLOW_COPY_AND_ASSIGN_AND_NEW(WVCryptoPlugin);
wvcdm::CdmSessionId mSessionId;
std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
std::map<uint32_t, sp<IMemory> > mSharedBufferMap GUARDED_BY(mSharedBufferLock);
sp<wvcdm::WvContentDecryptionModule> const mCDM;
@@ -74,6 +77,8 @@ struct WVCryptoPlugin : public ICryptoPlugin {
static wvcdm::CdmResponseType countEncryptedBlocksInPatternedRange(
size_t range, const Pattern& pattern, uint64_t* result);
static void incrementIV(uint64_t increaseBy, std::vector<uint8_t>* ivPtr);
std::mutex mSharedBufferLock;
};
} // namespace widevine

7
libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
View File

@@ -98,6 +98,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
sp<IMemory> hidlMemory = mapMemory(base);
ALOGE_IF(hidlMemory == nullptr, "mapMemory returns nullptr");
std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
// allow mapMemory to return nullptr
mSharedBufferMap[bufferId] = hidlMemory;
return Void();
@@ -114,7 +116,7 @@ Return<void> WVCryptoPlugin::decrypt(
uint64_t offset,
const DestinationBuffer& destination,
decrypt_cb _hidl_cb) {
std::unique_lock<std::mutex> lock(mSharedBufferLock);
if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0,
"source decrypt buffer base not set");
@@ -185,6 +187,9 @@ Return<void> WVCryptoPlugin::decrypt(
destPtr = static_cast<void *>(handle);
}
// release mSharedBufferLock
lock.unlock();
// Calculate the output buffer size and determine if any subsamples are
// encrypted.
size_t destSize = 0;