[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability. am: 9c278174c8

Original change: https://googleplex-android-review.googlesource.com/c/platform/vendor/widevine/+/13499846 Change-Id: I1cb45d35088d149f02b0bb6c408e5fee3d79c1db
2021-04-06 23:06:28 +00:00
parent 18065ce373 9c278174c8
commit 605ae2e217
3 changed files with 16 additions and 4 deletions
--- a/libwvdrmengine/mediacrypto/Android.mk
+++ b/libwvdrmengine/mediacrypto/Android.mk
@@ -72,6 +72,8 @@ LOCAL_SHARED_LIBRARIES := \
  libhidlmemory \
  liblog

+LOCAL_CFLAGS := -Wthread-safety
+
 LOCAL_MODULE := libwvdrmcryptoplugin_hidl
 LOCAL_PROPRIETARY_MODULE := true

--- a/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
+++ b/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
@@ -7,11 +7,14 @@
 #ifndef WV_CRYPTO_PLUGIN_H_
 #define WV_CRYPTO_PLUGIN_H_

+#include <android-base/thread_annotations.h>
 #include <android/hidl/memory/1.0/IMemory.h>

+#include <mutex>
+
 #include "HidlTypes.h"
-#include "wv_content_decryption_module.h"
 #include "WVTypes.h"
+#include "wv_content_decryption_module.h"

 namespace wvdrm {
 namespace hardware {
@@ -59,13 +62,13 @@ struct WVCryptoPlugin : public ICryptoPlugin {
      const SharedBuffer& source,
      uint64_t offset,
      const DestinationBuffer& destination,
-      decrypt_1_2_cb _hidl_cb) override;
+      decrypt_1_2_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS; // use unique_lock

 private:
  WVDRM_DISALLOW_COPY_AND_ASSIGN_AND_NEW(WVCryptoPlugin);

  wvcdm::CdmSessionId mSessionId;
-  std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
+  std::map<uint32_t, sp<IMemory> > mSharedBufferMap GUARDED_BY(mSharedBufferLock);

  sp<wvcdm::WvContentDecryptionModule> const mCDM;

@@ -73,6 +76,8 @@ struct WVCryptoPlugin : public ICryptoPlugin {
      const wvcdm::CdmDecryptionParameters& params,
      bool haveEncryptedSubsamples, std::string* errorDetailMsg);
  static void incrementIV(uint64_t increaseBy, std::vector<uint8_t>* ivPtr);
+
+  std::mutex mSharedBufferLock;
 };

 }  // namespace widevine
--- a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
+++ b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
@@ -108,6 +108,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
    const hidl_memory& base, uint32_t bufferId) {
  sp<IMemory> hidlMemory = mapMemory(base);

+  std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
  // allow mapMemory to return nullptr
  mSharedBufferMap[bufferId] = hidlMemory;
  return Void();
@@ -156,7 +158,7 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
    uint64_t offset,
    const DestinationBuffer& destination,
    decrypt_1_2_cb _hidl_cb) {
-
+    std::unique_lock<std::mutex> lock(mSharedBufferLock);
    if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
      _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0,
               "source decrypt buffer base not set");
@@ -227,6 +229,9 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
    destPtr = static_cast<void *>(handle);
  }

+  // release mSharedBufferLock
+  lock.unlock();
+
  // Calculate the output buffer size and determine if any subsamples are
  // encrypted.
  size_t destSize = 0;