widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability. am: 76f39ddb08 am: 2c59c30f1b

Browse Source 
Original change: https://googleplex-android-review.googlesource.com/c/platform/vendor/widevine/+/13499847

Change-Id: I9d84f4bc553f9c665d418734a9cf032bb4460a0c
This commit is contained in:
Edwin Wong
2021-04-06 22:23:03 +00:00
committed by Automerger Merge Worker
parent 34effc90d6 2c59c30f1b
commit 79b4677c6e
3 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libwvdrmengine/mediacrypto/Android.mk
View File

@@ -78,6 +78,8 @@ LOCAL_SHARED_LIBRARIES := \
libhidlmemory \ libhidlmemory \
liblog liblog
LOCAL_CFLAGS := -Wthread-safety
LOCAL_MODULE := libwvdrmcryptoplugin_hidl LOCAL_MODULE := libwvdrmcryptoplugin_hidl
LOCAL_LICENSE_KINDS := legacy_by_exception_only LOCAL_LICENSE_KINDS := legacy_by_exception_only
LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_LICENSE_CONDITIONS := by_exception_only

11
libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
View File

@@ -7,11 +7,14 @@
#ifndef WV_CRYPTO_PLUGIN_H_ #ifndef WV_CRYPTO_PLUGIN_H_
#define WV_CRYPTO_PLUGIN_H_ #define WV_CRYPTO_PLUGIN_H_
#include <android-base/thread_annotations.h>
#include <android/hidl/memory/1.0/IMemory.h> #include <android/hidl/memory/1.0/IMemory.h>
#include <mutex>
#include "HidlTypes.h" #include "HidlTypes.h"
#include "wv_content_decryption_module.h"
#include "WVTypes.h" #include "WVTypes.h"
#include "wv_content_decryption_module.h"
namespace wvdrm { namespace wvdrm {
namespace hardware { namespace hardware {
@@ -59,19 +62,21 @@ struct WVCryptoPlugin : public ICryptoPlugin {
const SharedBuffer& source, const SharedBuffer& source,
uint64_t offset, uint64_t offset,
const DestinationBuffer& destination, const DestinationBuffer& destination,
decrypt_1_2_cb _hidl_cb) override; decrypt_1_2_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS; // use unique_lock
private: private:
WVDRM_DISALLOW_COPY_AND_ASSIGN_AND_NEW(WVCryptoPlugin); WVDRM_DISALLOW_COPY_AND_ASSIGN_AND_NEW(WVCryptoPlugin);
wvcdm::CdmSessionId mSessionId; wvcdm::CdmSessionId mSessionId;
std::map<uint32_t, sp<IMemory> > mSharedBufferMap; std::map<uint32_t, sp<IMemory> > mSharedBufferMap GUARDED_BY(mSharedBufferLock);
sp<wvcdm::WvContentDecryptionModule> const mCDM; sp<wvcdm::WvContentDecryptionModule> const mCDM;
Status_V1_2 attemptDecrypt( Status_V1_2 attemptDecrypt(
const wvcdm::CdmDecryptionParametersV16& params, const wvcdm::CdmDecryptionParametersV16& params,
bool haveEncryptedSubsamples, std::string* errorDetailMsg); bool haveEncryptedSubsamples, std::string* errorDetailMsg);
std::mutex mSharedBufferLock;
}; };
} // namespace widevine } // namespace widevine

7
libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
View File

@@ -110,6 +110,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
const hidl_memory& base, uint32_t bufferId) { const hidl_memory& base, uint32_t bufferId) {
sp<IMemory> hidlMemory = mapMemory(base); sp<IMemory> hidlMemory = mapMemory(base);
std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
// allow mapMemory to return nullptr // allow mapMemory to return nullptr
mSharedBufferMap[bufferId] = hidlMemory; mSharedBufferMap[bufferId] = hidlMemory;
return Void(); return Void();
@@ -158,7 +160,7 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
uint64_t offset, uint64_t offset,
const DestinationBuffer& destination, const DestinationBuffer& destination,
decrypt_1_2_cb _hidl_cb) { decrypt_1_2_cb _hidl_cb) {
std::unique_lock<std::mutex> lock(mSharedBufferLock);
if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) { if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
_hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0,
"source decrypt buffer base not set"); "source decrypt buffer base not set");
@@ -231,6 +233,9 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
destPtr = static_cast<void *>(handle); destPtr = static_cast<void *>(handle);
} }
// release mSharedBufferLock
lock.unlock();
// Set up the decrypt params // Set up the decrypt params
CdmDecryptionParametersV16 params; CdmDecryptionParametersV16 params;
params.key_id = cryptoKey; params.key_id = cryptoKey;