Merge "Fix WVCryptoPlugin use after free vulnerability." into sc-dev am: 9d1ad7590a

Original change: https://googleplex-android-review.googlesource.com/c/platform/vendor/widevine/+/13808139 Change-Id: I4c2aadb7b98c48abc349582d0bca0ddb41d05df7
2021-04-05 21:35:55 +00:00
parent 1df93e5cae 9d1ad7590a
commit c10f719067
3 changed files with 15 additions and 3 deletions
--- a/libwvdrmengine/mediacrypto/Android.bp
+++ b/libwvdrmengine/mediacrypto/Android.bp
@@ -102,6 +102,8 @@ cc_library_static {
        "liblog",
    ],

+    cflags: ["-Wthread-safety"],
+
    proprietary: true,

 }
--- a/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
+++ b/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
@@ -7,8 +7,11 @@
 #ifndef WV_CRYPTO_PLUGIN_H_
 #define WV_CRYPTO_PLUGIN_H_

+#include <android-base/thread_annotations.h>
 #include <android/hidl/memory/1.0/IMemory.h>

+#include <mutex>
+
 #include "HidlTypes.h"
 #include "log.h"
 #include "wv_content_decryption_module.h"
@@ -60,7 +63,7 @@ struct WVCryptoPlugin : public ::drm::V1_4::ICryptoPlugin {
      const SharedBuffer& source,
      uint64_t offset,
      const DestinationBuffer& destination,
-      decrypt_1_2_cb _hidl_cb) override;
+      decrypt_1_2_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS; // use unique_lock

  Return<void> getLogMessages(
      getLogMessages_cb _hidl_cb) override;
@@ -73,7 +76,7 @@ struct WVCryptoPlugin : public ::drm::V1_4::ICryptoPlugin {
  wvcdm::LoggingUidSetter mLoggingUidSetter;

  wvcdm::CdmSessionId mSessionId;
-  std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
+  std::map<uint32_t, sp<IMemory> > mSharedBufferMap GUARDED_BY(mSharedBufferLock);

  sp<wvcdm::WvContentDecryptionModule> const mCDM;
  uint32_t mUserId;
@@ -81,6 +84,8 @@ struct WVCryptoPlugin : public ::drm::V1_4::ICryptoPlugin {
  Status_V1_2 attemptDecrypt(
      const wvcdm::CdmDecryptionParametersV16& params,
      bool haveEncryptedSubsamples, std::string* errorDetailMsg);
+
+  std::mutex mSharedBufferLock;
 };

 }  // namespace widevine
--- a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
+++ b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
@@ -121,6 +121,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
    const hidl_memory& base, uint32_t bufferId) {
  sp<IMemory> hidlMemory = mapMemory(base);

+  std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
  // allow mapMemory to return nullptr
  mSharedBufferMap[bufferId] = hidlMemory;
  return Void();
@@ -169,7 +171,7 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
    uint64_t offset,
    const DestinationBuffer& destination,
    decrypt_1_2_cb _hidl_cb) {
-
+  std::unique_lock<std::mutex> lock(mSharedBufferLock);
  if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
    _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0,
             "source decrypt buffer base not set");
@@ -245,6 +247,9 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
    destPtr = static_cast<void *>(handle);
  }

+  // release mSharedBufferLock
+  lock.unlock();
+
  // Set up the decrypt params
  CdmDecryptionParametersV16 params;
  params.key_id = cryptoKey;