[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability.

The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free SIGABRT can occur in a race condition.

SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to set up for decryption, which is
called frequently.

Test is run on rvc-dev branch, using target_hwasan-userdebug build.

Test: sts
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-176495665_sts64

Bug: 176495665
Bug: 176444161
Change-Id: Ie1aca0ceacb4b7a1b6e473b823541607a36d8cb4
Edwin Wong
2021-01-22 22:46:42 -08:00
parent 0253cb580e
commit f49a3e5682
3 changed files with 15 additions and 3 deletions

@@ -68,6 +68,8 @@ LOCAL_SHARED_LIBRARIES := \
libhidlmemory \
liblog
LOCAL_CFLAGS := -Wthread-safety
LOCAL_MODULE := libwvdrmcryptoplugin_hidl
LOCAL_PROPRIETARY_MODULE := true
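
Review bot: `LOCAL_CFLAGS := -Wthread-safety` turns on Clang's thread-safety analysis as a warning only, so a later change that touches the shared buffer without holding the mutex would still build. Consider `-Werror=thread-safety` so that a regression fails the build. The analysis only checks members and functions that carry capability annotations (for example `GUARDED_BY` on the shared memory member), so confirm that the other files in this change add them. Also, `:=` replaces any `LOCAL_CFLAGS` value set earlier for this module; if flags are defined above the visible context, use `+=` instead.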