widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability.

Browse Source 
The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free AIGABRT can occur in a race condition.

SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.

Test is run on rvc-dev branch, using target_hwasan-userdebug build.

Test: sts
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-176495665_sts64

Bug: 176495665
Bug: 176444161
Change-Id: Ie1aca0ceacb4b7a1b6e473b823541607a36d8cb4
This commit is contained in:
Edwin Wong
2021-01-22 22:46:42 -08:00
parent 0253cb580e
commit f49a3e5682
3 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
View File

@@ -5,9 +5,12 @@
#ifndef WV_CRYPTO_PLUGIN_H_
#define WV_CRYPTO_PLUGIN_H_
#include <android-base/thread_annotations.h>
#include <android/hardware/drm/1.0/ICryptoPlugin.h>
#include <android/hidl/memory/1.0/IMemory.h>
#include <mutex>
#include "wv_content_decryption_module.h"
#include "WVTypes.h"
@@ -58,13 +61,13 @@ struct WVCryptoPlugin : public ICryptoPlugin {
const SharedBuffer& source,
uint64_t offset,
const DestinationBuffer& destination,
decrypt_cb _hidl_cb) override;
decrypt_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS; // use unique_lock
private:
WVDRM_DISALLOW_COPY_AND_ASSIGN_AND_NEW(WVCryptoPlugin);
wvcdm::CdmSessionId mSessionId;
std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
std::map<uint32_t, sp<IMemory> > mSharedBufferMap GUARDED_BY(mSharedBufferLock);
sp<wvcdm::WvContentDecryptionModule> const mCDM;
@@ -74,6 +77,8 @@ struct WVCryptoPlugin : public ICryptoPlugin {
static wvcdm::CdmResponseType countEncryptedBlocksInPatternedRange(
size_t range, const Pattern& pattern, uint64_t* result);
static void incrementIV(uint64_t increaseBy, std::vector<uint8_t>* ivPtr);
std::mutex mSharedBufferLock;
};
} // namespace widevine