596d8bf4cc
The shared memory buffer used by srcPtr can be freed by another thread because it is not protected by a mutex. Subsequently, a use after free AIGABRT can occur in a race condition. SafetyNet logging is not added to avoid log spamming. The mutex lock is called to setup for decryption, which is called frequently. The crash was reproduced on the device before the fix. Verified the test passes after the fix. Test: sts sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665 Test: push to device with target_hwasan-userdebug build adb shell /data/local/tmp/Bug-176495665_sts64 Bug: 176495665 Bug: 176444161 Change-Id: If62b73a9c636048f942a2fc63a13b5bfd1e57b86
98 lines
2.7 KiB
C++
98 lines
2.7 KiB
C++
//
|
|
// Copyright 2018 Google LLC. All Rights Reserved. This file and proprietary
|
|
// source code may only be used and distributed under the Widevine License
|
|
// Agreement.
|
|
//
|
|
|
|
#ifndef WV_CRYPTO_PLUGIN_H_
|
|
#define WV_CRYPTO_PLUGIN_H_
|
|
|
|
#include <android-base/thread_annotations.h>
|
|
#include <android/hidl/memory/1.0/IMemory.h>
|
|
|
|
#include <mutex>
|
|
|
|
#include "HidlTypes.h"
|
|
#include "log.h"
|
|
#include "wv_content_decryption_module.h"
|
|
#include "WVTypes.h"
|
|
|
|
namespace wvdrm {
|
|
namespace hardware {
|
|
namespace drm {
|
|
namespace V1_4 {
|
|
namespace widevine {
|
|
|
|
using ::android::hidl::memory::V1_0::IMemory;
|
|
|
|
struct WVCryptoPlugin : public ::drm::V1_4::ICryptoPlugin {
|
|
WVCryptoPlugin(const void* data, size_t size,
|
|
const sp<wvcdm::WvContentDecryptionModule>& cdm);
|
|
virtual ~WVCryptoPlugin();
|
|
|
|
Return<bool> requiresSecureDecoderComponent(const hidl_string& mime)
|
|
override;
|
|
|
|
Return<void> notifyResolution(uint32_t width, uint32_t height) override;
|
|
|
|
Return<Status> setMediaDrmSession(const hidl_vec<uint8_t>& sessionId)
|
|
override;
|
|
|
|
Return<void> setSharedBufferBase(const hidl_memory& base,
|
|
uint32_t bufferId) override;
|
|
|
|
Return<void> decrypt(
|
|
bool secure,
|
|
const hidl_array<uint8_t, 16>& keyId,
|
|
const hidl_array<uint8_t, 16>& iv,
|
|
Mode mode,
|
|
const Pattern& pattern,
|
|
const hidl_vec<SubSample>& subSamples,
|
|
const SharedBuffer& source,
|
|
uint64_t offset,
|
|
const DestinationBuffer& destination,
|
|
decrypt_cb _hidl_cb) override;
|
|
|
|
Return<void> decrypt_1_2(
|
|
bool secure,
|
|
const hidl_array<uint8_t, 16>& keyId,
|
|
const hidl_array<uint8_t, 16>& iv,
|
|
Mode mode,
|
|
const Pattern& pattern,
|
|
const hidl_vec<SubSample>& subSamples,
|
|
const SharedBuffer& source,
|
|
uint64_t offset,
|
|
const DestinationBuffer& destination,
|
|
decrypt_1_2_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS; // use unique_lock
|
|
|
|
Return<void> getLogMessages(
|
|
getLogMessages_cb _hidl_cb) override;
|
|
|
|
private:
|
|
WVDRM_DISALLOW_COPY_AND_ASSIGN_AND_NEW(WVCryptoPlugin);
|
|
|
|
// List this field first so it is destructed last; ensure logging uid
|
|
// is cleared right before plugin is destructed.
|
|
wvcdm::LoggingUidSetter mLoggingUidSetter;
|
|
|
|
wvcdm::CdmSessionId mSessionId;
|
|
std::map<uint32_t, sp<IMemory> > mSharedBufferMap GUARDED_BY(mSharedBufferLock);
|
|
|
|
sp<wvcdm::WvContentDecryptionModule> const mCDM;
|
|
uint32_t mUserId;
|
|
|
|
Status_V1_2 attemptDecrypt(
|
|
const wvcdm::CdmDecryptionParametersV16& params,
|
|
bool haveEncryptedSubsamples, std::string* errorDetailMsg);
|
|
|
|
std::mutex mSharedBufferLock;
|
|
};
|
|
|
|
} // namespace widevine
|
|
} // namespace V1_4
|
|
} // namespace drm
|
|
} // namespace hardware
|
|
} // namespace wvdrm
|
|
|
|
#endif // WV_CRYPTO_PLUGIN_H_
|