From a59b827869a2ea04022dd225007f29af8d61837a Mon Sep 17 00:00:00 2001 From: Dianne Hackborn Date: Mon, 21 Mar 2016 10:36:54 -0700 Subject: [PATCH] Fix issue #27252896: Security Vulnerability -- weak binder Sending transaction to freed BBinder through weak handle can cause use of a (mostly) freed object. We need to try to safely promote to a strong reference first. Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342 (cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199) --- libs/binder/IPCThreadState.cpp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp index ef88181d6..af18e119a 100644 --- a/libs/binder/IPCThreadState.cpp +++ b/libs/binder/IPCThreadState.cpp @@ -1083,8 +1083,16 @@ status_t IPCThreadState::executeCommand(int32_t cmd) << reinterpret_cast(tr.data.ptr.offsets) << endl; } if (tr.target.ptr) { - sp b((BBinder*)tr.cookie); - error = b->transact(tr.code, buffer, &reply, tr.flags); + // We only have a weak reference on the target object, so we must first try to + // safely acquire a strong reference before doing anything else with it. + if (reinterpret_cast( + tr.target.ptr)->attemptIncStrong(this)) { + error = reinterpret_cast(tr.cookie)->transact(tr.code, buffer, + &reply, tr.flags); + reinterpret_cast(tr.cookie)->decStrong(this); + } else { + error = UNKNOWN_TRANSACTION; + } } else { error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);