Fix issue #27252896: Security Vulnerability -- weak binder
Sending transaction to freed BBinder through weak handle can cause use of a (mostly) freed object. We need to try to safely promote to a strong reference first. Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342 (cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
parent
a30d7d90c4
commit
a59b827869
@ -1083,8 +1083,16 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
|
|||||||
<< reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
|
<< reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
|
||||||
}
|
}
|
||||||
if (tr.target.ptr) {
|
if (tr.target.ptr) {
|
||||||
sp<BBinder> b((BBinder*)tr.cookie);
|
// We only have a weak reference on the target object, so we must first try to
|
||||||
error = b->transact(tr.code, buffer, &reply, tr.flags);
|
// safely acquire a strong reference before doing anything else with it.
|
||||||
|
if (reinterpret_cast<RefBase::weakref_type*>(
|
||||||
|
tr.target.ptr)->attemptIncStrong(this)) {
|
||||||
|
error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,
|
||||||
|
&reply, tr.flags);
|
||||||
|
reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this);
|
||||||
|
} else {
|
||||||
|
error = UNKNOWN_TRANSACTION;
|
||||||
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
|
error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
|
||||||
|
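Review bot: The strong reference taken by `attemptIncStrong(this)` is released by a hand-written `decStrong(this)` on a second cast of `tr.cookie`, so the acquire/release pair spans two pointers (`tr.target.ptr` for the weak reference, `tr.cookie` for the object) and relies on both naming the same BBinder. That relationship is not visible in this hunk, so a comment such as `// target.ptr is the weakref_type of the BBinder held in cookie` would make the invariant reviewable. Binding the cast once with `BBinder* const target = reinterpret_cast<BBinder*>(tr.cookie);` would keep `transact` and `decStrong` on one name. The failed-promotion branch sets `error = UNKNOWN_TRANSACTION` without logging, so a transaction aimed at an already-destroyed object looks the same as an unsupported code; a debug-level log line there would help triage. The body of `executeCommand` begins and ends outside the hunk.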