From d17e3b5f6cf71eb52bc81f37719254ce08244b34 Mon Sep 17 00:00:00 2001 From: Mathias Agopian Date: Mon, 22 Oct 2012 14:27:45 -0700 Subject: [PATCH] prevent a client from crashing surfaceflinger a misbehaving or malicious client could cause SF to crash by providing a "fake" IInterface. we now check the IInterface we get is our own and local. Bug: 7278879 Change-Id: Ia19d05902d4b2385c5a16416148378d4998833fd --- services/surfaceflinger/SurfaceFlinger.cpp | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp index 38e02f1b8..26e9c6054 100644 --- a/services/surfaceflinger/SurfaceFlinger.cpp +++ b/services/surfaceflinger/SurfaceFlinger.cpp @@ -1681,8 +1681,23 @@ void SurfaceFlinger::setTransactionState( count = state.size(); for (size_t i=0 ; i client( static_cast(s.client.get()) ); - transactionFlags |= setClientStateLocked(client, s.state); + // Here we need to check that the interface we're given is indeed + // one of our own. A malicious client could give us a NULL + // IInterface, or one of its own or even one of our own but a + // different type. All these situations would cause us to crash. + // + // NOTE: it would be better to use RTTI as we could directly check + // that we have a Client*. however, RTTI is disabled in Android. + if (s.client != NULL) { + sp binder = s.client->asBinder(); + if (binder != NULL) { + String16 desc(binder->getInterfaceDescriptor()); + if (desc == ISurfaceComposerClient::descriptor) { + sp client( static_cast(s.client.get()) ); + transactionFlags |= setClientStateLocked(client, s.state); + } + } + } } if (transactionFlags) {