Fix SF security vulnerability: 32706020

Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered. Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65 Test: Marling with poc provided in bug report. Bug: 32706020 (cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436) (cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
2016-11-08 15:35:02 -08:00 · 2016-11-08 15:35:02 -08:00 · c2983e9d3b
parent 0ff545d4a7
commit c2983e9d3b
1 changed files with 1 additions and 0 deletions
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@ -1091,6 +1091,7 @@ status_t BufferQueueProducer::setGenerationNumber(uint32_t generationNumber) {

 String8 BufferQueueProducer::getConsumerName() const {
    ATRACE_CALL();
+    Mutex::Autolock lock(mCore->mMutex);
    BQ_LOGV("getConsumerName: %s", mConsumerName.string());
    return mConsumerName;
 }