Fix SF security vulnerability: 32706020

Because of the lack of a mutex lock when getting mConsumerName, if one
thread calls getConsumerName while another thread calls setConsumerName
frequently, a UAF will be triggered.

Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65
Test: Marling with poc provided in bug report.
Bug: 32706020
(cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
(cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
Fabien Sanglard 2016-11-08 15:35:02 -08:00 committed by Brinly Taylor
parent 0ff545d4a7
commit c2983e9d3b

@ -1091,6 +1091,7 @@ status_t BufferQueueProducer::setGenerationNumber(uint32_t generationNumber) {
String8 BufferQueueProducer::getConsumerName() const { String8 BufferQueueProducer::getConsumerName() const {
ATRACE_CALL(); ATRACE_CALL();
Mutex::Autolock lock(mCore->mMutex);
BQ_LOGV("getConsumerName: %s", mConsumerName.string()); BQ_LOGV("getConsumerName: %s", mConsumerName.string());
return mConsumerName; return mConsumerName;
} }
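
Review bot: The added Mutex::Autolock lock(mCore->mMutex) in getConsumerName() only closes the race described in the commit message if every writer of mConsumerName holds the same mCore->mMutex, and this hunk shows just the reader side. Please confirm that the setConsumerName path assigns mConsumerName under that mutex, and that no caller reaches getConsumerName() with mCore->mMutex already held, since a second Autolock on a non-recursive mutex would deadlock. Taking the lock before BQ_LOGV is the right order because the log line reads mConsumerName.string() as well; a one-line comment stating that mConsumerName is guarded by mCore->mMutex would keep a later edit from moving the log call above the lock.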