ADHOC/replicant-frameworks_native
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

prevent a client from crashing surfaceflinger

Browse Source 
a misbehaving or malicious client could cause SF to crash
by providing a "fake" IInterface. we now check the
IInterface we get is our own and local.

Bug: 7278879
Change-Id: Ia19d05902d4b2385c5a16416148378d4998833fd
This commit is contained in:
Mathias Agopian 2012-10-22 14:27:45 -07:00 committed by Android (Google) Code Review
parent ba7dc2db6e
commit d17e3b5f6c
1 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
services/surfaceflinger/SurfaceFlinger.cpp
View File

@ -1681,9 +1681,24 @@ void SurfaceFlinger::setTransactionState(
count = state.size(); count = state.size();
for (size_t i=0 ; i<count ; i++) { for (size_t i=0 ; i<count ; i++) {
const ComposerState& s(state[i]); const ComposerState& s(state[i]);
// Here we need to check that the interface we're given is indeed
// one of our own. A malicious client could give us a NULL
// IInterface, or one of its own or even one of our own but a
// different type. All these situations would cause us to crash.
//
// NOTE: it would be better to use RTTI as we could directly check
// that we have a Client*. however, RTTI is disabled in Android.
if (s.client != NULL) {
sp<IBinder> binder = s.client->asBinder();
if (binder != NULL) {
String16 desc(binder->getInterfaceDescriptor());
if (desc == ISurfaceComposerClient::descriptor) {
sp<Client> client( static_cast<Client *>(s.client.get()) ); sp<Client> client( static_cast<Client *>(s.client.get()) );
transactionFlags |= setClientStateLocked(client, s.state); transactionFlags |= setClientStateLocked(client, s.state);
} }
}
}
}
if (transactionFlags) { if (transactionFlags) {
// this triggers the transaction // this triggers the transaction