DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak

Subtract address of a random static object from pointers being routed through app process. Bug: 28466701 Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04
author: Eino-Ville Talvala <etalvala@google.com> 2016-06-20 17:00:14 -0700
committer: The Android Automerger <android-build@google.com> 2016-06-23 15:05:18 -0700
commit: 1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc (patch)
tree: 240a349e5c0a5e783cd192317d3aa47c935861c2
parent: b351eabb428c7ca85a34513c64601f437923d576 (diff)
download: frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.zip
frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.tar.gz
frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.tar.bz2
5 files changed, 51 insertions, 1 deletions
diff --git a/camera/ICameraRecordingProxy.cpp b/camera/ICameraRecordingProxy.cpp
index 3dc0ffb..517b64f 100644
--- a/camera/ICameraRecordingProxy.cpp
+++ b/camera/ICameraRecordingProxy.cpp
@@ -31,6 +31,11 @@ enum {
     RELEASE_RECORDING_FRAME,
 };
 
+uint8_t ICameraRecordingProxy::baseObject = 0;
+
+size_t ICameraRecordingProxy::getCommonBaseAddress() {
+    return (size_t)&baseObject;
+}
 
 class BpCameraRecordingProxy: public BpInterface<ICameraRecordingProxy>
 {
@@ -106,4 +111,3 @@ status_t BnCameraRecordingProxy::onTransact(
 // ----------------------------------------------------------------------------
 
 }; // namespace android
-
diff --git a/include/camera/ICameraRecordingProxy.h b/include/camera/ICameraRecordingProxy.h
index 2aac284..4edf9cd 100644
--- a/include/camera/ICameraRecordingProxy.h
+++ b/include/camera/ICameraRecordingProxy.h
@@ -83,6 +83,12 @@ public:
     virtual status_t        startRecording(const sp<ICameraRecordingProxyListener>& listener) = 0;
     virtual void            stopRecording() = 0;
     virtual void            releaseRecordingFrame(const sp<IMemory>& mem) = 0;
+
+    // b/28466701
+    static  size_t          getCommonBaseAddress();
+  private:
+
+    static  uint8_t         baseObject;
 };
 
 // ----------------------------------------------------------------------------
diff --git a/include/media/stagefright/CameraSource.h b/include/media/stagefright/CameraSource.h
index 069e897..6c938a5 100644
--- a/include/media/stagefright/CameraSource.h
+++ b/include/media/stagefright/CameraSource.h
@@ -236,6 +236,9 @@ private:
     status_t checkFrameRate(const CameraParameters& params,
                     int32_t frameRate);
 
+    static void adjustIncomingANWBuffer(IMemory* data);
+    static void adjustOutgoingANWBuffer(IMemory* data);
+
     void stopCameraRecording();
     status_t reset();
 
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index 66280da..fa30644 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -27,8 +27,10 @@
 #include <media/stagefright/MediaDefs.h>
 #include <media/stagefright/MediaErrors.h>
 #include <media/stagefright/MetaData.h>
+#include <media/hardware/HardwareAPI.h>
 #include <camera/Camera.h>
 #include <camera/CameraParameters.h>
+#include <camera/ICameraRecordingProxy.h>
 #include <gui/Surface.h>
 #include <utils/String8.h>
 #include <cutils/properties.h>
@@ -792,6 +794,8 @@ void CameraSource::releaseQueuedFrames() {
     List<sp<IMemory> >::iterator it;
     while (!mFramesReceived.empty()) {
         it = mFramesReceived.begin();
+        // b/28466701
+        adjustOutgoingANWBuffer(it->get());
         releaseRecordingFrame(*it);
         mFramesReceived.erase(it);
         ++mNumFramesDropped;
@@ -812,6 +816,9 @@ void CameraSource::signalBufferReturned(MediaBuffer *buffer) {
     for (List<sp<IMemory> >::iterator it = mFramesBeingEncoded.begin();
          it != mFramesBeingEncoded.end(); ++it) {
         if ((*it)->pointer() ==  buffer->data()) {
+            // b/28466701
+            adjustOutgoingANWBuffer(it->get());
+
             releaseOneRecordingFrame((*it));
             mFramesBeingEncoded.erase(it);
             ++mNumFramesEncoded;
@@ -917,6 +924,10 @@ void CameraSource::dataCallbackTimestamp(int64_t timestampUs,
     ++mNumFramesReceived;
 
     CHECK(data != NULL && data->size() > 0);
+
+    // b/28466701
+    adjustIncomingANWBuffer(data.get());
+
     mFramesReceived.push_back(data);
     int64_t timeUs = mStartTimeUs + (timestampUs - mFirstFrameTimeUs);
     mFrameTimes.push_back(timeUs);
@@ -930,6 +941,24 @@ bool CameraSource::isMetaDataStoredInVideoBuffers() const {
     return mIsMetaDataStoredInVideoBuffers;
 }
 
+void CameraSource::adjustIncomingANWBuffer(IMemory* data) {
+    VideoNativeMetadata *payload =
+            reinterpret_cast<VideoNativeMetadata*>(data->pointer());
+    if (payload->eType == kMetadataBufferTypeANWBuffer) {
+        payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) +
+                ICameraRecordingProxy::getCommonBaseAddress());
+    }
+}
+
+void CameraSource::adjustOutgoingANWBuffer(IMemory* data) {
+    VideoNativeMetadata *payload =
+            reinterpret_cast<VideoNativeMetadata*>(data->pointer());
+    if (payload->eType == kMetadataBufferTypeANWBuffer) {
+        payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) -
+                ICameraRecordingProxy::getCommonBaseAddress());
+    }
+}
+
 CameraSource::ProxyListener::ProxyListener(const sp<CameraSource>& source) {
     mSource = source;
 }
diff --git a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
index 66d7b00..9e6c0db 100644
--- a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
+++ b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
@@ -30,6 +30,7 @@
 #include <utils/Trace.h>
 #include <gui/BufferItem.h>
 #include <gui/Surface.h>
+#include <camera/ICameraRecordingProxy.h>
 #include <media/hardware/HardwareAPI.h>
 
 #include "common/CameraDeviceBase.h"
@@ -826,6 +827,9 @@ status_t StreamingProcessor::processRecordingFrame() {
             (uint8_t*)heap->getBase() + offset);
         payload->eType = kMetadataBufferTypeANWBuffer;
         payload->pBuffer = imgBuffer.mGraphicBuffer->getNativeBuffer();
+        // b/28466701
+        payload->pBuffer = (ANativeWindowBuffer*)((uint8_t*)payload->pBuffer -
+                ICameraRecordingProxy::getCommonBaseAddress());
         payload->nFenceFd = -1;
 
         ALOGVV("%s: Camera %d: Sending out ANWBuffer %p",
@@ -874,6 +878,10 @@ void StreamingProcessor::releaseRecordingFrame(const sp<IMemory>& mem) {
         return;
     }
 
+    // b/28466701
+    payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) +
+            ICameraRecordingProxy::getCommonBaseAddress());
+
     // Release the buffer back to the recording queue
     size_t itemIndex;
     for (itemIndex = 0; itemIndex < mRecordingBuffers.size(); itemIndex++) {
author	Eino-Ville Talvala <etalvala@google.com>	2016-06-20 17:00:14 -0700
committer	The Android Automerger <android-build@google.com>	2016-06-23 15:05:18 -0700
commit	1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc (patch)
tree	240a349e5c0a5e783cd192317d3aa47c935861c2
parent	b351eabb428c7ca85a34513c64601f437923d576 (diff)
download	frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.zip frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.tar.gz frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.tar.bz2