summaryrefslogtreecommitdiffstats
path: root/libs
diff options
context:
space:
mode:
authorDianne Hackborn <hackbod@google.com>2016-03-21 10:36:54 -0700
committerThe Android Automerger <android-build@google.com>2016-03-25 17:47:54 -0700
commita59b827869a2ea04022dd225007f29af8d61837a (patch)
treef73b2b42a583950af1e873fe175141ed4f3a5a7f /libs
parenta30d7d90c4f718e46fb41a99b3d52800e1011b73 (diff)
downloadframeworks_native-a59b827869a2ea04022dd225007f29af8d61837a.zip
frameworks_native-a59b827869a2ea04022dd225007f29af8d61837a.tar.gz
frameworks_native-a59b827869a2ea04022dd225007f29af8d61837a.tar.bz2
Fix issue #27252896: Security Vulnerability -- weak binder
Sending transaction to freed BBinder through weak handle can cause use of a (mostly) freed object. We need to try to safely promote to a strong reference first. Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342 (cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
Diffstat (limited to 'libs')
-rw-r--r--libs/binder/IPCThreadState.cpp12
1 files changed, 10 insertions, 2 deletions
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index ef88181..af18e11 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -1083,8 +1083,16 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
<< reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
}
if (tr.target.ptr) {
- sp<BBinder> b((BBinder*)tr.cookie);
- error = b->transact(tr.code, buffer, &reply, tr.flags);
+ // We only have a weak reference on the target object, so we must first try to
+ // safely acquire a strong reference before doing anything else with it.
+ if (reinterpret_cast<RefBase::weakref_type*>(
+ tr.target.ptr)->attemptIncStrong(this)) {
+ error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,
+ &reply, tr.flags);
+ reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this);
+ } else {
+ error = UNKNOWN_TRANSACTION;
+ }
} else {
error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);