commit 537144f77baad847d2c30be6436f94c917019e68
author Edwin Wong <edwinwong@google.com> Tue Jan 05 22:21:23 2021 -0800
committer Edwin Wong <edwinwong@google.com> Tue Feb 02 23:38:59 2021 +0000
tree dd3ae7be6bb68da7b584f77b123f6fce9cb40f49
parent a7dd68bd2ef09f4e38621e29fea55e59ffbc195b

Fix double free of play policy in a race condition.

The mPlayPolicy can be freed twice if there is a race condition.
mPlayPolicy should be protected with a mutex lock.

SafetyNet logging is not added to avoid log spamming. The
mutex lock is called whenever a license request is made.
That can happen quite often.

Bug: 176168330

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases -t android.security.sts.Poc21_01#testPocBug_176168330

Test: run sts test on master build
  run sts test from http://go/ag/13308312

Change-Id: Ibc338e0a98293807dbf12500f7e82e62b6c4a04a

drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp

diff --git a/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp
index 1b8b8c1..6ac3510 100644
--- a/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp
@@ -109,6 +109,7 @@
 }
 
 void DrmPlugin::setPlayPolicy() {
+    android::Mutex::Autolock lock(mPlayPolicyLock);
     mPlayPolicy.clear();
     mPlayPolicy.add(kQueryKeyLicenseType, kStreaming);
     mPlayPolicy.add(kQueryKeyPlayAllowed, kTrue);

drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h

diff --git a/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h
index 4fa42e5..aa9b59d 100644
--- a/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h
+++ b/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h
@@ -262,6 +262,7 @@
     void initProperties();
     void setPlayPolicy();
 
+    android::Mutex mPlayPolicyLock;
     android::KeyedVector<String8, String8> mPlayPolicy;
     android::KeyedVector<String8, String8> mStringProperties;
     android::KeyedVector<String8, Vector<uint8_t>> mByteArrayProperties;

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index 30f7459..e03a419 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
@@ -212,6 +212,7 @@
 }
 
 void DrmPlugin::setPlayPolicy() {
+    android::Mutex::Autolock lock(mPlayPolicyLock);
     mPlayPolicy.clear();
 
     KeyValue policy;

drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
index fb0695a..7d9650f 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
+++ b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
@@ -330,6 +330,7 @@
     int64_t mCloseSessionOkCount;
     int64_t mCloseSessionNotOpenedCount;
     uint32_t mNextSecureStopId;
+    android::Mutex mPlayPolicyLock;
 
     CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);
 };