Prevent mEventCache UAF in SensorEventConnection Since there is no check to see if SensorEventConnection has been destroyed, the mEventCache pointer can still be used even after it was freed. Bug: 168211968 Test: Run test code that attempts to enable a sensor after destroying the SensorEventConnection, and verify no system_server crash occurs. Change-Id: Ia9275b7cc574df371cdb2e1b80c6699df193b580

commit: 3e9afc163256db661b9039120d07501b3a8a7d99 [log] [tgz]
author: Arthur Ishiguro <arthuri@google.com> Tue Sep 22 13:05:15 2020 -0700
committer: Arthur Ishiguro <arthuri@google.com> Fri Oct 02 11:24:49 2020 -0700
tree: fa4ec4960f9d248093be44c5d49d75a7907c2d85
parent: a72accd83cc7f7144ad19439c24d4db7a1572141 [diff] [blame]
diff --git a/services/sensorservice/SensorEventConnection.h b/services/sensorservice/SensorEventConnection.h
index 8f2d5db..9487a39 100644
--- a/services/sensorservice/SensorEventConnection.h
+++ b/services/sensorservice/SensorEventConnection.h

@@ -17,6 +17,7 @@
 #ifndef ANDROID_SENSOR_EVENT_CONNECTION_H
 #define ANDROID_SENSOR_EVENT_CONNECTION_H
 
+#include <atomic>
 #include <stdint.h>
 #include <sys/types.h>
 #include <unordered_map>
@@ -182,8 +183,8 @@
     int mTotalAcksNeeded, mTotalAcksReceived;
 #endif
 
-    mutable Mutex mDestroyLock;
-    bool mDestroyed;
+    // Used to track if this object was inappropriately used after destroy().
+    std::atomic_bool mDestroyed;
 
     // Store a mapping of sensor handles to required AppOp for a sensor. This map only contains a
     // valid mapping for sensors that require a permission in order to reduce the lookup time.
commit	3e9afc163256db661b9039120d07501b3a8a7d99	[log] [tgz]
author	Arthur Ishiguro <arthuri@google.com>	Tue Sep 22 13:05:15 2020 -0700
committer	Arthur Ishiguro <arthuri@google.com>	Fri Oct 02 11:24:49 2020 -0700
tree	fa4ec4960f9d248093be44c5d49d75a7907c2d85
parent	a72accd83cc7f7144ad19439c24d4db7a1572141 [diff] [blame]