Fix issue #27252896: Security Vulnerability -- weak binder
am: 41e7b17
* commit '41e7b1780f106d2eb4304b1f9cf060ce44177cae':
Fix issue #27252896: Security Vulnerability -- weak binder
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index 5951a3f..b865026 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -1070,9 +1070,18 @@
<< reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
}
if (tr.target.ptr) {
- sp<BBinder> b((BBinder*)tr.cookie);
- const status_t error = b->transact(tr.code, buffer, &reply, tr.flags);
- if (error < NO_ERROR) reply.setError(error);
+ // We only have a weak reference on the target object, so we must first try to
+ // safely acquire a strong reference before doing anything else with it.
+ if (reinterpret_cast<RefBase::weakref_type*>(
+ tr.target.ptr)->attemptIncStrong(this)) {
+ const status_t error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,
+ &reply, tr.flags);
+ reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this);
+ if (error < NO_ERROR) reply.setError(error);
+ } else {
+ const status_t error = UNKNOWN_TRANSACTION;
+ if (error < NO_ERROR) reply.setError(error);
+ }
} else {
const status_t error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
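Review bot: In the new else branch taken when `attemptIncStrong(this)` fails, `error` is the constant `UNKNOWN_TRANSACTION`, a negative status code, so the `if (error < NO_ERROR)` test is always true; `reply.setError(UNKNOWN_TRANSACTION);` would say the same thing without the dead condition. The added comment explains why a strong reference is taken, but not why the promotion goes through `tr.target.ptr` while the call and `decStrong(this)` go through `tr.cookie`. A line such as `// target.ptr is the object's weakref_type and cookie the BBinder itself; both must refer to the same object` would document the invariant this pairing relies on, though that reading is inferred from the casts and should be confirmed. The enclosing function starts and ends outside the hunk.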