Lookup layer handle when registering region sampling listener

We must do this in order to prevent clients from providing a bogus
handle when registering a region sampling listener. Fortunately, this
particular path required a permissions check so it cannot be accessed
from arbitrary apps on unrooted devices. But, we should not allow this
type of memory corruption to be reachable by the system.

Bug: 153467444
Test: libgui_test
Test: Repro steps in the bug no longer reproduce
Change-Id: I883506798574dfd0688371fdb6305cfad9d153fc
diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
index f3c481a..c59d3ff 100644
--- a/services/surfaceflinger/SurfaceFlinger.h
+++ b/services/surfaceflinger/SurfaceFlinger.h
@@ -332,7 +332,12 @@
return mTransactionCompletedThread;
}
- sp<Layer> fromHandle(const sp<IBinder>& handle) REQUIRES(mStateLock);
+ // Converts from a binder handle to a Layer
+ // Returns nullptr if the handle does not point to an existing layer.
+ // Otherwise, returns a weak reference so that callers off the main-thread
+ // won't accidentally hold onto the last strong reference.
+ wp<Layer> fromHandle(const sp<IBinder>& handle);
+ wp<Layer> fromHandleLocked(const sp<IBinder>& handle) REQUIRES(mStateLock);
// Inherit from ClientCache::ErasedRecipient
void bufferErased(const client_cache_t& clientCacheId) override;
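Review bot: the new unlocked fromHandle declaration has no thread-safety annotation, and the comment above it does not say how it differs from fromHandleLocked. If fromHandle takes mStateLock itself, annotate it with EXCLUDES(mStateLock) so the analysis that enforces REQUIRES(mStateLock) on the locked variant also rejects calls made while the lock is already held, and state in the comment which variant callers on and off the main thread are expected to use. The comment also says "Returns nullptr" while the return type is now wp<Layer>; it would help to spell out that callers get an empty weak reference and must promote() it and check the resulting sp<Layer> before use, since that null check is what keeps a bogus client handle from being dereferenced.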