Fix SF security vulnerability: 32706020 Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered. Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65 Test: Marling with poc provided in bug report. Bug: 32706020

commit: d073eb7a3f28fd74bfa24c8b7599465cb7de5436 [log] [tgz]
author: Fabien Sanglard <sanglardf@google.com> Tue Nov 08 15:35:02 2016 -0800
committer: Fabien Sanglard <sanglardf@google.com> Wed Nov 09 17:25:44 2016 +0000
tree: 313ea3bcbab084f3a60fd1690b552f49c0629624
parent: 2c39ea10255c4cddf3e97fd00c2aa1548bc54c4f [diff] [blame]
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 87e5b4d..c6851c8 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp

@@ -1091,6 +1091,7 @@
 
 String8 BufferQueueProducer::getConsumerName() const {
     ATRACE_CALL();
+    Mutex::Autolock lock(mCore->mMutex);
     BQ_LOGV("getConsumerName: %s", mConsumerName.string());
     return mConsumerName;
 }
commit	d073eb7a3f28fd74bfa24c8b7599465cb7de5436	[log] [tgz]
author	Fabien Sanglard <sanglardf@google.com>	Tue Nov 08 15:35:02 2016 -0800
committer	Fabien Sanglard <sanglardf@google.com>	Wed Nov 09 17:25:44 2016 +0000
tree	313ea3bcbab084f3a60fd1690b552f49c0629624
parent	2c39ea10255c4cddf3e97fd00c2aa1548bc54c4f [diff] [blame]