fix use-after-free in adbd_auth The writev call is using references to data from the packet after it's popped from the queue. This was discovered in GrapheneOS due to using zero-on-free by default. It ends up resulting in adb being unable to persistently whitelist keys. Change-Id: Ibd9c1c4170bfe632b598b7666d09e4ce939a9e95

commit: e3e1cd5351b445a0d8df1617bbd2fc456c16cbd0 [log] [tgz]
author: Daniel Micay <danielmicay@gmail.com> Sat Jan 02 20:17:35 2021 -0500
committer: Daniel Micay <danielmicay@gmail.com> Sat Jan 02 21:01:54 2021 -0500
tree: 7110bad7b58fdc07478c11838a8829e6e8984ba4
parent: f5c89f5911cb24070dd3248d588a0d9d065fbe41 [diff] [blame]
diff --git a/libs/adbd_auth/adbd_auth.cpp b/libs/adbd_auth/adbd_auth.cpp
index dae6eeb..15bd5c3 100644
--- a/libs/adbd_auth/adbd_auth.cpp
+++ b/libs/adbd_auth/adbd_auth.cpp

@@ -282,9 +282,8 @@
             LOG(FATAL) << "adbd_auth: unhandled packet type?";
         }
 
-        output_queue_.pop_front();
-
         ssize_t rc = writev(framework_fd_.get(), iovs, iovcnt);
+        output_queue_.pop_front();
         if (rc == -1 && errno != EAGAIN && errno != EWOULDBLOCK) {
             PLOG(ERROR) << "adbd_auth: failed to write to framework fd";
             ReplaceFrameworkFd(unique_fd());
commit	e3e1cd5351b445a0d8df1617bbd2fc456c16cbd0	[log] [tgz]
author	Daniel Micay <danielmicay@gmail.com>	Sat Jan 02 20:17:35 2021 -0500
committer	Daniel Micay <danielmicay@gmail.com>	Sat Jan 02 21:01:54 2021 -0500
tree	7110bad7b58fdc07478c11838a8829e6e8984ba4
parent	f5c89f5911cb24070dd3248d588a0d9d065fbe41 [diff] [blame]