Merge "graphics: fix use-after-free in mapper 2.0 passthrough"
diff --git a/graphics/mapper/2.0/utils/hal/include/mapper-hal/2.0/Mapper.h b/graphics/mapper/2.0/utils/hal/include/mapper-hal/2.0/Mapper.h
index 8134174..0067105 100644
--- a/graphics/mapper/2.0/utils/hal/include/mapper-hal/2.0/Mapper.h
+++ b/graphics/mapper/2.0/utils/hal/include/mapper-hal/2.0/Mapper.h
@@ -85,11 +85,7 @@
return Error::BAD_BUFFER;
}
- Error error = mHal->freeBuffer(bufferHandle);
- if (error == Error::NONE) {
- removeImportedBuffer(buffer);
- }
- return error;
+ return freeImportedBuffer(bufferHandle);
}
Return<void> lock(void* buffer, uint64_t cpuUsage, const V2_0::IMapper::Rect& accessRegion,
@@ -160,8 +156,8 @@
return static_cast<void*>(bufferHandle);
}
- virtual native_handle_t* removeImportedBuffer(void* buffer) {
- return static_cast<native_handle_t*>(buffer);
+ virtual Error freeImportedBuffer(native_handle_t* bufferHandle) {
+ return mHal->freeBuffer(bufferHandle);
}
virtual native_handle_t* getImportedBuffer(void* buffer) const {
diff --git a/graphics/mapper/2.0/utils/passthrough/include/mapper-passthrough/2.0/GrallocLoader.h b/graphics/mapper/2.0/utils/passthrough/include/mapper-passthrough/2.0/GrallocLoader.h
index 85a91c3..f2e0064 100644
--- a/graphics/mapper/2.0/utils/passthrough/include/mapper-passthrough/2.0/GrallocLoader.h
+++ b/graphics/mapper/2.0/utils/passthrough/include/mapper-passthrough/2.0/GrallocLoader.h
@@ -56,17 +56,14 @@
return *singleton;
}
+ std::mutex* getMutex() { return &mMutex; }
+
void* add(native_handle_t* bufferHandle) {
std::lock_guard<std::mutex> lock(mMutex);
return mBufferHandles.insert(bufferHandle).second ? bufferHandle : nullptr;
}
- native_handle_t* remove(void* buffer) {
- auto bufferHandle = static_cast<native_handle_t*>(buffer);
-
- std::lock_guard<std::mutex> lock(mMutex);
- return mBufferHandles.erase(bufferHandle) == 1 ? bufferHandle : nullptr;
- }
+ void removeLocked(native_handle* bufferHandle) { mBufferHandles.erase(bufferHandle); }
native_handle_t* get(void* buffer) {
auto bufferHandle = static_cast<native_handle_t*>(buffer);
@@ -95,8 +92,13 @@
return GrallocImportedBufferPool::getInstance().add(bufferHandle);
}
- native_handle_t* removeImportedBuffer(void* buffer) override {
- return GrallocImportedBufferPool::getInstance().remove(buffer);
+ Error freeImportedBuffer(native_handle_t* bufferHandle) override {
+ std::lock_guard<std::mutex> lock(*GrallocImportedBufferPool::getInstance().getMutex());
+ Error error = this->mHal->freeBuffer(bufferHandle);
+ if (error == Error::NONE) {
+ GrallocImportedBufferPool::getInstance().removeLocked(bufferHandle);
+ }
+ return error;
}
native_handle_t* getImportedBuffer(void* buffer) const override {
diff --git a/graphics/mapper/2.1/utils/hal/include/mapper-hal/2.1/Mapper.h b/graphics/mapper/2.1/utils/hal/include/mapper-hal/2.1/Mapper.h
index 038f572..b4a2bedc 100644
--- a/graphics/mapper/2.1/utils/hal/include/mapper-hal/2.1/Mapper.h
+++ b/graphics/mapper/2.1/utils/hal/include/mapper-hal/2.1/Mapper.h
@@ -46,7 +46,7 @@
return Error::BAD_BUFFER;
}
- return mHal->validateBufferSize(bufferHandle, descriptorInfo, stride);
+ return this->mHal->validateBufferSize(bufferHandle, descriptorInfo, stride);
}
Return<void> getTransportSize(void* buffer, IMapper::getTransportSize_cb hidl_cb) {
@@ -58,7 +58,7 @@
uint32_t numFds = 0;
uint32_t numInts = 0;
- Error error = mHal->getTransportSize(bufferHandle, &numFds, &numInts);
+ Error error = this->mHal->getTransportSize(bufferHandle, &numFds, &numInts);
hidl_cb(error, numFds, numInts);
return Void();
}
@@ -66,7 +66,7 @@
Return<void> createDescriptor_2_1(const IMapper::BufferDescriptorInfo& descriptorInfo,
IMapper::createDescriptor_2_1_cb hidl_cb) override {
BufferDescriptor descriptor;
- Error error = mHal->createDescriptor_2_1(descriptorInfo, &descriptor);
+ Error error = this->mHal->createDescriptor_2_1(descriptorInfo, &descriptor);
hidl_cb(error, descriptor);
return Void();
}
@@ -74,7 +74,6 @@
private:
using BaseType2_0 = V2_0::hal::detail::MapperImpl<Interface, Hal>;
using BaseType2_0::getImportedBuffer;
- using BaseType2_0::mHal;
};
} // namespace detail