Fix potential use-after-free in hw auth token handling.
The operation map caches the hw_auth_token used to start the operation
but it was storing the pointer returned by the auth token table and not
the token itself leading to a potential use-after-free if the token was
removed from the table between the operation starting and completeting.
The operation table now stores the auth token itself instead of the
pointer provided by the auth table.
Change-Id: I80fd49655ed98e7879d2caa7f1ae077ff50e0e54
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 667f456..74d65f6 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -115,11 +115,7 @@
if (entry == mMap.end()) {
return false;
}
- if (entry->second.authToken.get() != NULL) {
- *outToken = *entry->second.authToken;
- } else {
- *outToken = NULL;
- }
+ *outToken = entry->second.authToken.get();
return true;
}
@@ -128,8 +124,8 @@
if (entry == mMap.end()) {
return false;
}
- entry->second.authToken.reset(new const hw_auth_token_t*);
- *entry->second.authToken = authToken;
+ entry->second.authToken.reset(new hw_auth_token_t);
+ *entry->second.authToken = *authToken;
return true;
}
diff --git a/keystore/operation.h b/keystore/operation.h
index fb9583f..07238d1 100644
--- a/keystore/operation.h
+++ b/keystore/operation.h
@@ -71,7 +71,7 @@
const keymaster1_device_t* device;
Unique_keymaster_key_characteristics characteristics;
sp<IBinder> appToken;
- std::unique_ptr<const hw_auth_token_t*> authToken;
+ std::unique_ptr<hw_auth_token_t> authToken;
};
std::map<sp<IBinder>, struct Operation> mMap;
std::vector<sp<IBinder>> mLru;