Fix potential use-after-free in hw auth token handling. The operation map caches the hw_auth_token used to start the operation but it was storing the pointer returned by the auth token table and not the token itself leading to a potential use-after-free if the token was removed from the table between the operation starting and completeting. The operation table now stores the auth token itself instead of the pointer provided by the auth table. Change-Id: I80fd49655ed98e7879d2caa7f1ae077ff50e0e54

commit: 999f1b05261837d6571fa4effa357a9af1d8d01a [log] [tgz]
author: Chad Brubaker <cbrubaker@google.com> Tue Jun 02 14:32:59 2015 -0700
committer: Chad Brubaker <cbrubaker@google.com> Wed Jun 03 10:11:51 2015 -0700
tree: b6658813f991f5d032a14e1407f776a101665c16
parent: 7d0e9a4170ec1b1ed0f80c1a75131dadf3dd6abe [diff] [blame]
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 667f456..74d65f6 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp

@@ -115,11 +115,7 @@
     if (entry == mMap.end()) {
         return false;
     }
-    if (entry->second.authToken.get() != NULL) {
-        *outToken = *entry->second.authToken;
-    } else {
-        *outToken = NULL;
-    }
+    *outToken = entry->second.authToken.get();
     return true;
 }
 
@@ -128,8 +124,8 @@
     if (entry == mMap.end()) {
         return false;
     }
-    entry->second.authToken.reset(new const hw_auth_token_t*);
-    *entry->second.authToken = authToken;
+    entry->second.authToken.reset(new hw_auth_token_t);
+    *entry->second.authToken = *authToken;
     return true;
 }
commit	999f1b05261837d6571fa4effa357a9af1d8d01a	[log] [tgz]
author	Chad Brubaker <cbrubaker@google.com>	Tue Jun 02 14:32:59 2015 -0700
committer	Chad Brubaker <cbrubaker@google.com>	Wed Jun 03 10:11:51 2015 -0700
tree	b6658813f991f5d032a14e1407f776a101665c16
parent	7d0e9a4170ec1b1ed0f80c1a75131dadf3dd6abe [diff] [blame]