commit cb61d0c9be80bf834653496195caa8264a9e30ec
author Wolloh Chou <wollohchou@google.com> Tue Mar 20 15:28:00 2018 +0800
committer Wolloh Chou <wollohchou@google.com> Tue Mar 20 15:38:45 2018 +0800
tree 7bb8199a0ef0dd55497c48cf1ed570b3d998e43e
parent eec88d343a1105d4da5c108c49258e2ccc131f4a

Fix heap use after free.

Asan shows the memory op used was freed by mOperationMap.removeOperation(token), so change the order of mAuthTokenTable.MarkCompleted(op.handle) and mOperationMap.removeOperation(token).

Bug: 74572753
Test: runtest --path
cts/tests/tests/keystore/src/android/keystore/cts/KeyStoreTest.java

Change-Id: I9f5452fc639a1f694c37759ee860f73f57d0fdcf

keystore/key_store_service.cpp

diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index aab3db1..721b857 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1436,8 +1436,9 @@
         op.device->finish(op.handle, inParams,
                           ::std::vector<uint8_t>() /* TODO(swillden): wire up input to finish() */,
                           signature, authToken, VerificationToken(), hidlCb));
-    mOperationMap.removeOperation(token);
+    // removeOperation() will free the memory 'op' used, so the order is important
     mAuthTokenTable.MarkCompleted(op.handle);
+    mOperationMap.removeOperation(token);
 
     // just a reminder: on success result->resultCode was set in the callback. So we only overwrite
     // it if there was a communication error indicated by the ErrorCode.