mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-22 21:31:15 -05:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
68 lines
2.8 KiB
Diff
68 lines
2.8 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Edwin Wong <edwinwong@google.com>
|
|
Date: Tue, 21 Jun 2022 01:36:43 +0000
|
|
Subject: [PATCH] RESTRICT AUTOMERGE - [Fix vulnerability] setSecurityLevel in
|
|
clearkey
|
|
|
|
Potential race condition in clearkey setSecurityLevel.
|
|
|
|
POC test in http://go/ag/19083795
|
|
|
|
Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209
|
|
|
|
Bug: 235601882
|
|
Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b
|
|
(cherry picked from commit dab37c25e3337387809fd35c7cd46abf76088b83)
|
|
Merged-In: I6447fb539ef0cb395772c61e6f3e1504ccde331b
|
|
---
|
|
drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp | 2 ++
|
|
drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h | 8 +++++++-
|
|
2 files changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
|
|
index 0737851acc..923e4d500e 100644
|
|
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
|
|
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
|
|
@@ -381,6 +381,7 @@ Return<void> DrmPlugin::getSecurityLevel(const hidl_vec<uint8_t>& sessionId,
|
|
return Void();
|
|
}
|
|
|
|
+ Mutex::Autolock lock(mSecurityLevelLock);
|
|
std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
|
|
mSecurityLevel.find(sid);
|
|
if (itr == mSecurityLevel.end()) {
|
|
@@ -411,6 +412,7 @@ Return<Status> DrmPlugin::setSecurityLevel(const hidl_vec<uint8_t>& sessionId,
|
|
return Status::ERROR_DRM_SESSION_NOT_OPENED;
|
|
}
|
|
|
|
+ Mutex::Autolock lock(mSecurityLevelLock);
|
|
std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
|
|
mSecurityLevel.find(sid);
|
|
if (itr != mSecurityLevel.end()) {
|
|
diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
|
|
index 7d9650f4bf..5360623aef 100644
|
|
--- a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
|
|
+++ b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
|
|
@@ -323,7 +323,8 @@ private:
|
|
std::vector<KeyValue> mPlayPolicy;
|
|
std::map<std::string, std::string> mStringProperties;
|
|
std::map<std::string, std::vector<uint8_t> > mByteArrayProperties;
|
|
- std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel;
|
|
+ std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel
|
|
+ GUARDED_BY(mSecurityLevelLock);
|
|
sp<IDrmPluginListener> mListener;
|
|
SessionLibrary *mSessionLibrary;
|
|
int64_t mOpenSessionOkCount;
|
|
@@ -332,6 +333,11 @@ private:
|
|
uint32_t mNextSecureStopId;
|
|
android::Mutex mPlayPolicyLock;
|
|
|
|
+ DeviceFiles mFileHandle GUARDED_BY(mFileHandleLock);
|
|
+ Mutex mFileHandleLock;
|
|
+ Mutex mSecureStopLock;
|
|
+ Mutex mSecurityLevelLock;
|
|
+
|
|
CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);
|
|
};
|
|
|