Google Git
Sign in
android / platform / frameworks / av / e5bfb560a63daedbe1adf8bf41a20b572654f999^! / .
commite5bfb560a63daedbe1adf8bf41a20b572654f999[log] [tgz]
authorEdwin Wong <[email protected]>Tue Jan 05 22:21:23 2021 -0800
committerandroid-build-team Robot <[email protected]>Tue Feb 09 01:22:54 2021 +0000
tree34ec1941cd2905e682ef9e74d3f8a336f35a59cf
parent14937e01950dc4bce459c18fca9ef13dd3db5f8f [diff]
Fix double free of play policy in a race condition.

The mPlayPolicy can be freed twice if there is a race condition.
mPlayPolicy should be protected with a mutex lock.

SafetyNet logging is not added to avoid log spamming. The
mutex lock is called whenever a license request is made.
That can happen quite often.

Bug: 176168330

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases -t android.security.sts.Poc21_01#testPocBug_176168330

Test: run sts test on master build
  run sts test from http://go/ag/13308312

Change-Id: Ibc338e0a98293807dbf12500f7e82e62b6c4a04a
(cherry picked from commit 537144f77baad847d2c30be6436f94c917019e68)
(cherry picked from commit 4b86f1dbae158737cd05aa4d5b5634985534cfc3)

diff --git a/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp
index 1b8b8c1..6ac3510 100644
--- a/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp

@@ -109,6 +109,7 @@
 }
 
 void DrmPlugin::setPlayPolicy() {
+    android::Mutex::Autolock lock(mPlayPolicyLock);
     mPlayPolicy.clear();
     mPlayPolicy.add(kQueryKeyLicenseType, kStreaming);
     mPlayPolicy.add(kQueryKeyPlayAllowed, kTrue);

diff --git a/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h
index 4fa42e5..aa9b59d 100644
--- a/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h
+++ b/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h

@@ -262,6 +262,7 @@
     void initProperties();
     void setPlayPolicy();
 
+    android::Mutex mPlayPolicyLock;
     android::KeyedVector<String8, String8> mPlayPolicy;
     android::KeyedVector<String8, String8> mStringProperties;
     android::KeyedVector<String8, Vector<uint8_t>> mByteArrayProperties;

diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index f87f830..a77759e 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

@@ -304,6 +304,7 @@
 }
 
 void DrmPlugin::setPlayPolicy() {
+    android::Mutex::Autolock lock(mPlayPolicyLock);
     mPlayPolicy.clear();
 
     KeyValue policy;

diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
index 3de7589..076beb8 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
+++ b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

@@ -406,6 +406,7 @@
     int64_t mCloseSessionOkCount;
     int64_t mCloseSessionNotOpenedCount;
     uint32_t mNextSecureStopId;
+    android::Mutex mPlayPolicyLock;
 
     // set by property to mock error scenarios
     Status_V1_2 mMockError;