Fix SF security vulnerability: 32706020 Because of lack of mutex lock when get mConsumerName, if one thread getConsumerName, another thread setConsumerName frequently, an UAF will be triggered. Test: Marling with poc provided in bug report. Bug: 32706020 FPIIM-178: Elevation of privilege vulnerability in Mediaserver CVE-2017-0415 A-32706020 (cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436) Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65 (cherry picked from commit fb2412c4a57dc93ed9f7ffedc4fa2d3117dcf201)

commit: 61e9ba7116ca5504ebb48ad590f76ea8190e15a4 [log] [tgz]
author: Fabien Sanglard <sanglardf@google.com> Tue Nov 08 15:35:02 2016 -0800
committer: Dirk Vogt <dirk@fairphone.com> Wed Jan 25 21:25:16 2017 +0000
tree: 2061415aecd20fb8603be48907a846514e25d435
parent: 4713d7aac38f32ee1442a809aba5234b3d70f62b [diff] [blame]
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 87e5b4d..c6851c8 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp

@@ -1091,6 +1091,7 @@
 
 String8 BufferQueueProducer::getConsumerName() const {
     ATRACE_CALL();
+    Mutex::Autolock lock(mCore->mMutex);
     BQ_LOGV("getConsumerName: %s", mConsumerName.string());
     return mConsumerName;
 }
commit	61e9ba7116ca5504ebb48ad590f76ea8190e15a4	[log] [tgz]
author	Fabien Sanglard <sanglardf@google.com>	Tue Nov 08 15:35:02 2016 -0800
committer	Dirk Vogt <dirk@fairphone.com>	Wed Jan 25 21:25:16 2017 +0000
tree	2061415aecd20fb8603be48907a846514e25d435
parent	4713d7aac38f32ee1442a809aba5234b3d70f62b [diff] [blame]