libbinder_ndk: fix UB memory access for race
AIBinder_DeathRecipient holds a strong pointer to its internal class
TransferDeathRecipient. If a user deletes a death recipient at the
same time a binder dies, the TDR still holds a reference to the
AIBinder_DeathRecipient object that may be invalidated.
Bug: N/A
Test: build, boot, and ./runtests.sh
Change-Id: Ic4cbc50c2d85ce52e36d4b157a50d0c75048e664
diff --git a/libs/binder/ndk/ibinder_internal.h b/libs/binder/ndk/ibinder_internal.h
index 0dd795a..202d6d2 100644
--- a/libs/binder/ndk/ibinder_internal.h
+++ b/libs/binder/ndk/ibinder_internal.h
@@ -133,7 +133,7 @@
// binderDied receipt only gives us information about the IBinder.
struct TransferDeathRecipient : ::android::IBinder::DeathRecipient {
TransferDeathRecipient(const ::android::wp<::android::IBinder>& who, void* cookie,
- const AIBinder_DeathRecipient_onBinderDied& onDied)
+ const AIBinder_DeathRecipient_onBinderDied onDied)
: mWho(who), mCookie(cookie), mOnDied(onDied) {}
void binderDied(const ::android::wp<::android::IBinder>& who) override;
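Review bot: The reason `mOnDied` is now stored by value lives only in the commit message, so nothing in the header stops a later change from turning it back into a reference; the same applies to the member declaration in the second hunk (`const AIBinder_DeathRecipient_onBinderDied mOnDied;`), which is where I would put a comment such as `// Held by value: a reference would alias the owning AIBinder_DeathRecipient, which a client may delete while binderDied runs.` The top-level `const` on the by-value constructor parameter `onDied` has no effect on the declaration and can be dropped, `AIBinder_DeathRecipient_onBinderDied onDied`, to keep the signature in line with the existing `explicit AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied);`. TransferDeathRecipient's body continues past the end of this hunk.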
@@ -144,7 +144,7 @@
private:
::android::wp<::android::IBinder> mWho;
void* mCookie;
- const AIBinder_DeathRecipient_onBinderDied& mOnDied;
+ const AIBinder_DeathRecipient_onBinderDied mOnDied;
};
explicit AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied);