Google Git
Sign in
android / device / google / wahoo / 9ccd8c165e9c4cae954842dc70ec22bb2013b2af
commit9ccd8c165e9c4cae954842dc70ec22bb2013b2af[log] [tgz]
authorAndrew Lehmer <alehmer@google.com>Mon Mar 30 14:12:15 2020 -0700
committerAndrew Lehmer <alehmer@google.com>Mon Mar 30 14:24:40 2020 -0700
treed9d8c43aef0050f4370eb350c3cb1f807789af72
parent6bf1d5cfb83d5402e08160cad0d5b422da4b2ef7 [diff]
folio_daemon: Avoid UAF with stale sensor handle

It is possible for sensor handles retrieved using
ASensorManager_getDefaultSensor() to become stale if the underlying
binder connection to the sensor service gets reset. This can be
triggered by ASensorManager_createEventQueue(), so any sensor handle
retrieved prior to this call may become stale, resulting in a use-after-
free when the handle is eventually registered with the queue. To avoid
this, the event queue is created before retrieving or registering the
sensor.

Bug: 150225255
Test: No longer crashes with proof-of-concept on Pixel 2 XL.
Change-Id: I243f6c68c734af3eb5488855d965a894b5fb99e5
1 file changed
tree: d9d8c43aef0050f4370eb350c3cb1f807789af72
  1. bluetooth/
  2. bootctrl/
  3. dumpstate/
  4. folio_daemon/
  5. health/
  6. liblight/
  7. lisa/
  8. nfc/
  9. overlay/
  10. permissions/
  11. powerstats/
  12. seccomp_policy/
  13. sensors/
  14. sepolicy/
  15. usb/
  16. Android.bp
  17. Android.mk
  18. audio_policy_configuration.xml
  19. audio_policy_configuration_bluetooth_legacy_hal.xml
  20. BoardConfig.mk
  21. CleanSpec.mk
  22. compatibility_matrix.xml
  23. component-overrides.xml
  24. config.fs
  25. default-permissions.xml
  26. device.mk
  27. device_framework_matrix.xml
  28. framework_manifest.xml
  29. fstab.hardware
  30. fstab.postinstall
  31. gps.conf
  32. graphite_ipc_platform_info.xml
  33. init.elabel.sh
  34. init.fingerprint.sh
  35. init.hardware.chamber.rc.userdebug
  36. init.hardware.diag.rc.user
  37. init.hardware.diag.rc.userdebug
  38. init.hardware.rc
  39. init.hardware.usb.rc
  40. init.hardware.xr.rc
  41. init.insmod.sh
  42. init.power.sh
  43. init.qcom.devstart.sh
  44. init.qcom.ipastart.sh
  45. init.radio.sh
  46. init.ramoops.sh
  47. init.recovery.hardware.rc
  48. lowi.conf
  49. manifest.xml
  50. media_codecs.xml
  51. media_codecs_performance.xml
  52. media_profiles_V1_0.xml
  53. p2p_supplicant_overlay.conf
  54. recovery.wipe
  55. sec_config
  56. sound_trigger_mixer_paths_wcd9340.xml
  57. sound_trigger_platform_info.xml
  58. system.prop
  59. ueventd.hardware.rc
  60. uinput-fpc.idc
  61. uinput-fpc.kl
  62. utils.mk
  63. wifi_concurrency_cfg.txt
  64. wpa_supplicant_overlay.conf
  65. wpa_supplicant_wcn.conf