commit daa95ee120926ced237c37a5deea6a994b1f62e2
author Edwin Wong <edwinwong@google.com> Tue Jun 21 01:36:43 2022 +0000
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Sun Sep 25 23:52:10 2022 +0000
tree 1071faa08cd71aa2646e9982cff06c2af24b8986
parent 8051a196acbd5271961c351843483741b3062cf0

[Fix vulnerability] setSecurityLevel in clearkey

Potential race condition in clearkey setSecurityLevel.

POC test in http://go/ag/19083795

Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209

Bug: 235601882
Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b
Merged-In: I2e2084e85fe45d7d7f958c59b0063a477c7d24bf
(cherry picked from commit 9bfc2fbcc4be68bc8939a10dd7942845dc724f75)
Merged-In: I6447fb539ef0cb395772c61e6f3e1504ccde331b

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index 32d7723..e04dd7e 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
@@ -619,6 +619,7 @@
         return Void();
     }
 
+    Mutex::Autolock lock(mSecurityLevelLock);
     std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
             mSecurityLevel.find(sid);
     if (itr == mSecurityLevel.end()) {
@@ -691,6 +692,7 @@
         return Status::ERROR_DRM_SESSION_NOT_OPENED;
     }
 
+    Mutex::Autolock lock(mSecurityLevelLock);
     std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
             mSecurityLevel.find(sid);
     if (itr != mSecurityLevel.end()) {

drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
index cb5c9fe..1019520 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
+++ b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
@@ -414,7 +414,8 @@
     std::map<std::string, std::vector<uint8_t> > mByteArrayProperties;
     std::map<std::string, std::vector<uint8_t> > mReleaseKeysMap;
     std::map<std::vector<uint8_t>, std::string> mPlaybackId;
-    std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel;
+    std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel
+        GUARDED_BY(mSecurityLevelLock);
     sp<IDrmPluginListener> mListener;
     sp<IDrmPluginListener_V1_2> mListenerV1_2;
     SessionLibrary *mSessionLibrary;
@@ -434,6 +435,7 @@
 
     DeviceFiles mFileHandle;
     Mutex mSecureStopLock;
+    Mutex mSecurityLevelLock;
 
     CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);
 };