Google Git
Sign in
android / platform / frameworks / hardware / interfaces / f511fda58b8c77b7f81a3586d8ae1cf10a920fce
commitf511fda58b8c77b7f81a3586d8ae1cf10a920fce[log] [tgz]
authorAnthony Stange <stange@google.com>Wed Dec 09 16:30:41 2020 -0500
committerandroid-build-team Robot <android-build-team-robot@google.com>Tue Feb 09 01:24:15 2021 +0000
tree2b33869ab55bd85fc7e55a3b46caace23eae7a93
parent429804c700a0b0db72c2e8d239f75e9e105e3ebc [diff]
Use strong pointer in ALooper to avoid use-after-free

If the endpoint that has a reference to the ASensorEventQueue goes away
without calling ASensorManager_destroyEventQueue, then the event queue's
reference goes to 0. This causes the event queue to be destroyed, but
the looper may still call it since it hasn't been invalidated yet
causing a use-after-free.

To avoid this, store the event queue as a weak pointer in the looper's
queue and attempt to promote it to a strong pointer when it needs to be
used. If it can't be promoted, then it is ignored and cleared later.

Bug: 175074139
Test: Load Android firmware image and run the camera app to verify no
crashes are seen.

Merged-In: I1439bf9c0a725818889f7be64e234d952363f4db
Change-Id: I1439bf9c0a725818889f7be64e234d952363f4db
(cherry picked from commit 7d712cfe6ddf86c07c4f2baee74ec948c7fc72d0)
2 files changed
tree: 2b33869ab55bd85fc7e55a3b46caace23eae7a93
  1. automotive/
  2. bufferhub/
  3. cameraservice/
  4. displayservice/
  5. schedulerservice/
  6. sensorservice/
  7. stats/
  8. vr/
  9. .clang-format
  10. Android.bp
  11. current.txt
  12. OWNERS
  13. PREUPLOAD.cfg
  14. TEST_MAPPING
  15. update-makefiles.sh