diff options
author | Santhosh Behara <santhoshbehara@codeaurora.org> | 2017-06-05 15:21:22 -0700 |
---|---|---|
committer | Jonathan Solnit <jsolnit@google.com> | 2017-07-25 15:13:51 -0700 |
commit | f56db36a42e50bfca7dd0e8d80cee8233daf61d2 (patch) | |
tree | 0bdd26a12e48248b1cda8871e0989a602273bdea /msm8996 | |
parent | af7f1cd76eaafee0d9838e6c40af9c494e884e36 (diff) | |
download | media-f56db36a42e50bfca7dd0e8d80cee8233daf61d2.tar.gz |
mm-video-v4l2: venc: Protect buffer from being freed while accessing
Output buffer (in use-buffer mode) has an internal backup ion buffer.
The contents of this buffer are deep-copied in client's buffer in
the context of VideoEncCallBackThread; while this buffer can be
freed in the client thread's context.
Check the allocation bitmask before attempting to copy and
synchronize these operations by holding a lock
Fixes bug 36130225
Security Vulnerability - Heap use after free in libOmxVenc
CRs-Fixed: 2053101
Bug: 36130225
Change-Id: I75ef3df29fcabff52ea87cf5a4aa98e48bb40298
Author: Praveen Chavan<pchavan@codeaurora.org>
Diffstat (limited to 'msm8996')
-rw-r--r-- | msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h | 3 | ||||
-rw-r--r-- | msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 8 | ||||
-rw-r--r-- | msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp | 14 |
3 files changed, 20 insertions, 5 deletions
diff --git a/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h index 351c011..3590609 100644 --- a/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h +++ b/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h @@ -1,5 +1,5 @@ /*-------------------------------------------------------------------------- -Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. +Copyright (c) 2010-2017, The Linux Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are @@ -655,6 +655,7 @@ class omx_video: public qc_omx_component omx_cmd_queue m_opq_meta_q; omx_cmd_queue m_opq_pmem_q; OMX_BUFFERHEADERTYPE meta_buffer_hdr[MAX_NUM_INPUT_BUFFERS]; + pthread_mutex_t m_buf_lock; bool input_flush_progress; bool output_flush_progress; diff --git a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 691ede8..4f6f8a1 100644 --- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -1,5 +1,5 @@ /*-------------------------------------------------------------------------- -Copyright (c) 2010-2016, Linux Foundation. All rights reserved. +Copyright (c) 2010-2017, Linux Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -314,6 +314,8 @@ omx_video::omx_video(): pthread_mutex_init(&m_lock, NULL); sem_init(&m_cmd_lock,0,0); DEBUG_PRINT_LOW("meta_buffer_hdr = %p", meta_buffer_hdr); + + pthread_mutex_init(&m_buf_lock, NULL); } @@ -354,6 +356,8 @@ omx_video::~omx_video() sem_destroy(&m_cmd_lock); DEBUG_PRINT_HIGH("m_etb_count = %" PRIu64 ", m_fbd_count = %" PRIu64, m_etb_count, m_fbd_count); + + pthread_mutex_destroy(&m_buf_lock); DEBUG_PRINT_HIGH("omx_video: Destructor exit"); DEBUG_PRINT_HIGH("Exiting OMX Video Encoder ..."); } @@ -2654,6 +2658,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer( return OMX_ErrorBadParameter; } + auto_lock l(m_buf_lock); if (!m_out_mem_ptr) { output_use_buffer = true; int nBufHdrSize = 0; @@ -3572,6 +3577,7 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp, nPortIndex, (unsigned int)m_sOutPortDef.nBufferCountActual); if (nPortIndex < m_sOutPortDef.nBufferCountActual && BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) { + auto_lock l(m_buf_lock); // Clear the bit associated with it. BITMASK_CLEAR(&m_out_bm_count,nPortIndex); m_sOutPortDef.bPopulated = OMX_FALSE; diff --git a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index c216eee..e9c75f7 100644 --- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -1,5 +1,5 @@ /*-------------------------------------------------------------------------- -Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. +Copyright (c) 2010-2017, The Linux Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -2485,11 +2485,18 @@ int omx_venc::async_message_process (void *context, void* message) OMX_COMPONENT_GENERATE_EBD); break; case VEN_MSG_OUTPUT_BUFFER_DONE: + { omxhdr = (OMX_BUFFERHEADERTYPE*)m_sVenc_msg->buf.clientdata; + OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr); if ( (omxhdr != NULL) && - ((OMX_U32)(omxhdr - omx->m_out_mem_ptr) < omx->m_sOutPortDef.nBufferCountActual)) { - if (m_sVenc_msg->buf.len <= omxhdr->nAllocLen) { + (bufIndex < omx->m_sOutPortDef.nBufferCountActual)) { + auto_lock l(omx->m_buf_lock); + if (BITMASK_ABSENT(&(omx->m_out_bm_count), bufIndex)) { + DEBUG_PRINT_ERROR("Recieved FBD for buffer that is already freed !"); + break; + } + if (!omx->is_secure_session() && (m_sVenc_msg->buf.len <= omxhdr->nAllocLen)) { omxhdr->nFilledLen = m_sVenc_msg->buf.len; omxhdr->nOffset = m_sVenc_msg->buf.offset; omxhdr->nTimeStamp = m_sVenc_msg->buf.timestamp; @@ -2514,6 +2521,7 @@ int omx_venc::async_message_process (void *context, void* message) omx->post_event ((unsigned long)omxhdr,m_sVenc_msg->statuscode, OMX_COMPONENT_GENERATE_FBD); break; + } case VEN_MSG_NEED_OUTPUT_BUFFER: //TBD what action needs to be done here?? break; |