From 442f2b2b9b3e53932ec997c924396dd561543e36 Mon Sep 17 00:00:00 2001 From: Santhosh Behara Date: Mon, 5 Jun 2017 15:21:22 -0700 Subject: mm-video-v4l2: venc: Protect buffer from being freed while accessing Output buffer (in use-buffer mode) has an internal backup ion buffer. The contents of this buffer are deep-copied in client's buffer in the context of VideoEncCallBackThread; while this buffer can be freed in the client thread's context. Check the allocation bitmask before attempting to copy and synchronize these operations by holding a lock Fixes bug 36130225 Security Vulnerability - Heap use after free in libOmxVenc CRs-Fixed: 2053101 Bug: 36130225 Change-Id: I75ef3df29fcabff52ea87cf5a4aa98e48bb40298 Author: Praveen Chavan (cherry picked from commit f56db36a42e50bfca7dd0e8d80cee8233daf61d2)
---
 msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h | 3 ++-
 msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 8 +++++++-
 msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp | 14 +++++++++++---
 3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
index f97bcd7..33671e8 100644
--- a/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
+++ b/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
-Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
+Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are
@@ -667,6 +667,7 @@ class omx_video: public qc_omx_component
 omx_cmd_queue m_opq_meta_q; omx_cmd_queue m_opq_pmem_q; OMX_BUFFERHEADERTYPE meta_buffer_hdr[MAX_NUM_INPUT_BUFFERS];
+ pthread_mutex_t m_buf_lock;
 bool input_flush_progress; bool output_flush_progress; 
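Review bot: `pthread_mutex_t m_buf_lock;` is added to omx_video with no comment saying what it guards, so a later reader has to go back to the commit message to learn that it pairs with m_out_bm_count and the client output buffer headers. Suggest `// Guards m_out_bm_count and the output buffer headers: held by use_output_buffer()/free_buffer() and by the FBD path in async_message_process() while it copies into a client buffer.` Since the class already has `m_lock`, the same comment should state the intended ordering between the two (or that they are never held together), which the hunks do not make explicit.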
diff --git a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index 87f8d42..64f76ee 100644
--- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
-Copyright (c) 2010-2016, Linux Foundation. All rights reserved.
+Copyright (c) 2010-2017, Linux Foundation. All rights reserved.
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
@@ -314,6 +314,8 @@ omx_video::omx_video():
 pthread_mutex_init(&m_lock, NULL); sem_init(&m_cmd_lock,0,0); DEBUG_PRINT_LOW("meta_buffer_hdr = %p", meta_buffer_hdr);
+
+ pthread_mutex_init(&m_buf_lock, NULL);
 }
@@ -354,6 +356,8 @@ omx_video::~omx_video()
 sem_destroy(&m_cmd_lock); DEBUG_PRINT_HIGH("m_etb_count = %" PRIu64 ", m_fbd_count = %" PRIu64, m_etb_count, m_fbd_count);
+
+ pthread_mutex_destroy(&m_buf_lock);
 DEBUG_PRINT_HIGH("omx_video: Destructor exit"); DEBUG_PRINT_HIGH("Exiting OMX Video Encoder ..."); }
@@ -2664,6 +2668,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer(
 return OMX_ErrorBadParameter; }
+ auto_lock l(m_buf_lock);
 if (!m_out_mem_ptr) { output_use_buffer = true; int nBufHdrSize = 0;
@@ -3590,6 +3595,7 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
 nPortIndex, (unsigned int)m_sOutPortDef.nBufferCountActual); if (nPortIndex < m_sOutPortDef.nBufferCountActual && BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) {
+ auto_lock l(m_buf_lock);
 // Clear the bit associated with it.
 BITMASK_CLEAR(&m_out_bm_count,nPortIndex); m_sOutPortDef.bPopulated = OMX_FALSE;
diff --git a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
index 74c2869..f4a92a4 100644
--- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp 
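Review bot: In the free_buffer hunk the `BITMASK_PRESENT(&m_out_bm_count, nPortIndex)` test runs before `auto_lock l(m_buf_lock)` is taken, so the check and the `BITMASK_CLEAR` that follows are not atomic against another thread entering the same block for the same index; hoisting the lock above the condition closes that window: `auto_lock l(m_buf_lock);` / `if (nPortIndex < m_sOutPortDef.nBufferCountActual &&` / `        BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) {`. The use_output_buffer hunk already does it that way round (lock first, then `if (!m_out_mem_ptr)`), so this also makes the two consistent. Both functions continue outside their hunks; since the FBD path derives its index from `m_out_mem_ptr`, whatever releases that array (not only the per-buffer backing) must also sit inside the locked block, which I cannot confirm from here.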
+++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
-Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
+Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
@@ -2526,11 +2526,18 @@ int omx_venc::async_message_process (void *context, void* message)
 OMX_COMPONENT_GENERATE_EBD); break; case VEN_MSG_OUTPUT_BUFFER_DONE:
+ {
 omxhdr = (OMX_BUFFERHEADERTYPE*)m_sVenc_msg->buf.clientdata;
+ OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);
 if ( (omxhdr != NULL) &&
- ((OMX_U32)(omxhdr - omx->m_out_mem_ptr) < omx->m_sOutPortDef.nBufferCountActual)) {
- if (m_sVenc_msg->buf.len <= omxhdr->nAllocLen) {
+ (bufIndex < omx->m_sOutPortDef.nBufferCountActual)) {
+ auto_lock l(omx->m_buf_lock);
+ if (BITMASK_ABSENT(&(omx->m_out_bm_count), bufIndex)) {
+ DEBUG_PRINT_ERROR("Recieved FBD for buffer that is already freed !");
+ break;
+ }
+ if (!omx->is_secure_session() && (m_sVenc_msg->buf.len <= omxhdr->nAllocLen)) {
 omxhdr->nFilledLen = m_sVenc_msg->buf.len; omxhdr->nOffset = m_sVenc_msg->buf.offset; omxhdr->nTimeStamp = m_sVenc_msg->buf.timestamp;
@@ -2555,6 +2562,7 @@ int omx_venc::async_message_process (void *context, void* message)
 omx->post_event ((unsigned long)omxhdr,m_sVenc_msg->statuscode, OMX_COMPONENT_GENERATE_FBD); break;
+ }
 case VEN_MSG_NEED_OUTPUT_BUFFER: //TBD what action needs to be done here??
 break;
-- cgit v1.2.3
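Review bot: `OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);` and the `bufIndex < nBufferCountActual` test are evaluated before `auto_lock l(omx->m_buf_lock)` is acquired, so that read of `m_out_mem_ptr` is still unsynchronized with free_buffer; only the `BITMASK_ABSENT` check and the copy are under the lock. `bufIndex` is also computed before the `omxhdr != NULL` test, so the subtraction is performed on a NULL header in the error case. I would check `omxhdr` first, then take the lock and compute and bounds-check the index under it (still releasing it before `post_event`), as below; if code later in the case (outside the hunk) uses `bufIndex`, keep its declaration at case scope and assign it under the lock instead, and if `m_out_mem_ptr` can be NULL at this point a guard on it belongs in the same condition. Two smaller points: the new log string misspells "Received", and the added `!omx->is_secure_session()` condition means a secure session never sets nFilledLen/nOffset/nTimeStamp in this branch — the hunk ends before any else-path, so whether that is intended is not visible here.
```cpp
case VEN_MSG_OUTPUT_BUFFER_DONE:
{
    omxhdr = (OMX_BUFFERHEADERTYPE*)m_sVenc_msg->buf.clientdata;
    if (omxhdr != NULL && omx->m_out_mem_ptr != NULL) {
        // Index, bounds check and bitmask check all run under the lock that
        // free_buffer() holds while clearing the bit, so they cannot
        // interleave with a concurrent release of this buffer.
        auto_lock l(omx->m_buf_lock);
        OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);
        if (bufIndex < omx->m_sOutPortDef.nBufferCountActual) {
            if (BITMASK_ABSENT(&(omx->m_out_bm_count), bufIndex)) {
                DEBUG_PRINT_ERROR("Received FBD for buffer that is already freed !");
                break;
            }
            // … unchanged: is_secure_session()/nAllocLen check and header field copy …
        }
    }
    // … unchanged: post_event(..., OMX_COMPONENT_GENERATE_FBD) and break …
```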