mm-video-v4l2: venc: Protect buffer from being freed while accessing

Output buffer (in use-buffer mode) has an internal backup ion buffer.
The contents of this buffer are deep-copied in client's buffer in
the context of VideoEncCallBackThread; while this buffer can be
freed in the client thread's context.
Check the allocation bitmask before attempting to copy, and
synchronize these operations by holding a lock.

Fixes bug 36130225
 Security Vulnerability - Heap use after free in libOmxVenc

CRs-Fixed: 2053101

Author: Praveen Chavan <pchavan@codeaurora.org>

Change-Id: I6141e81d7dbd50bc3601c8df066fd8cbd06b4e0b
Santhosh Behara 2017-06-05 15:21:22 -07:00 committed by Marco Nelissen
parent 4fb2744c19
commit 6ec830ac0c
3 changed files with 16 additions and 1 deletions


@ -683,6 +683,7 @@ class omx_video: public qc_omx_component
omx_cmd_queue m_opq_meta_q;
omx_cmd_queue m_opq_pmem_q;
OMX_BUFFERHEADERTYPE meta_buffer_hdr[MAX_NUM_INPUT_BUFFERS];
pthread_mutex_t m_buf_lock;
bool input_flush_progress;
bool output_flush_progress;
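Review bot: `pthread_mutex_t m_buf_lock;` is declared without stating what it protects, and the class body continues outside the hunk, so a reader of the header cannot tell which members must be touched under it. The other hunks of this commit take it around the `m_out_bm_count` clear in free_buffer and around the FBD copy in the async thread, so a one-line comment on the declaration would pin that contract, e.g. `// Guards m_out_bm_count and the output buffers' backup storage against the async FBD path (see async_message_process)`. The lock's lifetime (init in the constructor, destroy in the destructor) is worth naming there too.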


@ -328,6 +328,8 @@ omx_video::omx_video():
property_get("ro.board.platform", platform_name, "0");
strlcpy(m_platform, platform_name, sizeof(m_platform));
#endif
pthread_mutex_init(&m_buf_lock, NULL);
}
@ -369,6 +371,8 @@ omx_video::~omx_video()
sem_destroy(&m_cmd_lock);
DEBUG_PRINT_HIGH("m_etb_count = %" PRIu64 ", m_fbd_count = %" PRIu64, m_etb_count,
m_fbd_count);
pthread_mutex_destroy(&m_buf_lock);
DEBUG_PRINT_HIGH("omx_video: Destructor exit");
DEBUG_PRINT_HIGH("Exiting OMX Video Encoder ...");
}
@ -2725,6 +2729,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer(
return OMX_ErrorBadParameter;
}
auto_lock l(m_buf_lock);
if (!m_out_mem_ptr) {
output_use_buffer = true;
int nBufHdrSize = 0;
@ -3655,6 +3660,7 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
nPortIndex, (unsigned int)m_sOutPortDef.nBufferCountActual);
if (nPortIndex < m_sOutPortDef.nBufferCountActual &&
BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) {
auto_lock l(m_buf_lock);
// Clear the bit associated with it.
BITMASK_CLEAR(&m_out_bm_count,nPortIndex);
m_sOutPortDef.bPopulated = OMX_FALSE;
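Review bot: In free_buffer the `BITMASK_PRESENT(&m_out_bm_count, nPortIndex)` test on the if-line runs before `auto_lock l(m_buf_lock);` is acquired, so the presence check and the `BITMASK_CLEAR` are not atomic with respect to any other holder of m_buf_lock; if two free_buffer calls for the same port index can ever overlap (I cannot tell from the hunk), both will pass the unlocked test and proceed to release the same buffer. Re-testing the bit once the lock is held closes that window: `auto_lock l(m_buf_lock); if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex)) return OMX_ErrorBadParameter;` placed as the first statements inside the block. The if-block, and the actual release of the backing ion buffer, continue past the end of the hunk, so it should be confirmed that the release happens inside the scope of `l` rather than after the block closes; otherwise the async thread's copy can still overlap the free the commit is meant to prevent. A short comment on the lock line naming the peer in async_message_process would make the pairing visible to the next maintainer.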


@ -2593,10 +2593,17 @@ int omx_venc::async_message_process (void *context, void* message)
OMX_COMPONENT_GENERATE_EBD);
break;
case VEN_MSG_OUTPUT_BUFFER_DONE:
{
omxhdr = (OMX_BUFFERHEADERTYPE*)m_sVenc_msg->buf.clientdata;
OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);
if ( (omxhdr != NULL) &&
((OMX_U32)(omxhdr - omx->m_out_mem_ptr) < omx->m_sOutPortDef.nBufferCountActual)) {
(bufIndex < omx->m_sOutPortDef.nBufferCountActual)) {
auto_lock l(omx->m_buf_lock);
if (BITMASK_ABSENT(&(omx->m_out_bm_count), bufIndex)) {
DEBUG_PRINT_ERROR("Recieved FBD for buffer that is already freed !");
break;
}
if (!omx->is_secure_session() && (m_sVenc_msg->buf.len <= omxhdr->nAllocLen)) {
omxhdr->nFilledLen = m_sVenc_msg->buf.len;
omxhdr->nOffset = m_sVenc_msg->buf.offset;
@ -2630,6 +2637,7 @@ int omx_venc::async_message_process (void *context, void* message)
omx->post_event ((unsigned long)omxhdr,m_sVenc_msg->statuscode,
OMX_COMPONENT_GENERATE_FBD);
break;
}
case VEN_MSG_NEED_OUTPUT_BUFFER:
//TBD what action needs to be done here??
break;
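Review bot: `OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);` in the first hunk now executes before the `omxhdr != NULL` test, whereas the condition it replaces only performed the subtraction once the null check had passed; subtracting a null (or, if `m_out_mem_ptr` has been reset, an unrelated) pointer is undefined behaviour in C++, and `omx->m_out_mem_ptr` is read here before `m_buf_lock` is taken. Keeping the original short-circuit form and computing the index under the lock avoids both: `if ((omxhdr != NULL) && ((OMX_U32)(omxhdr - omx->m_out_mem_ptr) < omx->m_sOutPortDef.nBufferCountActual)) { auto_lock l(omx->m_buf_lock); OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);`. The `break` inside the locked block is fine because `auto_lock` releases on scope exit, but a one-line comment such as `// buffer freed by the client between FBD and this copy; drop the event` would explain why no FBD is posted in that case. The case body between the two hunks (the copy into the client buffer) and the rest of async_message_process lie outside the hunk, so I could not confirm that every access to the backup buffer is inside the scope of `l`.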