mm-video-v4l2: venc: Protect buffer from being freed while accessing

Output buffer (in use-buffer mode) has an internal backup ion buffer. The contents of this buffer are deep-copied in client's buffer in the context of VideoEncCallBackThread; while this buffer can be freed in the client thread's context. Check the allocation bitmask before attempting to copy and synchronize these operations by holding a lock Fixes bug 36130225 Security Vulnerability - Heap use after free in libOmxVenc CRs-Fixed: 2053101 Author: Praveen Chavan<pchavan@codeaurora.org> Change-Id: I6141e81d7dbd50bc3601c8df066fd8cbd06b4e0b
2024-10-31 22:47:35 +00:00 · 2017-06-05 15:21:22 -07:00 · 2017-06-05 15:21:22 -07:00 · a569853311
commit a569853311
parent 56c7e0ae48
3 changed files with 19 additions and 4 deletions
--- a/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
+++ b/msm8996/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
-Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
+Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@ -649,6 +649,7 @@ class omx_video: public qc_omx_component
        omx_cmd_queue m_opq_meta_q;
        omx_cmd_queue m_opq_pmem_q;
        OMX_BUFFERHEADERTYPE meta_buffer_hdr[MAX_NUM_INPUT_BUFFERS];
+        pthread_mutex_t m_buf_lock;

        bool input_flush_progress;
        bool output_flush_progress;
--- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
-Copyright (c) 2010-2016, Linux Foundation. All rights reserved.
+Copyright (c) 2010-2017, Linux Foundation. All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
@ -314,6 +314,8 @@ omx_video::omx_video():
    pthread_mutex_init(&m_lock, NULL);
    sem_init(&m_cmd_lock,0,0);
    DEBUG_PRINT_LOW("meta_buffer_hdr = %p", meta_buffer_hdr);
+
+    pthread_mutex_init(&m_buf_lock, NULL);
 }


@ -354,6 +356,8 @@ omx_video::~omx_video()
    sem_destroy(&m_cmd_lock);
    DEBUG_PRINT_HIGH("m_etb_count = %" PRIu64 ", m_fbd_count = %" PRIu64, m_etb_count,
            m_fbd_count);
+
+    pthread_mutex_destroy(&m_buf_lock);
    DEBUG_PRINT_HIGH("omx_video: Destructor exit");
    DEBUG_PRINT_HIGH("Exiting OMX Video Encoder ...");
 }
@ -2594,6 +2598,7 @@ OMX_ERRORTYPE  omx_video::use_output_buffer(
        return OMX_ErrorBadParameter;
    }

+    auto_lock l(m_buf_lock);
    if (!m_out_mem_ptr) {
        output_use_buffer = true;
        int nBufHdrSize        = 0;
@ -3512,6 +3517,7 @@ OMX_ERRORTYPE  omx_video::free_buffer(OMX_IN OMX_HANDLETYPE         hComp,
                nPortIndex, (unsigned int)m_sOutPortDef.nBufferCountActual);
        if (nPortIndex < m_sOutPortDef.nBufferCountActual &&
                BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) {
+            auto_lock l(m_buf_lock);
            // Clear the bit associated with it.
            BITMASK_CLEAR(&m_out_bm_count,nPortIndex);
            m_sOutPortDef.bPopulated = OMX_FALSE;
--- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
+++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
@ -2430,11 +2430,18 @@ int omx_venc::async_message_process (void *context, void* message)
                    OMX_COMPONENT_GENERATE_EBD);
            break;
        case VEN_MSG_OUTPUT_BUFFER_DONE:
+        {
            omxhdr = (OMX_BUFFERHEADERTYPE*)m_sVenc_msg->buf.clientdata;
+            OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);

            if ( (omxhdr != NULL) &&
-                    ((OMX_U32)(omxhdr - omx->m_out_mem_ptr)  < omx->m_sOutPortDef.nBufferCountActual)) {
-                if (m_sVenc_msg->buf.len <=  omxhdr->nAllocLen) {
+                    (bufIndex  < omx->m_sOutPortDef.nBufferCountActual)) {
+                auto_lock l(omx->m_buf_lock);
+                if (BITMASK_ABSENT(&(omx->m_out_bm_count), bufIndex)) {
+                    DEBUG_PRINT_ERROR("Recieved FBD for buffer that is already freed !");
+                    break;
+                }
+                if (!omx->is_secure_session() && (m_sVenc_msg->buf.len <=  omxhdr->nAllocLen)) {
                    omxhdr->nFilledLen = m_sVenc_msg->buf.len;
                    omxhdr->nOffset = m_sVenc_msg->buf.offset;
                    omxhdr->nTimeStamp = m_sVenc_msg->buf.timestamp;
@ -2459,6 +2466,7 @@ int omx_venc::async_message_process (void *context, void* message)
            omx->post_event ((unsigned long)omxhdr,m_sVenc_msg->statuscode,
                    OMX_COMPONENT_GENERATE_FBD);
            break;
+        }
        case VEN_MSG_NEED_OUTPUT_BUFFER:
            //TBD what action needs to be done here??
            break;