Fix issue #27252896: Security Vulnerability -- weak binder

author Dianne Hackborn <hackbod@google.com>

Mon, 21 Mar 2016 17:36:54 +0000 (10:36 -0700)

committer Suprabh Shukla <suprabh@google.com>

Wed, 23 Mar 2016 01:22:23 +0000 (01:22 +0000)
author Dianne Hackborn <hackbod@google.com>
Mon, 21 Mar 2016 17:36:54 +0000 (10:36 -0700)
committer Suprabh Shukla <suprabh@google.com>
Wed, 23 Mar 2016 01:22:23 +0000 (01:22 +0000)
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp

index ef88181..af18e11 100644 (file)
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -1083,8 +1083,16 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
                      << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
              }
              if (tr.target.ptr) {
-                sp<BBinder> b((BBinder*)tr.cookie);
-                error = b->transact(tr.code, buffer, &reply, tr.flags);
+                // We only have a weak reference on the target object, so we must first try to
+                // safely acquire a strong reference before doing anything else with it.
+                if (reinterpret_cast<RefBase::weakref_type*>(
+                        tr.target.ptr)->attemptIncStrong(this)) {
+                    error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,
+                            &reply, tr.flags);
+                    reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this);
+                } else {
+                    error = UNKNOWN_TRANSACTION;
+                }
  
              } else {
                  error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
author	Dianne Hackborn <hackbod@google.com>
	Mon, 21 Mar 2016 17:36:54 +0000 (10:36 -0700)
committer	Suprabh Shukla <suprabh@google.com>
	Wed, 23 Mar 2016 01:22:23 +0000 (01:22 +0000)