From: Eino-Ville Talvala Date: Tue, 21 Jun 2016 00:00:14 +0000 (-0700) Subject: DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak X-Git-Tag: android-x86-7.1-r1~217^2~2^2^2^2^2^2^2^2^2 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=54fc49c9f5ac06ea3c21cfe05a00f36c7df91b3f;p=android-x86%2Fframeworks-av.git DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak Subtract address of a random static object from pointers being routed through app process. Bug: 28466701 Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04 --- diff --git a/camera/ICameraRecordingProxy.cpp b/camera/ICameraRecordingProxy.cpp index 7223b6d32c..16a3d0221b 100644 --- a/camera/ICameraRecordingProxy.cpp +++ b/camera/ICameraRecordingProxy.cpp @@ -31,6 +31,11 @@ enum { RELEASE_RECORDING_FRAME, }; +uint8_t ICameraRecordingProxy::baseObject = 0; + +size_t ICameraRecordingProxy::getCommonBaseAddress() { + return (size_t)&baseObject; +} class BpCameraRecordingProxy: public BpInterface { @@ -106,4 +111,3 @@ status_t BnCameraRecordingProxy::onTransact( // ---------------------------------------------------------------------------- }; // namespace android - diff --git a/include/camera/ICameraRecordingProxy.h b/include/camera/ICameraRecordingProxy.h index 2aac28465c..4edf9cd1bb 100644 --- a/include/camera/ICameraRecordingProxy.h +++ b/include/camera/ICameraRecordingProxy.h @@ -83,6 +83,12 @@ public: virtual status_t startRecording(const sp& listener) = 0; virtual void stopRecording() = 0; virtual void releaseRecordingFrame(const sp& mem) = 0; + + // b/28466701 + static size_t getCommonBaseAddress(); + private: + + static uint8_t baseObject; }; // ---------------------------------------------------------------------------- diff --git a/include/media/stagefright/CameraSource.h b/include/media/stagefright/CameraSource.h index dd0a106974..cc46801314 100644 --- a/include/media/stagefright/CameraSource.h +++ b/include/media/stagefright/CameraSource.h 
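Review bot: The mask is applied as pointer arithmetic on a `uint8_t*` cast of the handle, with the offset produced by the C-style cast `(size_t)&baseObject` in getCommonBaseAddress(); adding or subtracting a whole address to or from a pointer lands far outside any object, which the language leaves undefined. Returning the value as an integer address, `return reinterpret_cast<uintptr_t>(&baseObject);` (with the declaration in ICameraRecordingProxy.h changed to match), and masking in integers at the call sites, e.g. `(buffer_handle_t)((uintptr_t)handle - base)`, gives the same wrap-around result with defined semantics. The same pattern appears in adjustIncomingANWBuffer, adjustOutgoingANWBuffer, processRecordingFrame and releaseRecordingFrame.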
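Review bot: The new accessor in ICameraRecordingProxy.h is documented only by a bug id, so a reader cannot tell what the returned value is for or what it does not guarantee. A comment along the lines of `// Offset used to mask buffer_handle_t values placed in recording metadata buffers; it is the address of a static object, fixed for the life of the process, so it obscures the handle but is not a per-buffer secret.` would state that. Since one side subtracts the value and the other adds it back, the comment should also say that both ends are expected to see the same address, which looks like it requires them to run in the same process.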
@@ -234,6 +234,9 @@ private: status_t checkFrameRate(const CameraParameters& params, int32_t frameRate); + static void adjustIncomingANWBuffer(IMemory* data); + static void adjustOutgoingANWBuffer(IMemory* data); + void stopCameraRecording(); status_t reset(); diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp index f76aed6256..7d2e0a49e1 100644 --- a/media/libstagefright/CameraSource.cpp +++ b/media/libstagefright/CameraSource.cpp @@ -27,8 +27,10 @@ #include #include #include +#include #include #include +#include #include #include #include @@ -770,6 +772,8 @@ void CameraSource::releaseQueuedFrames() { List >::iterator it; while (!mFramesReceived.empty()) { it = mFramesReceived.begin(); + // b/28466701 + adjustOutgoingANWBuffer(it->get()); releaseRecordingFrame(*it); mFramesReceived.erase(it); ++mNumFramesDropped; @@ -790,6 +794,9 @@ void CameraSource::signalBufferReturned(MediaBuffer *buffer) { for (List >::iterator it = mFramesBeingEncoded.begin(); it != mFramesBeingEncoded.end(); ++it) { if ((*it)->pointer() == buffer->data()) { + // b/28466701 + adjustOutgoingANWBuffer(it->get()); + releaseOneRecordingFrame((*it)); mFramesBeingEncoded.erase(it); ++mNumFramesEncoded; @@ -890,6 +897,10 @@ void CameraSource::dataCallbackTimestamp(int64_t timestampUs, ++mNumFramesReceived; CHECK(data != NULL && data->size() > 0); + + // b/28466701 + adjustIncomingANWBuffer(data.get()); + mFramesReceived.push_back(data); int64_t timeUs = mStartTimeUs + (timestampUs - mFirstFrameTimeUs); mFrameTimes.push_back(timeUs); 
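Review bot: After adjustIncomingANWBuffer() in dataCallbackTimestamp the unmasked handle sits in the IMemory itself until one of the adjustOutgoingANWBuffer() calls in releaseQueuedFrames or signalBufferReturned puts the mask back, and nothing in the code records that invariant. If that memory is also mapped outside this process, the real pointer would be readable there for as long as the frame is queued or being encoded, so it is worth checking whether consumers could take the unmasked value from a local copy instead. At minimum add a comment at the push_back such as `// data now holds the real buffer_handle_t; every path that releases the frame must call adjustOutgoingANWBuffer() first`. dataCallbackTimestamp starts outside this hunk, so any release paths earlier in the function are not visible here.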
@@ -903,6 +914,26 @@ bool CameraSource::isMetaDataStoredInVideoBuffers() const { return mIsMetaDataStoredInVideoBuffers; } +void CameraSource::adjustIncomingANWBuffer(IMemory* data) { + uint8_t *payload = + reinterpret_cast(data->pointer()); + if (*(uint32_t*)payload == kMetadataBufferTypeGrallocSource) { + buffer_handle_t* pBuffer = (buffer_handle_t*)(payload + 4); + *pBuffer = (buffer_handle_t)((uint8_t*)(*pBuffer) + + ICameraRecordingProxy::getCommonBaseAddress()); + } +} + +void CameraSource::adjustOutgoingANWBuffer(IMemory* data) { + uint8_t *payload = + reinterpret_cast(data->pointer()); + if (*(uint32_t*)payload == kMetadataBufferTypeGrallocSource) { + buffer_handle_t* pBuffer = (buffer_handle_t*)(payload + 4); + *pBuffer = (buffer_handle_t)((uint8_t*)(*pBuffer) - + ICameraRecordingProxy::getCommonBaseAddress()); + } +} + CameraSource::ProxyListener::ProxyListener(const sp& source) { mSource = source; } diff --git a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp index 9e7fff8e32..37df24d1e4 100644 --- a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp +++ b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp @@ -29,6 +29,7 @@ #include #include #include +#include #include "common/CameraDeviceBase.h" #include "api1/Camera2Client.h" @@ -768,7 +769,10 @@ status_t StreamingProcessor::processRecordingFrame() { uint8_t *data = (uint8_t*)heap->getBase() + offset; uint32_t type = kMetadataBufferTypeGrallocSource; *((uint32_t*)data) = type; - *((buffer_handle_t*)(data + 4)) = imgBuffer.mGraphicBuffer->handle; + buffer_handle_t* pBuffer = (buffer_handle_t*)(data + 4); + *pBuffer = (buffer_handle_t)( + (uint8_t*)imgBuffer.mGraphicBuffer->handle - + ICameraRecordingProxy::getCommonBaseAddress()); ALOGVV("%s: Camera %d: Sending out buffer_handle_t %p", __FUNCTION__, mId, imgBuffer.mGraphicBuffer->handle); 
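Review bot: Both helpers read four bytes at `data->pointer()` and then read and write a `buffer_handle_t` at offset 4 without checking the buffer, while the only visible guard, the CHECK in dataCallbackTimestamp, requires just `data->size() > 0`. The commit message says these buffers are routed through the app process, so the size should not be assumed; a guard at the top of each helper such as `if (data == NULL || data->pointer() == NULL || data->size() < sizeof(uint32_t) + sizeof(buffer_handle_t)) return;` closes that. The two bodies differ only in the sign of the offset, so a single shared helper taking the direction would keep them from drifting apart.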
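Review bot: The ALOGVV call at the end of the processRecordingFrame hunk still prints `imgBuffer.mGraphicBuffer->handle` with `%p`, so whenever that log level is compiled in, the raw pointer this change is masking ends up in the log. Logging the value actually written, `ALOGVV("%s: Camera %d: Sending out masked buffer_handle_t %p", __FUNCTION__, mId, *pBuffer);`, keeps the trace useful without the real address. processRecordingFrame begins and ends outside the hunk.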
@@ -814,8 +818,10 @@ void StreamingProcessor::releaseRecordingFrame(const sp& mem) { } // Release the buffer back to the recording queue - - buffer_handle_t imgHandle = *(buffer_handle_t*)(data + 4); + // b/28466701 + buffer_handle_t* pBuffer = (buffer_handle_t*)(data + 4); + buffer_handle_t imgHandle = (buffer_handle_t)((uint8_t*)(*pBuffer) + + ICameraRecordingProxy::getCommonBaseAddress()); size_t itemIndex; for (itemIndex = 0; itemIndex < mRecordingBuffers.size(); itemIndex++) {
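Review bot: The `// b/28466701` comment does not say what the following lines do, and this is the one place where the mask is removed into a local rather than in the buffer. A comment such as `// Undo the offset applied in processRecordingFrame() to recover the real handle` would make the pairing explicit. The value is read from `mem`, which per the commit message has passed through the app process, so the recovered handle should only ever be compared against known entries; the mRecordingBuffers loop that starts here appears to do that, but its body is outside the hunk.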