From 41e7b1780f106d2eb4304b1f9cf060ce44177cae Mon Sep 17 00:00:00 2001
From: Dianne Hackborn
Date: Mon, 21 Mar 2016 10:36:54 -0700
Subject: [PATCH] Fix issue #27252896: Security Vulnerability -- weak binder

Sending transaction to freed BBinder through weak handle can cause use of a (mostly) freed object. We need to try to safely promote to a strong reference first.

Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(manually cherry picked and resolved conflicts from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
---
 libs/binder/IPCThreadState.cpp | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index 5951a3ff47..b865026afc 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -1070,9 +1070,18 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
                     << reinterpret_cast(tr.data.ptr.offsets) << endl;
             }
             if (tr.target.ptr) {
-                sp b((BBinder*)tr.cookie);
-                const status_t error = b->transact(tr.code, buffer, &reply, tr.flags);
-                if (error < NO_ERROR) reply.setError(error);
+                // We only have a weak reference on the target object, so we must first try to
+                // safely acquire a strong reference before doing anything else with it.
+                if (reinterpret_cast(
+                        tr.target.ptr)->attemptIncStrong(this)) {
+                    const status_t error = reinterpret_cast(tr.cookie)->transact(tr.code, buffer,
+                            &reply, tr.flags);
+                    reinterpret_cast(tr.cookie)->decStrong(this);
+                    if (error < NO_ERROR) reply.setError(error);
+                } else {
+                    const status_t error = UNKNOWN_TRANSACTION;
+                    if (error < NO_ERROR) reply.setError(error);
+                }
             } else {
                 const status_t error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
-- 
2.11.0
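Review bot: The `else` branch of the new `attemptIncStrong` check assigns `UNKNOWN_TRANSACTION` to a local and then tests `error < NO_ERROR` before calling `reply.setError(error)`; assuming `UNKNOWN_TRANSACTION` is a negative status code like the other error values in this file, that condition is always true and the two lines can be collapsed to `reply.setError(UNKNOWN_TRANSACTION);`. The success path also deserves a short comment on why the promotion goes through `tr.target.ptr` while the call and the matching `decStrong` go through `tr.cookie`, since a reader has to know these two kernel-supplied values name the same object for the manual inc/dec pairing to be correct — something like `// tr.target.ptr is the object's weakref_type and tr.cookie its BBinder*; both were registered together, so the strong ref taken above covers the transact() below`. With the `sp<>` gone, the `decStrong` is the only release on this path, so any future early return between `attemptIncStrong` and `decStrong` would leak a strong reference; noting that in the comment would help. `executeCommand` begins before this hunk and continues after it.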