commit 936279e1ffe6bf7e842c46f9a94d98a48dce6754
author Mikhail Naganov <mnaganov@google.com> Wed Mar 29 09:31:18 2017 -0700
committer Mikhail Naganov <mnaganov@google.com> Thu Mar 30 15:52:30 2017 +0000
tree 39eadf542d861befe9ca3eed3cf21ba439e52353
parent 63e15f079062579a1b1866026eee0fca5d677fb7

audiohal: Fix UAF of HAL devices in Stream objects

Stream objects used to hold a pointer to underlying HAL device
object which they didn't own. Since destruction of server side
objects is asynchronous, it was possible that a Device object
gets destroyed before Stream objects, making all the HAL device
object pointer to become stale.

Fixed by adding a strong reference to Device objects into Stream
objects.

Bug: 36702804
Change-Id: I3da3611afbb91d6fd6410ac5b8af2a2eebfa6dac
Test: ran Loopback app and HAL VTS tests
(cherry picked from commit 96d3573cda6f76bcbfc277e69d94914a565218d8)

audio/2.0/default/StreamIn.cpp

diff --git a/audio/2.0/default/StreamIn.cpp b/audio/2.0/default/StreamIn.cpp
index b641e82..2745607 100644
--- a/audio/2.0/default/StreamIn.cpp
+++ b/audio/2.0/default/StreamIn.cpp
@@ -135,7 +135,7 @@
 
 }  // namespace
 
-StreamIn::StreamIn(audio_hw_device_t* device, audio_stream_in_t* stream)
+StreamIn::StreamIn(const sp<Device>& device, audio_stream_in_t* stream)
         : mIsClosed(false), mDevice(device), mStream(stream),
           mStreamCommon(new Stream(&stream->common)),
           mStreamMmap(new StreamMmap<audio_stream_in_t>(stream)),
@@ -154,9 +154,8 @@
         status_t status = EventFlag::deleteEventFlag(&mEfGroup);
         ALOGE_IF(status, "read MQ event flag deletion error: %s", strerror(-status));
     }
-    mDevice->close_input_stream(mDevice, mStream);
+    mDevice->closeInputStream(mStream);
     mStream = nullptr;
-    mDevice = nullptr;
 }
 
 // Methods from ::android::hardware::audio::V2_0::IStream follow.