audiohal: Fix UAF of HAL devices in Stream objects
Stream objects used to hold a pointer to underlying HAL device
object which they didn't own. Since destruction of server side
objects is asynchronous, it was possible that a Device object
gets destroyed before Stream objects, making all the HAL device
object pointer to become stale.
Fixed by adding a strong reference to Device objects into Stream
objects.
Bug: 36702804
Change-Id: I3da3611afbb91d6fd6410ac5b8af2a2eebfa6dac
Test: ran Loopback app and HAL VTS tests
diff --git a/audio/2.0/default/StreamIn.h b/audio/2.0/default/StreamIn.h
index b867387..950d68f 100644
--- a/audio/2.0/default/StreamIn.h
+++ b/audio/2.0/default/StreamIn.h
@@ -27,6 +27,7 @@
#include <hidl/Status.h>
#include <utils/Thread.h>
+#include "Device.h"
#include "Stream.h"
namespace android {
@@ -55,7 +56,7 @@
typedef MessageQueue<uint8_t, kSynchronizedReadWrite> DataMQ;
typedef MessageQueue<ReadStatus, kSynchronizedReadWrite> StatusMQ;
- StreamIn(audio_hw_device_t* device, audio_stream_in_t* stream);
+ StreamIn(const sp<Device>& device, audio_stream_in_t* stream);
// Methods from ::android::hardware::audio::V2_0::IStream follow.
Return<uint64_t> getFrameSize() override;
@@ -101,10 +102,10 @@
private:
bool mIsClosed;
- audio_hw_device_t *mDevice;
+ const sp<Device> mDevice;
audio_stream_in_t *mStream;
- sp<Stream> mStreamCommon;
- sp<StreamMmap<audio_stream_in_t>> mStreamMmap;
+ const sp<Stream> mStreamCommon;
+ const sp<StreamMmap<audio_stream_in_t>> mStreamMmap;
std::unique_ptr<CommandMQ> mCommandMQ;
std::unique_ptr<DataMQ> mDataMQ;
std::unique_ptr<StatusMQ> mStatusMQ;