audiohal: Fix UAF of HAL devices in Stream objects
Stream objects used to hold a pointer to underlying HAL device
object which they didn't own. Since destruction of server side
objects is asynchronous, it was possible that a Device object
gets destroyed before Stream objects, making all the HAL device
object pointer to become stale.
Fixed by adding a strong reference to Device objects into Stream
objects.
Bug: 36702804
Change-Id: I3da3611afbb91d6fd6410ac5b8af2a2eebfa6dac
Test: ran Loopback app and HAL VTS tests
diff --git a/audio/2.0/default/StreamOut.h b/audio/2.0/default/StreamOut.h
index bbe64a1..99352bc 100644
--- a/audio/2.0/default/StreamOut.h
+++ b/audio/2.0/default/StreamOut.h
@@ -27,6 +27,7 @@
#include <fmq/MessageQueue.h>
#include <utils/Thread.h>
+#include "Device.h"
#include "Stream.h"
namespace android {
@@ -57,7 +58,7 @@
typedef MessageQueue<uint8_t, kSynchronizedReadWrite> DataMQ;
typedef MessageQueue<WriteStatus, kSynchronizedReadWrite> StatusMQ;
- StreamOut(audio_hw_device_t* device, audio_stream_out_t* stream);
+ StreamOut(const sp<Device>& device, audio_stream_out_t* stream);
// Methods from ::android::hardware::audio::V2_0::IStream follow.
Return<uint64_t> getFrameSize() override;
@@ -112,10 +113,10 @@
private:
bool mIsClosed;
- audio_hw_device_t *mDevice;
+ const sp<Device> mDevice;
audio_stream_out_t *mStream;
- sp<Stream> mStreamCommon;
- sp<StreamMmap<audio_stream_out_t>> mStreamMmap;
+ const sp<Stream> mStreamCommon;
+ const sp<StreamMmap<audio_stream_out_t>> mStreamMmap;
sp<IStreamOutCallback> mCallback;
std::unique_ptr<CommandMQ> mCommandMQ;
std::unique_ptr<DataMQ> mDataMQ;