authorKen Chen <cken@google.com>2023-06-15 17:46:16 +0800
committerJulian Veit <claymore1298@gmail.com>2023-11-10 17:47:38 +0100
commit7f4bc042da81931eabdc93510e1216d8b94117d9 (patch)
tree42e93331bea27edfc6c111d284bdd2977dc8174c /ResolverController.cpp
parenta2019f5fbbbbc08ac918263c406ae21b221a2a6a (diff)
Fix use-after-free in DNS64 discovery threadt13.0
The DNS64 discovery thread is detached from the requesting binder thread, but it references resources that it does not own and that can be destroyed when the dnsresolver is destroyed. Hold a strong pointer to Dns64Configuration in the DNS64 discovery thread so that the Dns64Configuration instance stays alive until the DNS64 thread is force terminated. Ignore-AOSP-First: Fix security vulnerability Bug: 278303745 Test: m, fuzzing Fuzzing: mma resolv_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/resolv_service_fuzzer/resolv_service_fuzzer (cherry picked from commit 254115584ff558fb87ee6ec5f5bb043f76219910) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:79f571069c4db536e7c1bfecbb50c926f0ef0548) Merged-In: Id74ea4e6f54a00805d3cc8a9d7e15e58a473b7d3 Change-Id: Id74ea4e6f54a00805d3cc8a9d7e15e58a473b7d3
Diffstat (limited to 'ResolverController.cpp')
-rw-r--r--ResolverController.cpp15
1 files changed, 7 insertions, 8 deletions
diff --git a/ResolverController.cpp b/ResolverController.cpp
index a430a08c..12bf7f92 100644
--- a/ResolverController.cpp
+++ b/ResolverController.cpp
@@ -156,17 +156,17 @@ int getDnsInfo(unsigned netId, std::vector<std::string>* servers, std::vector<st
} // namespace
ResolverController::ResolverController()
- : mDns64Configuration(
+ : mDns64Configuration(new Dns64Configuration(
[](uint32_t netId, uint32_t uid, android_net_context* netcontext) {
gResNetdCallbacks.get_network_context(netId, uid, netcontext);
},
- std::bind(sendNat64PrefixEvent, std::placeholders::_1)) {}
+ std::bind(sendNat64PrefixEvent, std::placeholders::_1))) {}
void ResolverController::destroyNetworkCache(unsigned netId) {
LOG(VERBOSE) << __func__ << ": netId = " << netId;
resolv_delete_cache_for_net(netId);
- mDns64Configuration.stopPrefixDiscovery(netId);
+ mDns64Configuration->stopPrefixDiscovery(netId);
PrivateDnsConfiguration::getInstance().clear(netId);
if (isDoHEnabled()) PrivateDnsConfiguration::getInstance().clearDoh(netId);
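Review bot: Nothing at the `new Dns64Configuration(` initializer records that the object can now outlive ResolverController, which constrains what the two callbacks passed to it may capture. Both visible callbacks look safe: the lambda reads the global `gResNetdCallbacks`, and `sendNat64PrefixEvent` appears to be a free function bound without an object. A later edit that captures `this` in either one would reintroduce the use-after-free on the detached discovery thread. I would add a comment above the initializer such as `// Dns64Configuration can outlive this object (the discovery thread holds a strong ref); callbacks must not capture |this|.` The member declaration and the thread-side reference are outside this file's diff, so the member's type should be confirmed; if it is `android::sp`, `sp<Dns64Configuration>::make(...)` would avoid the raw `new`.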
@@ -283,16 +283,16 @@ int ResolverController::getResolverInfo(int32_t netId, std::vector<std::string>*
}
void ResolverController::startPrefix64Discovery(int32_t netId) {
- mDns64Configuration.startPrefixDiscovery(netId);
+ mDns64Configuration->startPrefixDiscovery(netId);
}
void ResolverController::stopPrefix64Discovery(int32_t netId) {
- return mDns64Configuration.stopPrefixDiscovery(netId);
+ return mDns64Configuration->stopPrefixDiscovery(netId);
}
// TODO: use StatusOr<T> to wrap the result.
int ResolverController::getPrefix64(unsigned netId, netdutils::IPPrefix* prefix) {
- netdutils::IPPrefix p = mDns64Configuration.getPrefix64(netId);
+ netdutils::IPPrefix p = mDns64Configuration->getPrefix64(netId);
if (p.family() != AF_INET6 || p.length() == 0) {
return -ENOENT;
}
@@ -358,8 +358,7 @@ void ResolverController::dump(DumpWriter& dw, unsigned netId) {
params.sample_validity, params.success_threshold, params.min_samples,
params.max_samples, params.base_timeout_msec, params.retry_count);
}
-
- mDns64Configuration.dump(dw, netId);
+ mDns64Configuration->dump(dw, netId);
const auto privateDnsStatus = PrivateDnsConfiguration::getInstance().getStatus(netId);
dw.println("Private DNS mode: %s", getPrivateDnsModeString(privateDnsStatus.mode));
if (privateDnsStatus.dotServersMap.size() == 0) {