This change renames the IMemory raw pointer accessors to
unsecure*() to make it apparent to coders and code reviewers
that the returned buffer may potentially be shared with
untrusted processes, which may, after the fact, attempt to
read and/or modify the contents. This may lead to hard-to-find
security bugs and hopefully the rename makes it harder
to forget.
The change also attempts to fix all the callsites to make
everything build correctly, but in the process, wherever the
callsite code was not obviously secure, I added a TODO requesting
the owners to either document why it's secure or to change the
code. Apologies in advance to the owners if there are some false
positives here - I don't have enough context to reason about all
the different callsites.
Test: Completely syntactic change. Made sure code still builds.
Change-Id: I5fb99aa797c488406083178a6b05355d98710d3b
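The hazard the rename above is meant to flag is a double fetch: code validates a value it reads from a buffer shared with another process, then reads the value again when it uses it, and the peer changes it in between. The following is an added illustration, not code from this change or from frameworks/av; the SharedMsg layout, the Tamper hook that plays the untrusted peer, and the function names are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>

// Constructed layout of a message living in memory shared with another
// process (an "unsecure" buffer): a length word followed by payload bytes.
struct SharedMsg {
    uint32_t len;
    uint8_t  payload[64];
};

constexpr size_t kMaxPayload = sizeof(SharedMsg::payload);

// Stand-in for the untrusted peer, which can write to the shared buffer at
// any time. The hook runs between our check and our use of the length.
using Tamper = std::function<void(SharedMsg*)>;

// Vulnerable pattern: validates unsecure->len, then re-reads it from shared
// memory when deciding how many bytes to copy. Returns the length that a
// real implementation would hand to memcpy(out, unsecure->payload, n); the
// copy itself is deliberately omitted so this demo cannot overflow `out`.
size_t copyOutDoubleFetch(SharedMsg* unsecure, uint8_t* /*out*/, const Tamper& peerWrites) {
    if (unsecure->len > kMaxPayload) return 0;   // check: first fetch of len
    peerWrites(unsecure);                         // peer races us here
    size_t n = unsecure->len;                     // use: second fetch, unchecked
    return n;
}

// Hardened pattern: snapshot the whole message out of shared memory once,
// then validate and use only the private copy. Later writes by the peer
// cannot change what was already read.
size_t copyOutSnapshot(SharedMsg* unsecure, uint8_t* out, const Tamper& peerWrites) {
    SharedMsg local;
    std::memcpy(&local, unsecure, sizeof(local));  // single fetch
    if (local.len > kMaxPayload) return 0;         // check the copy
    peerWrites(unsecure);                          // peer races us here, harmlessly
    std::memcpy(out, local.payload, local.len);    // use the copy
    return local.len;
}

// Drive either version against a peer that enlarges `len` after the check.
// Constructed input: a 16-byte message that the peer grows to 200 bytes.
size_t demoCopy(bool snapshot) {
    SharedMsg shared{};
    shared.len = 16;
    uint8_t out[kMaxPayload] = {};
    Tamper grow = [](SharedMsg* m) { m->len = 200; };
    return snapshot ? copyOutSnapshot(&shared, out, grow)
                    : copyOutDoubleFetch(&shared, out, grow);
}

int main() {
    std::printf("double fetch would copy %zu bytes into a %zu-byte buffer\n",
                demoCopy(false), kMaxPayload);
    std::printf("snapshot copies %zu bytes\n", demoCopy(true));
    return 0;
}
```

The same rule applies to any structure read from an unsecure buffer, not just a length: copy the whole descriptor out first, then validate and act on the copy, and never dereference the shared pointer again for that request.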
This does two things:
- makes sure that HALs configured as lazy HALs will be retrieved
- will detect bad manifest entries earlier
Bug: 131703193
Test: boot
Change-Id: I69fb80b023cc17f94e4f6a10203ee077a5e61e19
New codes are being added to handle resource
contention, lost session state, frame size too
large and insufficient security level for
decryption. Also cleans up inconsistent use of
tamper detected error where invalid state error
should have been used.
bug:111504510
bug:111505796
test:cts and gts media test cases
Change-Id: I28ca04cdc8ce64047d189fcf4d59bab24208e1a7
When clearHeapBase is called after a plugin is
closed, a null pointer is dereferenced. Protect
against it with a null pointer check.
Test: GTS media tests, check logcat for faults
bug:80434750
Change-Id: Ib568694c44fe22887c3db4f88e67cb598fd9e36a
CryptoHal in mediadrmserver was not releasing the
shared memory allocated remotely in the drm HAL
module until the HAL was closed, which could cause
shared memory allocation failures in situations
where multiple memory regions get mapped during
playback. This change releases the shared mapping
in the HAL when it is no longer needed.
bug:80104026
test:
1. manual tests with logging to ensure
shared memory is released
2. gts media tests on walleye
Change-Id: Ie2f306bce6aec697ae584da3f55b3cf72edaa07b
CryptoHal was not checking that the memory heap set by setHeap
was the same one that was actually used for the decrypt call, allowing
the caller to spoof the decrypt call into accessing arbitrary memory.
bug:76221123
test: mediadrmserverpoc included in the bug & GTS media tests
Change-Id: I35214a1a6d0a4b864123e147d1a1adc2377bfbc5
A method in CryptoHal was not checking the
hidl transaction status which causes an abort
if the transaction fails.
bug:79170524
test:gts media tests, netflix playback
Change-Id: Ia58500f0f2c64f987809360d3d7ead810ee01180
Relocate drm and crypto headers from media
to mediadrm to have finer grained ownership
bug:73556221
Change-Id: I7d1b5944f261f9b1fdeed7605e4c0b4b4ca43e1a
This reverts commit a3c77911df.
Reason for revert: build cop here. The original CL broke build git_master / walleye_asan, hence I'm reverting.
https://android-build.googleplex.com/builds/submitted/4597721/walleye_asan-userdebug/latest/view/logs/build_error.log
In file included from vendor/google/tools/security/fuzzers/libFuzzer/ICrypto_fuzzer/ICrypto_fuzzer.cpp:24:
frameworks/av/include/media/CryptoHal.h:23:10: fatal error: 'android/hardware/drm/1.1/ICryptoFactory.h' file not found
Change-Id: I185d5310cadb9990b864d71e42bba94f4740160c
Now that this API is available.
This keeps the implementation details of hidl's
ashmem allocator in libhidl itself (it should be
opaque).
Test: try and succeed watching (part of a) DRM protected movie
Bug: 34234561
Change-Id: Ied9beddace2ccfc859833ac55f4e3837db5f495e
Heap base for the same heap could be mapped to different values
after it goes across binder to CryptoHal. So we can't use heap base
to index the heaps.
Since each ACodec instance allocates all its shared memory buffers
from the same memory dealer, we let CryptoHal assign a sequence
number to the ACodec when it calls setHeap. In subsequent calls
to CryptoHal::decrypt, reference the heap by the seq num, and ignore
the heap base address.
Bug: 36479980
Bug: 36209723
Bug: 36660223
Test: the above bugs don't repro
Change-Id: I2f519a689a5891447385d1bf9d6e668bb3b4dbe2
(cherry-picked from bf628da1e2)
When a decoder is created while another decoder
is in use and the two decoders share a common
crypto instance, decryption results would become
indeterminate, which could cause the decoder to
hang. This change adds a notification to the
crypto instance so it can update state when its
ownership changes.
bug: 36209723
Test: playbacktests-debug-androidTest.apk as
described in the bug.
Change-Id: I453c260eace5543dd79a3569bf6a9592394c4113
MediaCodecTest.android.media.cts.MediaCodecTest.testCryptoError
was failing due to incorrect error code translation introduced
by the drm hidl hal.
bug: 35137940
Change-Id: Ia5e16809872c19335b4b9c1a8ddd1e625a4781b4
Prior to this change, the default legacy hal
module was explicitly referenced. This change
uses the service manager to iterate through
any hal instances so vendor-provided hals
can be loaded.
bug:34507158
Change-Id: I23bc4fdb2dc7d5254833c9a977241f1fede726a9
The initial drm hidl hal implementation assumed one
codec per crypto instance, but in fact there can be
multiple codecs per crypto instance. This change
extends the drm hal to allow multiple memory heaps
per crypto plugin. It fixes the issue of mapping
memory frequently during playback.
bug:35275191
Test: manual verification with Play Movies on angler
in passthrough mode and on marlin in binderized mode.
Change-Id: Icada005f515483d7bc214b08caf6eea46ca354a7
This change adds DrmHal & CryptoHal classes that connect to the Treble
HAL interfaces for drm. These classes mirror the existing Drm and
Crypto classes that connect to the DrmPlugin and CryptoPlugin
interfaces. Having both allows mediadrmserver to run in either mode
while the HAL is stabilized.
The shared memory interfaces between mediaserver's ACodecBufferChannel
and ICrypto had to be reworked to use the Treble HALs. Specifically,
the shared memory path for returning decrypted buffers in the
non-secure case had to become separate instead of piggy-backing on the
source shared memory buffer. A separate shared memory destination
buffer is now allocated on the buffer channel. An abstraction for a
decrypt destination buffer was also introduced to clarify ICrypto's
decrypt method.
Tests: Playback using Play Movies and ExoPlayer works on angler
with and without the treble hal enabled.
bug: 32815560
Change-Id: I5a3dc84f99902eb8cf8eabab9ad074d307744950
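Three of the messages above describe how the HAL side keeps the codec's shared memory honest: heaps are referenced by a sequence number handed out by setHeap rather than by base address (bug 36479980), a decrypt call may only touch a heap that was actually registered (bug 76221123), and the decrypted output goes to a separately sized destination buffer. The block below is an added model of those checks, not the CryptoHal implementation; CryptoHeapTable, validateDecrypt, Subsample, the status codes and the 4 KiB fixture are all constructed for the example, and it assumes the output is the same size as the clear plus encrypted input bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <map>
#include <vector>

// Hypothetical subsample descriptor: clear bytes followed by encrypted bytes.
struct Subsample {
    uint32_t numBytesOfClearData;
    uint32_t numBytesOfEncryptedData;
};

enum class DecryptStatus { Ok, UnknownHeap, SourceOutOfRange, SubsampleOverflow, DestinationTooSmall };

// Hypothetical HAL-side table of the heaps a codec has registered.
class CryptoHeapTable {
public:
    // setHeap(): register a heap and hand back a sequence number. The address
    // the heap is mapped at is never used as the key, because the same heap
    // can map at different addresses on each side of binder.
    uint32_t setHeap(std::vector<uint8_t> heapBytes) {
        uint32_t seq = mNextSeq++;
        mHeaps.emplace(seq, std::move(heapBytes));
        return seq;
    }

    // clearHeap(): release the mapping as soon as the codec is done with it
    // instead of holding every mapping until the HAL is closed.
    bool clearHeap(uint32_t seq) { return mHeaps.erase(seq) == 1; }

    bool hasHeap(uint32_t seq) const { return mHeaps.count(seq) == 1; }

    // Resolve (seq, offset, size) to a pointer into the registered heap.
    // Returns nullptr for an unregistered heap or a range that does not fit,
    // including offsets for which offset + size would wrap around.
    const uint8_t* resolve(uint32_t seq, size_t offset, size_t size) const {
        auto it = mHeaps.find(seq);
        if (it == mHeaps.end()) return nullptr;
        const std::vector<uint8_t>& heap = it->second;
        if (offset > heap.size() || size > heap.size() - offset) return nullptr;
        return heap.data() + offset;
    }

private:
    uint32_t mNextSeq = 1;
    std::map<uint32_t, std::vector<uint8_t>> mHeaps;
};

// Sum the subsample sizes without letting the total wrap.
static bool totalSubsampleBytes(const std::vector<Subsample>& subs, uint64_t* total) {
    uint64_t sum = 0;
    for (const Subsample& s : subs) {
        uint64_t add = uint64_t(s.numBytesOfClearData) + uint64_t(s.numBytesOfEncryptedData);
        if (add > std::numeric_limits<uint64_t>::max() - sum) return false;
        sum += add;
    }
    *total = sum;
    return true;
}

// Checks a decrypt() request must pass before any memory is touched: the
// source must lie inside a heap this codec registered, the subsamples must
// fit the source range, and the destination must hold the whole output.
DecryptStatus validateDecrypt(const CryptoHeapTable& table, uint32_t seq,
                              size_t srcOffset, size_t srcSize,
                              const std::vector<Subsample>& subs, size_t dstCapacity) {
    if (!table.hasHeap(seq)) return DecryptStatus::UnknownHeap;
    if (table.resolve(seq, srcOffset, srcSize) == nullptr) return DecryptStatus::SourceOutOfRange;
    uint64_t total = 0;
    if (!totalSubsampleBytes(subs, &total)) return DecryptStatus::SubsampleOverflow;
    if (total > srcSize) return DecryptStatus::SourceOutOfRange;
    if (total > dstCapacity) return DecryptStatus::DestinationTooSmall;
    return DecryptStatus::Ok;
}

// Constructed fixture: one codec that registered two 4 KiB heaps (seq 1, 2).
CryptoHeapTable makeDemoTable() {
    CryptoHeapTable t;
    t.setHeap(std::vector<uint8_t>(4096));
    t.setHeap(std::vector<uint8_t>(4096));
    return t;
}

// Once a heap is cleared its sequence number is dead: a decrypt that still
// quotes it is refused, and a second clear is reported rather than ignored.
bool demoClearHeapRevokesAccess() {
    CryptoHeapTable t = makeDemoTable();
    if (!t.clearHeap(1)) return false;
    if (t.clearHeap(1)) return false;
    return validateDecrypt(t, 1, 0, 16, {{8, 8}}, 16) == DecryptStatus::UnknownHeap;
}

int main() {
    CryptoHeapTable t = makeDemoTable();
    std::printf("unregistered heap -> status %d\n", (int)validateDecrypt(t, 99, 0, 16, {{8, 8}}, 16));
    std::printf("valid request     -> status %d\n", (int)validateDecrypt(t, 2, 1024, 256, {{128, 128}}, 256));
    return 0;
}
```

The caller never supplies a heap base at all; it can only name a sequence number it was given, so it cannot steer decrypt() at memory it did not register, and the bounds test on resolve() is written so that a huge offset cannot wrap past the end of the heap.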