GrapheneOS-Archive / legacy_bugtracker

See the new issue tracker for GrapheneOS at https://github.com/GrapheneOS/os_issue_tracker.

use-after-free in bootanimation #805

Closed thestinger closed 6 years ago

thestinger commented 6 years ago
--------- beginning of crash
01-01 00:04:54.985  2193  2193 F libc    : free(): use after free 0x7fb7772500
01-01 00:04:54.985  2353  2563 D vndksupport: Loading /vendor/lib64/hw/gralloc.hikey960.so from current namespace instead of sphal namespace.
01-01 00:04:54.985  2193  2193 F libc    : Fatal signal 6 (SIGABRT), code -6 in tid 2193 (bootanimation), pid 2193 (bootanimation)
01-01 00:04:54.991  2157  2173 W StreamHAL: Error from HAL stream in function get_presentation_position: Operation not permitted
01-01 00:04:54.997  2642  2642 E cutils-trace: Error opening trace file: Permission denied (13)
01-01 00:04:55.002  2157  2173 W StreamHAL: Error from HAL stream in function get_presentation_position: Operation not permitted
01-01 00:04:55.003  2353  2353 D mali_winsys: EGLint new_window_surface(egl_winsys_display*, void*, EGLSurface, EGLConfig, egl_winsys_surface**, egl_color_buffer_format*, EGLBoolean) returns 0x3000
01-01 00:04:55.005  2643  2643 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
01-01 00:04:55.005  2126  2126 I /system/bin/tombstoned: received crash request for pid 2193
01-01 00:04:55.006  2643  2643 I crash_dump64: performing dump of process 2193 (target tid = 2193)
01-01 00:04:55.006  2643  2643 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-01 00:04:55.006  2643  2643 F DEBUG   : Build fingerprint: 'Android/hikey960/hikey960:8.1.0/OPM1.171019.011/2017.12.07.19:userdebug/release-keys'
01-01 00:04:55.006  2643  2643 F DEBUG   : Revision: '0'
01-01 00:04:55.006  2643  2643 F DEBUG   : ABI: 'arm64'
01-01 00:04:55.006  2643  2643 F DEBUG   : pid: 2193, tid: 2193, name: bootanimation  >>> /system/bin/bootanimation <<<
01-01 00:04:55.006  2643  2643 F DEBUG   : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
01-01 00:04:55.009  2643  2643 F DEBUG   : Abort message: 'free(): use after free 0x7fb7772500'
01-01 00:04:55.009  2643  2643 F DEBUG   :     x0   0000000000000000  x1   0000000000000891  x2   0000000000000006  x3   0000000000000008
01-01 00:04:55.009  2643  2643 F DEBUG   :     x4   0000008080808080  x5   0000008080808080  x6   0000008080808080  x7   0000000000000020
01-01 00:04:55.009  2643  2643 F DEBUG   :     x8   0000000000000083  x9   0000007ffffff720  x10  0000000010000000  x11  0000000000000001
01-01 00:04:55.009  2643  2643 F DEBUG   :     x12  0000000000000018  x13  0000000000000126  x14  000ea9a97efd5e00  x15  0000067ba5caa66b
01-01 00:04:55.010  2643  2643 F DEBUG   :     x16  0000007fb5ee12e0  x17  0000007fb5e6a134  x18  000000006b206574  x19  0000000000000891
01-01 00:04:55.010  2643  2643 F DEBUG   :     x20  0000000000000891  x21  0000000000000083  x22  0000007fb7ffb0a8  x23  0000000000000000
01-01 00:04:55.010  2643  2643 F DEBUG   :     x24  0000007fb5ee9000  x25  0000000000000080  x26  0000007fb5eec000  x27  0000000000000018
01-01 00:04:55.010  2643  2643 F DEBUG   :     x28  0000000000000083  x29  0000007ffffff760  x30  0000007fb5e5f668
01-01 00:04:55.010  2643  2643 F DEBUG   :     sp   0000007ffffff720  pc   0000007fb5e5f694  pstate 0000000060000000
01-01 00:04:55.013  2157  2173 W StreamHAL: Error from HAL stream in function get_presentation_position: Operation not permitted
01-01 00:04:55.014  2643  2643 F DEBUG   : 
01-01 00:04:55.014  2643  2643 F DEBUG   : backtrace:
01-01 00:04:55.014  2643  2643 F DEBUG   :     #00 pc 000000000001b694  /system/lib64/libc.so (abort+128)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #01 pc 000000000004b6a4  /system/lib64/libc.so (wrterror+340)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #02 pc 000000000004e69c  /system/lib64/libc.so (validate_junk+364)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #03 pc 000000000004cb54  /system/lib64/libc.so (ofree+852)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #04 pc 000000000004c78c  /system/lib64/libc.so (o_free+172)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #05 pc 000000000000dcc8  /system/lib64/libutils.so (android::SharedBuffer::release(unsigned int) const+28)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #06 pc 000000000007d558  /system/lib64/libc.so (__cxa_finalize+192)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #07 pc 0000000000018558  /system/lib64/libc.so (exit+24)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #08 pc 000000000007d77c  /system/lib64/libc.so (__libc_init+92)
01-01 00:04:55.014  2643  2643 F DEBUG   :     #09 pc 00000000000019cc  /system/bin/bootanimation (_start_main+80)
thestinger commented 6 years ago

Not device-specific anymore, or at least there's a generic bug too.