GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

Pixel camera crashes (Buffer overflow + underflow) #3532

Closed Am0rphous closed 6 months ago

Am0rphous commented 6 months ago

Hi! Please point me in the right direction if this is not the appropriate repo to report this.

I got a couple of crashes in the last 24 hours. The first crash seems to be the Google Pixel Camera. I exported the following info from the phone:

type: crash
osVersion: google/husky/husky:14/AP1A.240505.005/2024050700:user/release-keys
uid: 1000 (u:r:hal_camera_default:s0)
cmdline: /apex/com.google.pixel.camera.hal/bin/hw/android.hardware.camera.provider@2.7-service-google
processUptime: 0s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr b00de566f4db7d6
cause: [MTE]: Buffer Overflow, 22 bytes into a 504-byte allocation at 0xde566f4db7c0
cause: [MTE]: Buffer Underflow, 5898 bytes left of a 512-byte allocation at 0xde566f4dcee0
cause: [MTE]: Buffer Underflow, 7082 bytes left of a 552-byte allocation at 0xde566f4dd380
threadName: NodeStartThread
MTE: enabled

backtrace:
    /apex/com.google.pixel.camera.hal/lib64/libgoog_catpipe.so (pc de2a50)
    /apex/com.google.pixel.camera.hal/lib64/libgoog_catpipe.so (CatNodeGetNumOfStaticSystemProperty+208, pc de2950)
    /apex/com.google.pixel.camera.hal/lib64/liblyric_hwl.so (pc a47a58)
    /apex/com.google.pixel.camera.hal/lib64/liblyric_hwl.so (pc 97082c)
    /apex/com.google.pixel.camera.hal/lib64/liblyric_hwl.so (pc 973460)
    /apex/com.google.pixel.camera.hal/lib64/liblyric_hwl.so (pc 97356c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc d5e6c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 69a64)

The second crash I received is on Google Pixel Wifi Ext with the following error message. (Let me know if I should create a new issue for this one.)

type: crash
osVersion: google/husky/husky:14/AP1A.240505.005/2024050700:user/release-keys
uid: 1010 (u:r:hal_wifi_ext:s0)
cmdline: /apex/com.google.pixel.wifi.ext/bin/hw/vendor.google.wifi_ext-service-vendor
processUptime: 0s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 400d202bcf61a6c
threadName: binder:920_1
MTE: enabled

backtrace:
    /apex/com.google.pixel.wifi.ext/lib64/libwifi-hal.so (SetLogHandler::cancel()+348, pc 4abac)
    /apex/com.google.pixel.wifi.ext/lib64/libwifi-hal.so (wifi_get_cancel_cmd(int, wifi_interface_info*) (.cfi)+140, pc 2e3ec)
    /apex/com.google.pixel.wifi.ext/bin/hw/vendor.google.wifi_ext-service-vendor (aidl::android::hardware::wifi::WifiChip::stopLoggingToDebugRingBufferInternal()+104, pc 4a968)
    /apex/com.google.pixel.wifi.ext/bin/hw/vendor.google.wifi_ext-service-vendor (aidl::android::hardware::wifi::WifiChip::stopLoggingToDebugRingBuffer()+68, pc 4a8a4)
    /apex/com.google.pixel.wifi.ext/lib64/android.hardware.wifi-V2-ndk.so (aidl::android::hardware::wifi::_aidl_android_hardware_wifi_IWifiChip_onTransact(AIBinder*, unsigned int, AParcel const*, AParcel*)+3896, pc 41e78)
    /system/lib64/libbinder_ndk.so (ABBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+140, pc 1035c)
    /system/lib64/libbinder.so (android::IPCThreadState::executeCommand(int)+1372, pc 54d3c)
    /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+704, pc 53c50)
    /system/lib64/libbinder.so (android::PoolThread::threadLoop()+28, pc 5396c)
    /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+376, pc 14508)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc d5e6c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 69a64)

Let me know if there is something I should export (logs or anything). I'm frequently ensuring I run the latest software updates for both OS and apps.

Best regards
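As an added triage example (not part of this issue or of GrapheneOS' own code): parse the MTE lines of the first tombstone above, strip the pointer tag from `faultAddr`, and check that every `cause:` line describes the same untagged access address. The regexes, field names and the sample excerpt are constructed here; the "right of" relation is assumed from debuggerd's wording and does not appear on this page.

```python
import re

# Constructed excerpt: the MTE-relevant lines of the camera HAL tombstone quoted above.
TOMBSTONE = """\
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr b00de566f4db7d6
cause: [MTE]: Buffer Overflow, 22 bytes into a 504-byte allocation at 0xde566f4db7c0
cause: [MTE]: Buffer Underflow, 5898 bytes left of a 512-byte allocation at 0xde566f4dcee0
cause: [MTE]: Buffer Underflow, 7082 bytes left of a 552-byte allocation at 0xde566f4dd380
MTE: enabled
"""

FAULT_RE = re.compile(r"signal: \d+ \((\w+)\), code \d+ \((\w+)\), faultAddr ([0-9a-f]+)")
CAUSE_RE = re.compile(
    r"cause: \[MTE\]: (Use After Free|Buffer Overflow|Buffer Underflow), "
    r"(\d+) bytes? (into|left of|right of) a (\d+)-byte allocation at 0x([0-9a-f]+)"
)
TAG_SHIFT, TAG_MASK = 56, 0xF  # AArch64 MTE keeps the logical tag in address bits 56..59


def split_tag(addr):
    """Return (tag, untagged address) for a tagged 64-bit pointer."""
    return (addr >> TAG_SHIFT) & TAG_MASK, addr & ((1 << TAG_SHIFT) - 1)


def implied_fault_addr(distance, relation, size, base):
    """Invert the tombstone wording: which address does this cause line describe?"""
    if relation == "left of":
        return base - distance          # access before the allocation start
    if relation == "into":
        return base + distance          # access inside [base, base + size)
    return base + size + distance       # "right of": access past the allocation end


def triage(text):
    """Parse the MTE fields of a tombstone and check the cause lines agree on one access."""
    fault, causes = None, []
    for line in text.splitlines():
        if m := FAULT_RE.match(line):
            fault = {"signal": m[1], "code": m[2], "addr": int(m[3], 16)}
        elif m := CAUSE_RE.match(line):
            kind, dist, rel, size, base = m[1], int(m[2]), m[3], int(m[4]), int(m[5], 16)
            causes.append({"kind": kind, "size": size, "base": base,
                           "access": implied_fault_addr(dist, rel, size, base)})
    tag, untagged = split_tag(fault["addr"])
    return {
        "is_mte_fault": fault["code"] == "SEGV_MTESERR",
        "pointer_tag": tag,
        "fault_addr": untagged,
        "causes": causes,
        # Several candidate allocations may be listed; a coherent report explains one address.
        "consistent": all(c["access"] == untagged for c in causes),
    }
```

On the excerpt above all three cause lines resolve to 0xde566f4db7d6, which is exactly `faultAddr` with its tag nibble (0xb) removed, so the three lines are one access described relative to three neighbouring allocations.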

thestinger commented 6 months ago

These are upstream memory corruption bugs being correctly reported by GrapheneOS. It may crash with the stock OS too. We plan to disable MTE for the camera provider process though.