GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

SIGSEGV null pointer dereference in Bluetooth Audio Latency Configuration #3585

Open davidhaley opened 3 months ago

davidhaley commented 3 months ago

I was trying to connect wireless earbuds, stopped, switched profiles a few minutes later, and then noticed a notification for this crash.

type: crash
osVersion: google/raven/raven:14/AP1A.240505.004/2024052100:user/release-keys
uid: 1002 (u:r:bluetooth:s0)
cmdline: com.android.bluetooth
processUptime: 0s

signal: 11 (SIGSEGV), code 1 (SEGV_MAPERR), faultAddr 0
cause: null pointer dereference
threadName: e.StateMachines

backtrace:
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::audio::aidl::BluetoothAudioClientInterface::SetAllowedLatencyModes(std::__1::vector<aidl::android::hardware::bluetooth::audio::LatencyMode, std::__1::allocator<aidl::android::hardware::bluetooth::audio::LatencyMode> >)+820, pc 7514c4)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::audio::aidl::a2dp::set_low_latency_mode_allowed(bool)+316, pc 73599c)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (allow_low_latency_audio(bool, RawAddress const&)+96, pc 3a7120)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (android::allowLowLatencyAudioNative(_JNIEnv*, _jobject*, unsigned char, _jbyteArray*)+164, pc 3752f4)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (art_jni_trampoline+132, pc 2e15d4)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (com.android.bluetooth.btservice.AdapterNativeInterface.allowLowLatencyAudio+44, pc 2e200c)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (com.android.bluetooth.btservice.AdapterService.allowLowLatencyAudio+116, pc 30a5d4)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (com.android.bluetooth.a2dp.A2dpService.updateLowLatencyAudioSupport+480, pc 63d000)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (com.android.bluetooth.a2dp.A2dpStateMachine.processCodecConfigEvent+1132, pc 6405ac)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (com.android.bluetooth.a2dp.A2dpStateMachine$Connected.processMessage+1468, pc 8a98cc)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (com.android.bluetooth.x.com.android.internal.util.StateMachine$SmHandler.processMsg+372, pc 575ff4)
    /data/dalvik-cache/arm64/apex@com.android.btservices@app@Bluetooth@AP1A.240505.004@Bluetooth.apk@classes.dex (com.android.bluetooth.x.com.android.internal.util.StateMachine$SmHandler.handleMessage+632, pc 575258)
    /system/framework/arm64/boot-framework.oat (android.os.Handler.dispatchMessage+152, pc 5360a8)
    /system/framework/arm64/boot-framework.oat (android.os.Looper.loopOnce+980, pc 539114)
    /system/framework/arm64/boot-framework.oat (android.os.Looper.loop+244, pc 538cc4)
    /system/framework/arm64/boot-framework.oat (android.os.HandlerThread.run+548, pc 538074)
    /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612, pc 3e1d74)
    /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+220, pc 3c60ec)
    /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1656, pc 4d2cb8)
    /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+8, pc 4d2628)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc cf93c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64, pc 66730)

hpsaturn commented 1 week ago

Hi, I have a similar issue in my app. I'm not sure, but I think that this issue was not in the previous versions of GrapheneOS. I'm going to prove that. In my case I have a similar output around the native sound libraries using the Oboe library when I perform a Bluetooth switch off/on. I also have some messages around the Bluetooth headset interface like:

12:01:17.548 HeadsetSystemInterface  com...roid.bluetooth  E  getSubscriberNumber() failed: mBluetoothInCallService is null
12:01:17.548 HeadsetSystemInterface  com...roid.bluetooth  I  Try to get phone number without mBluetoothInCallService.
12:01:17.548 bluetooth               com...roid.bluetooth  I  bta_ag_better_state_machine: Opening sco for EVT BTA_AG_SCO_OPEN_EVT
12:01:17.548 bluetooth               com...roid.bluetooth  I  bta_ag_sco_event: device:xx:xx:xx:xx:29:89 index:0x0000 state:BTA_AG_SCO_OPENING_ST[3] event:BTA_AG_SCO_CONN_OPEN_E[7]
12:01:17.548 bluetooth               com...roid.bluetooth  W  bta_ag_sco_event: SCO_state_change: [BTA_AG_SCO_OPENING_ST(0x03)]->[BTA_AG_SCO_OPEN_ST(0x06)] after event [BTA_AG_SCO_CONN_OPEN_E(0x07)]
12:01:17.548 BluetoothH...ServiceJni com...roid.bluetooth  I  AudioStateCallback: 2 for xx:xx:xx:xx:29:89

And the native crash is also a "null pointer dereference", maybe of the system sound library in my case, but all of it here is around the Bluetooth headset.

A  ABI: 'arm64'
A  Process uptime: 34s
A  tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
A  signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000000
A  Cause: null pointer dereference
A      x0  0000000000000000  x1  b400cd33e06ac7f0  x2  b400cd68b34853de  x3  b400cd68b34853e0
A      x4  b400cd68b3485200  x5  000000006d8d9e5a  x6  0000000079622d32  x7  000000003320646e
A      x8  b400cd33e06ac748  x9  0000000000000001  x10 0000000000000000  x11 0000000000013200
A      x12 0000000000000aeb  x13 0000000000000000  x14 00000000421a3242  x15 00000000024984a9
A      x16 0000cc611d987220  x17 0000cf9a0f72e8d0  x18 0000cc605eec8000  x19 0000cc60606c0000
A      x20 0000cf9a0f7af000  x21 0000cc60606c0000  x22 0000000000001811  x23 000000000000177b
A      x24 0000cc60606c0000  x25 0000cc6060464d90  x26 0000cc60606c1030  x27 0000000000a78000
A      x28 0000000000a58000  x29 0000cc60604649a0
A      lr  0000cc61184b93a4  sp  0000cc6060464900  pc  0000cc61184b93a4  pst 0000000060001000
A  12 total frames
A  backtrace:
A        #00 pc 00000000000373a4  /base.apk!libsystemsound.so (offset 0x2005000) (AndroidAudioDeviceManager::start_recording()+368) (BuildId: dde9dc177472c52a527db7ff32ecfc54b9bc606e)
A        #01 pc 00000000000c2ca8  /base.apk!libnative-lib.so (offset 0x1cc4000) (AndroidAudioDevice::record(std::__ndk1::vector<short, std::__ndk1::allocator<short> >&)+60) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A        #02 pc 00000000003db9dc  /base.apk!libclientlib.so (offset 0x13a2000) (WebRtcAudioProcessingDevice::record(std::__ndk1::vector<short, std::__ndk1::allocator<short> >&)+108) (BuildId: 5d5df3f1860b7d3e0c13b43a11f7adad023fee58)
A        #03 pc 00000000003a2fa0  /base.apk!libclientlib.so (offset 0x13a2000) (record::service()+148) (BuildId: 5d5df3f1860b7d3e0c13b43a11f7adad023fee58)
A        #04 pc 0000000000086dac  /base.apk!libnative-lib.so (offset 0x1cc4000) (process::operator()()+308) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A        #05 pc 0000000000086c3c  /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A        #06 pc 0000000000086c14  /base.apk!libnative-lib.so (offset 0x1cc4000) (std::__ndk1::__invoke_of<process&>::type std::__ndk1::reference_wrapper<process>::operator()<>() const+24) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A        #07 pc 0000000000086bb0  /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A        #08 pc 0000000000086b10  /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A        #09 pc 00000000000864a4  /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: 73001af52afe078da681e0d6dcd9ddcc317d5013)
A        #10 pc 000000000007635c  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: 7193576d5829f1a9df65e69f55c40039)
A        #11 pc 0000000000067d90  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 7193576d5829f1a9df65e69f55c40039)
E  Tombstone written to: tombstone_41

thestinger commented 1 week ago

@hpsaturn Doesn't look related.

hpsaturn commented 1 week ago

I think that yes. Of course the backtraces are different and it seems that there is no relation, but both outputs are JNI implementations; in the first case it is libbluetooth_jni.so, which is an implementation that uses the low latency audio library. From the original output of @davidhaley we have:

 /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::audio::aidl::BluetoothAudioClientInterface::SetAllowedLatencyModes(std::__1::vector<aidl::android::hardware::bluetooth::audio::LatencyMode, std::__1::allocator<aidl::android::hardware::bluetooth::audio::LatencyMode> >)+820, pc 7514c4)

In my case, my implementation also uses the Oboe library, which is the same low latency audio of the system; it is an abstraction of the aaudio library. On the other hand, both apps have the same behavior after the Bluetooth connection state changes. In my backtrace you can see the calls of my audiomanager that uses the same low level library as libbluetooth_jni.so, and both apps have the same cause: null pointer dereference.
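
A triage helper for comparing the two crash reports in this thread, as an added example (not code from the original thread or from GrapheneOS): it parses both the GrapheneOS crash-notification format and the logcat tombstone format into signal, fault address and backtrace frames, flags a page-zero fault as a likely null dereference, and checks whether two reports share a top frame. The samples are constructed excerpts of the reports above with truncated symbols and placeholder BuildIds; reading the fault address as hex in both formats is an assumption.

```python
import re
# Constructed excerpts modelled on the two reports in this thread (frames truncated, BuildId placeholders).
GRAPHENE_REPORT = """\
signal: 11 (SIGSEGV), code 1 (SEGV_MAPERR), faultAddr 0
cause: null pointer dereference
backtrace:
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::audio::aidl::BluetoothAudioClientInterface::SetAllowedLatencyModes(std::__1::vector<LatencyMode>)+820, pc 7514c4)
    /apex/com.android.btservices/lib64/libbluetooth_jni.so (bluetooth::audio::aidl::a2dp::set_low_latency_mode_allowed(bool)+316, pc 73599c)
"""
TOMBSTONE = """\
A  signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000000
A  Cause: null pointer dereference
A  backtrace:
A        #00 pc 00000000000373a4  /base.apk!libsystemsound.so (offset 0x2005000) (AndroidAudioDeviceManager::start_recording()+368) (BuildId: PLACEHOLDER)
A        #01 pc 00000000000c2ca8  /base.apk!libnative-lib.so (offset 0x1cc4000) (BuildId: PLACEHOLDER)
"""

# Matches both "faultAddr 0" and "fault addr 0x..."; the address is read as hex in both cases (assumption).
SIGNAL_RE = re.compile(r"signal:?\s+(\d+)\s+\((\w+)\),\s+code\s+(\d+)\s+\((\w+)\),\s+fault\s?[aA]ddr:?\s+(?:0x)?([0-9a-fA-F]+)")
LIB_RE = re.compile(r"(/\S+\.(?:so|oat|dex|apk))")
# First "(symbol+offset" group that is not the "(offset ...)" or "(BuildId: ...)" annotation of a tombstone.
SYM_RE = re.compile(r"\((?!offset |BuildId: )([A-Za-z_:~][^+]*?)\+\d+")
PAGE_SIZE = 4096  # a fault inside page zero is treated as null-pointer-based (heuristic)

def parse_frame(line):
    lib = LIB_RE.search(line)
    sym = SYM_RE.search(line)
    return {"lib": re.split(r"[/!]", lib.group(1))[-1] if lib else "??",
            "symbol": sym.group(1) if sym else "??"}

def parse_crash(text):
    """Return signal/fault info plus the backtrace frames from either report format."""
    m = SIGNAL_RE.search(text)
    if not m:
        raise ValueError("no signal line found")
    frames, in_bt = [], False
    for raw in text.splitlines():
        line = raw[3:] if raw.startswith("A  ") else raw  # strip the logcat 'A  ' prefix
        if line.strip() == "backtrace:":
            in_bt = True
        elif in_bt and line.strip():
            frames.append(parse_frame(line))
    addr = int(m.group(5), 16)
    kind = "likely null pointer dereference" if addr < PAGE_SIZE else "non-null fault; check for memory corruption"
    return {"signal": int(m.group(1)), "signame": m.group(2), "code": m.group(4),
            "fault_addr": addr, "kind": kind, "frames": frames}

def same_crash_site(a, b):
    """True only when both reports fault in the same library and top-level symbol."""
    return a["frames"][0] == b["frames"][0]
```

Running `same_crash_site(parse_crash(GRAPHENE_REPORT), parse_crash(TOMBSTONE))` returns False: both are page-zero SIGSEGVs, but the faulting library and symbol differ, which is the distinction drawn in this thread.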

thestinger commented 1 week ago

Did you try using exploit protection compatibility mode, specifically disabling hardened_malloc for the app?