GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

MTE issue with Microsoft Teams #4267

Closed snrkl closed 3 weeks ago

snrkl commented 3 weeks ago

MTE crash in MS Teams running from a Private profile.

type: crash
userType: profile.private
flags: dev options enabled
package: com.microsoft.teams:2024193125, targetSdk 34
osVersion: google/husky/husky:15/AP3A.241005.015/2024103100:user/release-keys
uid: 1210198 (u:r:untrusted_app:s0:c198,c256,c524,c768)
cmdline: com.microsoft.teams
processUptime: 37s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr bd983a2692a0
threadName: Thread-37
MTE: enabled

backtrace:
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 1368820)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc dd5770)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc e37784)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc e37690)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc f520f4)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc ffe184)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 10018d0)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 923e2c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 923840)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 91bce8)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 85b268)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 85acec)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 80563c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 807f9c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 807f5c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 1372818)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+200, pc 7bac8)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 6b6d4)
snrkl commented 3 weeks ago

Same crash occurs in a work profile...

type: crash
userType: profile.managed
flags: dev options enabled
package: com.microsoft.teams:2024193125, targetSdk 34
osVersion: google/husky/husky:15/AP3A.241005.015/2024103100:user/release-keys
uid: 1010198 (u:r:untrusted_app:s0:c198,c256,c522,c768)
cmdline: com.microsoft.teams
processUptime: 3s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr c67989b507a0
threadName: Thread-36
MTE: enabled

backtrace:
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 1368820)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc dd5770)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc e37784)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc e37690)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc f520f4)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc ffe184)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 10018d0)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 923e2c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 923840)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 91bce8)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 85b268)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 85acec)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 80563c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 807f9c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 807f5c)
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 1372818)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+200, pc 7bac8)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 6b6d4)
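One way to triage reports in the format shown above, as an added example that is not GrapheneOS code: it parses the key: value header, decodes the signal line, flags SEGV_MTESERR / SEGV_MTEAERR as MTE tag-check faults, and attributes the crash to the first app-owned backtrace frame. The sample report is a constructed, trimmed copy of the first report above.

```python
import re

# Constructed sample in the layout of the reports above; only two backtrace frames are kept.
SAMPLE_REPORT = """\
type: crash
userType: profile.private
package: com.microsoft.teams:2024193125, targetSdk 34

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr bd983a2692a0
MTE: enabled

backtrace:
    /data/app/~~EFYBS9mfSZOLzbYJ8aGsCQ==/com.microsoft.teams-TEflvvLZI54B3dkKMVNi_g==/split_config.arm64_v8a.apk!libRtmMediaManagerDyn.so (pc 1368820)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 6b6d4)
"""

# SIGSEGV si_code names Linux uses for MTE tag-check faults:
# SEGV_MTEAERR (8) for asynchronous mode, SEGV_MTESERR (9) for synchronous mode.
MTE_CODES = {"SEGV_MTEAERR": "async", "SEGV_MTESERR": "sync"}
SIGNAL_RE = re.compile(r"(\d+) \((\w+)\), code (\d+) \((\w+)\)(?:, faultAddr ([0-9a-f]+))?")
# Frame layout: "<path>[!<lib>] ([<symbol>, ]pc <hex>)"
FRAME_RE = re.compile(r"^\s+(\S+?)(?:!(\S+))? \((?:(.+?), )?pc ([0-9a-f]+)\)$")

def parse_report(text):
    """Split a report into header fields, the decoded signal line and backtrace frames."""
    fields, frames, in_backtrace = {}, [], False
    for line in text.splitlines():
        if in_backtrace:
            m = FRAME_RE.match(line)
            if m:
                path, lib, symbol, pc = m.groups()
                frames.append({"path": path, "lib": lib or path.rsplit("/", 1)[-1],
                               "symbol": symbol, "pc": int(pc, 16)})
        elif line.startswith("backtrace:"):
            in_backtrace = True
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    m = SIGNAL_RE.match(fields.get("signal", ""))
    signal = m and {"signame": m.group(2), "code": int(m.group(3)),
                    "codename": m.group(4), "faultAddr": m.group(5)}
    return {"fields": fields, "signal": signal, "frames": frames}

def classify(report):
    """Return (kind, lib): 'mte-sync'/'mte-async'/'other' and the first /data/app frame (app code)."""
    sig = report["signal"]
    mte = sig and sig["signame"] == "SIGSEGV" and MTE_CODES.get(sig["codename"])
    kind = "mte-" + mte if mte else "other"
    app_lib = next((f["lib"] for f in report["frames"] if f["path"].startswith("/data/app/")), None)
    return kind, app_lib
```

Frames under /apex or /system are bionic or platform code; the first frame under /data/app is the library the vendor needs to fix, which is what the thread concludes here.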
FID02 commented 3 weeks ago

@snrkl You might want to see my post on this issue: https://discuss.grapheneos.org/d/16069-microsoft-teams-memory-corruption-bug-uncovered-by-mte-usage-on-grapheneos

It's a memory safety issue that Microsoft will have to fix.

snrkl commented 3 weeks ago

Yep.. I understand it is an MS flaw to fix (as are all MTE picked up things, AFAIK...)

I seem to recall @thestinger suggesting that they really do want GOS users submitting MTE dumps when this happens, as it helps them in some way... Maybe it is just understanding the impacts of MTE as a feature on popular apps in the wild, or maybe it helps them understand which apps need to have MTE disabled by default to aid compatibility? unsure.. I just try to log what I can when I can...

thestinger commented 3 weeks ago

@snrkl Does it work with MTE disabled? We could add a default exception.

snrkl commented 3 weeks ago

> @snrkl Does it work with MTE disabled? We could add a default exception.

Yes, it does..