Linaro / OpenCSD

CoreSight trace stream decoder developed openly
https://github.com/Linaro/opencsd/wiki

Use after free in TrcPktDecodeEtmV4I::mispredictAtom #53

Closed yabinc closed 1 year ago

yabinc commented 1 year ago

The problem was reported in Android, but not reproduced by real ETM data.

In TrcPktDecodeEtmV4I::mispredictAtom, there is a loop calling m_P0_stack.from_front_next() and m_P0_stack.erase_curr_from_front(). In m_P0_stack, it uses m_iter to point to the next TrcStackElem to read. The problem happens in the following case: 1) pElem points to the last element in m_P0_stack, m_P0_stack.m_iter == m_P0_stack.m_P0_stack.end(). 2) pElem->getP0Type() == P0_ADDR.

Since pElem->getP0Type() == P0_ADDR, m_P0_stack.erase_curr_from_front() is called. After the call, m_P0_stack.m_iter points to one position past m_P0_stack.m_P0_stack.end(). Then *m_iter is read in m_P0_stack.from_front_next().

From https://en.cppreference.com/w/cpp/container/deque/erase: All iterators and references are invalidated after erase. So a fix suggestion is: m_iter = m_P0_stack.erase(erase_iter);
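The container behaviour described in the report, as an added example that is not OpenCSD's own code: a minimal model of m_P0_stack whose cursor is re-seated from the iterator std::deque::erase returns, driven through the failing case (last element is P0_ADDR, cursor already at end()). The names P0Stack, StackElem and dropLeadingAddrElems are assumptions for illustration.

```cpp
#include <cstddef>
#include <deque>
// Constructed stand-in for OpenCSD's P0 stack element (names follow the issue, not the library).
enum class P0Type { Addr, Atom };
struct StackElem { P0Type type; int id; };

// Minimal model of m_P0_stack: a std::deque plus a cursor (m_iter) to the next element to read.
class P0Stack {
public:
    void push_front(StackElem e) { m_stack.push_front(e); }
    void from_front_init() { m_iter = m_stack.begin(); }
    // Next element from the front (advances the cursor); nullptr at the end.
    const StackElem* from_front_next() {
        if (m_iter == m_stack.end()) return nullptr;
        return &*m_iter++;
    }
    // Erase the element just returned by from_front_next(). std::deque::erase invalidates
    // every iterator, so the cursor is re-seated from erase()'s return value (the v1.4.1 fix).
    void erase_curr_from_front() {
        auto erase_iter = m_iter;
        --erase_iter;
        m_iter = m_stack.erase(erase_iter);
    }
    std::size_t size() const { return m_stack.size(); }
private:
    std::deque<StackElem> m_stack;
    std::deque<StackElem>::iterator m_iter;
};

// Models the loop in mispredictAtom(): discard P0_ADDR elements from the front until a
// non-address element or the end is reached. Returns the number discarded.
int dropLeadingAddrElems(P0Stack& stack) {
    int dropped = 0;
    stack.from_front_init();
    const StackElem* pElem = stack.from_front_next();
    while (pElem && pElem->type == P0Type::Addr) {
        stack.erase_curr_from_front();
        ++dropped;
        pElem = stack.from_front_next();  // safe: cursor re-seated by the erase
    }
    return dropped;
}
// The issue's case: the last (here only) element is P0_ADDR, so the cursor is already at
// end() when that element is erased. Returns the elements left afterwards (0).
std::size_t remainingAfterIssueCase() {
    P0Stack s;
    s.push_front({P0Type::Addr, 1});
    dropLeadingAddrElems(s);
    return s.size();
}
```

Compiling with -fsanitize=address is the quickest way to confirm that a version of erase_curr_from_front() which does not reassign m_iter reads freed memory in this case.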

mikel-armbb commented 1 year ago

Hi,

Agreed. Will fix next release

Mike

mikel-armbb commented 1 year ago

fixed on v1.4.1

yabinc commented 1 year ago

Thanks for the fix!