ONLYOFFICE / documents-app-android

GNU Affero General Public License v3.0

8.0.1 crashes when being run with ARMv8.5 MTE (Memory Tagging) #327

Open FID02 opened 2 months ago

FID02 commented 2 months ago

When running the Onlyoffice app with ARMv8.5 memory tagging enabled, it will crash upon creating and opening a document, with the below error. You will only be able to reproduce this currently on a Google Pixel 8 or Google Pixel 8 Pro device, running GrapheneOS with memory tagging enabled for Onlyoffice.

Notice: This is not a bug with GrapheneOS; it is a memory corruption bug in the Onlyoffice app which is exposed by GrapheneOS. Android will eventually be deploying memory tagging by default, so this needs to be resolved, it cannot be ignored. An engineer with a good understanding of debugging native code needs to deal with this.

Steps to reproduce

  1. Install and open the Onlyoffice app
  2. Complete or skip the first-run wizard
  3. Press the + button to create a new document, and select any document type

The crash occurs during loading of the document.

Additional information

version 8.0.1, com.onlyoffice.documents, versionCode 533

Crash log

type: crash
osVersion: google/shiba/shiba:14/AP1A.240405.002/2024040300:user/release-keys
uid: 10224 (u:r:untrusted_app:s0:c224,c256,c512,c768)
cmdline: com.onlyoffice.documents:DocumentsActivity
processUptime: 5s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 800dc74746c71d0
cause: [MTE]: Buffer Overflow, 32 bytes right of a 32-byte allocation at 0xdc74746c7190
cause: [MTE]: Buffer Underflow, 128 bytes left of a 24-byte allocation at 0xdc74746c7250
cause: [MTE]: Buffer Underflow, 272 bytes left of a 24-byte allocation at 0xdc74746c72e0
threadName: GLThread 38
MTE: enabled

backtrace:
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libkernel.so (NSThreads::CBaseThreadMonitor::GetBaseThread(long const&)+144, pc e7d90)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CThreadsMonitor::CheckAttach()+52, pc 1b24ec)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (JniBaseCallbacks::callback(std::__ndk1::function<void (_JNIEnv*)>)+68, pc 1b22b4)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (JniEditorsCallbacks::callbackCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+112, pc 1bbdb8)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CPlatformController::OnCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+72, pc 1b19a8)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (ASC::CBaseEditorsController::OnEvent(NSEditorApi::CAscMenuEvent*)+228, pc 1adaac)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (ASC::CDEditorController::OnEvent(NSEditorApi::CAscMenuEvent*)+52, pc 1a4414)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CEditorCtrl::OnEventInternal(int, NSJSON::CValue)+636, pc 1fe150)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CWordCtrlEmbed::OnCallMenuEvent(NSCommon::smart_ptr<NSJSBase::CJSValue>, NSCommon::smart_ptr<NSJSBase::CJSValue>)+152, pc 2905bc)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CWordCtrlEmbedAdapter::initFunctions(NSJSBase::CJSEmbedObject*)::'lambda11'(NSJSBase::CJSFunctionArguments*)::operator()(NSJSBase::CJSFunctionArguments*) const+120, pc 264de0)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (NSJSBase::_Call(v8::FunctionCallbackInfo<v8::Value> const&)+300, pc 1734e4)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo)+548, pc 85a46c)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments)+640, pc 859ad0)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)+244, pc 859290)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit+104, pc 758a08)
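Reading the three "[MTE]: Buffer Overflow / Underflow" cause lines above takes a little arithmetic: on arm64 the MTE tag occupies bits 56..59 of the pointer, the faultAddr still carries it, and the allocation addresses in the cause lines are already untagged. The following is an added example, not code from the issue, from ONLYOFFICE or from Android; it copies the fault address and the three candidate allocations from the report, strips the tag, and recomputes the distances the report prints. The "nearest candidate is the most plausible culprit" heuristic in mte_nearest is this example's own assumption, not something the report states.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not ONLYOFFICE or Android code: decoding the MTE cause
 * lines of an Android crash report. On arm64 the MTE allocation tag sits in
 * bits 56..59 of a pointer. The faultAddr in the report still carries that
 * tag; the allocation addresses in the cause lines are already untagged. */

#define MTE_TAG_SHIFT 56
#define MTE_TAG_BITS  0xFULL

typedef enum { MTE_INSIDE = 0, MTE_OVERFLOW = 1, MTE_UNDERFLOW = 2 } mte_kind;

typedef struct {
    uint64_t base;  /* untagged start address of the allocation */
    uint64_t size;  /* allocation size as printed in the report */
} mte_alloc;

/* Values copied from the crash report in the issue (constructed test input). */
static const uint64_t LOG_FAULT = 0x0800dc74746c71d0ULL;   /* faultAddr */
static const mte_alloc LOG_ALLOCS[] = {
    { 0xdc74746c7190ULL, 32 },   /* "32 bytes right of a 32-byte allocation" */
    { 0xdc74746c7250ULL, 24 },   /* "128 bytes left of a 24-byte allocation" */
    { 0xdc74746c72e0ULL, 24 },   /* "272 bytes left of a 24-byte allocation" */
};

uint64_t mte_tag(uint64_t addr)   { return (addr >> MTE_TAG_SHIFT) & MTE_TAG_BITS; }
uint64_t mte_untag(uint64_t addr) { return addr & ((1ULL << MTE_TAG_SHIFT) - 1); }

/* Where does the faulting access fall relative to one allocation? */
mte_kind mte_classify(uint64_t fault, mte_alloc a)
{
    uint64_t f = mte_untag(fault);
    if (f < a.base)           return MTE_UNDERFLOW;
    if (f >= a.base + a.size) return MTE_OVERFLOW;
    return MTE_INSIDE;
}

/* The byte count the report prints: "N bytes right of" is measured from the
 * end of the allocation, "N bytes left of" from its start. */
uint64_t mte_distance(uint64_t fault, mte_alloc a)
{
    uint64_t f = mte_untag(fault);
    switch (mte_classify(fault, a)) {
    case MTE_OVERFLOW:  return f - (a.base + a.size);
    case MTE_UNDERFLOW: return a.base - f;
    default:            return 0;
    }
}

/* Index of the candidate closest to the access. Assumption of this example:
 * when several cause lines are listed, the nearest one is the likeliest bug. */
size_t mte_nearest(uint64_t fault, const mte_alloc *allocs, size_t n)
{
    size_t best = 0;
    for (size_t i = 1; i < n; i++)
        if (mte_distance(fault, allocs[i]) < mte_distance(fault, allocs[best]))
            best = i;
    return best;
}

int main(void)
{
    size_t n = sizeof LOG_ALLOCS / sizeof LOG_ALLOCS[0];
    printf("faultAddr 0x%" PRIx64 ": tag 0x%" PRIx64 ", untagged 0x%" PRIx64 "\n",
           LOG_FAULT, mte_tag(LOG_FAULT), mte_untag(LOG_FAULT));
    for (size_t i = 0; i < n; i++) {
        mte_kind k = mte_classify(LOG_FAULT, LOG_ALLOCS[i]);
        printf("[MTE]: Buffer %s, %" PRIu64 " bytes %s of a %" PRIu64
               "-byte allocation at 0x%" PRIx64 "\n",
               k == MTE_OVERFLOW ? "Overflow" : "Underflow",
               mte_distance(LOG_FAULT, LOG_ALLOCS[i]),
               k == MTE_OVERFLOW ? "right" : "left",
               LOG_ALLOCS[i].size, LOG_ALLOCS[i].base);
    }
    printf("nearest candidate: cause line %zu\n", mte_nearest(LOG_FAULT, LOG_ALLOCS, n) + 1);
    return 0;
}
```

Run with `cc -std=c11 -o mte_decode mte_decode.c && ./mte_decode`; the three printed lines match the report's cause lines, and the nearest candidate is the first one, a write 32 bytes past the end of a 32-byte heap block. On hardware with MTE, an app can request tagging for its own process with `android:memtagMode="sync"` in its manifest (Android 12 and later), which is the setting that makes such an overflow fault at the offending store instead of silently corrupting the neighbouring allocation.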
Andrew-Dudov commented 1 month ago

Hello @FID02. Thank you for your request. I created ticket 68151 with your proposal.