ONLYOFFICE / documents-app-android

GNU Affero General Public License v3.0

Memory corruption in Onlyoffice Documents: hardware MTE reports a buffer overflow #327

Open FID02 opened 7 months ago

FID02 commented 7 months ago

When running the Onlyoffice app with ARMv8.5 memory tagging enabled, it will crash upon creating and opening a document, with the below error. You will only be able to reproduce this currently on a Google Pixel 8 or Google Pixel 8 Pro device, running GrapheneOS with memory tagging enabled for Onlyoffice.

Notice: This is not a bug in GrapheneOS; it is a memory corruption bug in the Onlyoffice app which is exposed by GrapheneOS. Android will eventually be deploying memory tagging by default, so this needs to be resolved; it cannot be ignored. An engineer with a good understanding of debugging native code needs to deal with this.

Steps to reproduce

  1. Install and open the Onlyoffice app
  2. Complete or skip the first-run wizard
  3. Press the + button to create a new document, and select any document type

The crash occurs during loading of the document.

Additional information

version 8.0.1, com.onlyoffice.documents, versionCode 533

Crash log

type: crash
osVersion: google/shiba/shiba:14/AP1A.240405.002/2024040300:user/release-keys
uid: 10224 (u:r:untrusted_app:s0:c224,c256,c512,c768)
cmdline: com.onlyoffice.documents:DocumentsActivity
processUptime: 5s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 800dc74746c71d0
cause: [MTE]: Buffer Overflow, 32 bytes right of a 32-byte allocation at 0xdc74746c7190
cause: [MTE]: Buffer Underflow, 128 bytes left of a 24-byte allocation at 0xdc74746c7250
cause: [MTE]: Buffer Underflow, 272 bytes left of a 24-byte allocation at 0xdc74746c72e0
threadName: GLThread 38
MTE: enabled

backtrace:
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libkernel.so (NSThreads::CBaseThreadMonitor::GetBaseThread(long const&)+144, pc e7d90)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CThreadsMonitor::CheckAttach()+52, pc 1b24ec)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (JniBaseCallbacks::callback(std::__ndk1::function<void (_JNIEnv*)>)+68, pc 1b22b4)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (JniEditorsCallbacks::callbackCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+112, pc 1bbdb8)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CPlatformController::OnCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+72, pc 1b19a8)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (ASC::CBaseEditorsController::OnEvent(NSEditorApi::CAscMenuEvent*)+228, pc 1adaac)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (ASC::CDEditorController::OnEvent(NSEditorApi::CAscMenuEvent*)+52, pc 1a4414)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CEditorCtrl::OnEventInternal(int, NSJSON::CValue)+636, pc 1fe150)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CWordCtrlEmbed::OnCallMenuEvent(NSCommon::smart_ptr<NSJSBase::CJSValue>, NSCommon::smart_ptr<NSJSBase::CJSValue>)+152, pc 2905bc)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdocs.so (CWordCtrlEmbedAdapter::initFunctions(NSJSBase::CJSEmbedObject*)::'lambda11'(NSJSBase::CJSFunctionArguments*)::operator()(NSJSBase::CJSFunctionArguments*) const+120, pc 264de0)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (NSJSBase::_Call(v8::FunctionCallbackInfo<v8::Value> const&)+300, pc 1734e4)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo)+548, pc 85a46c)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments)+640, pc 859ad0)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)+244, pc 859290)
    /data/app/~~kz_ukYJYI62_tLfBgl76YA==/com.onlyoffice.documents-oR4gE8Yg5yGt2j-M0KuB-g==/lib/arm64/libdoctrenderer.so (Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit+104, pc 758a08)
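The three "cause" lines in the log above are debuggerd's candidate allocations near the fault: MTE knows the tag on the faulting pointer did not match memory, but not which allocation the pointer was originally derived from, so it lists every nearby allocation whose position could explain the access. The Python below is an added triage helper, not code from this issue or from the ONLYOFFICE project. It parses the faultAddr and cause lines (copied from the 8.0.1 log above), strips the tag byte that AArch64 keeps in bits 59:56 of the pointer, and checks that each candidate's stated distance actually reproduces the fault address, which is a quick way to confirm a report was not mangled in transit. The function names and the "nearest allocation first" heuristic are assumptions of this example.

```python
"""Triage helper for Android MTE (SEGV_MTESERR) crash headers.

Added example, not part of the ONLYOFFICE project. The sample text below is
copied from the 8.0.1 crash log in this issue; the layout of the
'cause: [MTE]:' lines follows what debuggerd printed in those logs.
"""
import re

# Lines taken from the first crash log posted in this issue (version 8.0.1).
SAMPLE_8_0_1 = """\
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 800dc74746c71d0
cause: [MTE]: Buffer Overflow, 32 bytes right of a 32-byte allocation at 0xdc74746c7190
cause: [MTE]: Buffer Underflow, 128 bytes left of a 24-byte allocation at 0xdc74746c7250
cause: [MTE]: Buffer Underflow, 272 bytes left of a 24-byte allocation at 0xdc74746c72e0
"""

FAULT_RE = re.compile(r"\bfaultAddr\s+([0-9a-fA-F]+)")
CAUSE_RE = re.compile(
    r"cause: \[MTE\]: Buffer (Overflow|Underflow), (\d+) bytes (?:right|left) "
    r"of a (\d+)-byte allocation at 0x([0-9a-fA-F]+)"
)

TAG_SHIFT = 56          # MTE keeps the 4-bit logical tag in bits 59:56 of the pointer
ADDR_MASK = (1 << TAG_SHIFT) - 1


def split_tag(ptr):
    """Return (untagged address, logical tag) for a tagged AArch64 pointer."""
    return ptr & ADDR_MASK, (ptr >> TAG_SHIFT) & 0xF


def parse_report(text):
    """Pull the fault address and every MTE 'cause' candidate out of a crash header."""
    fault = None
    causes = []
    for line in text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            fault = int(m.group(1), 16)
        m = CAUSE_RE.search(line)
        if m:
            kind, dist, size, base = m.groups()
            causes.append({"kind": kind, "dist": int(dist),
                           "size": int(size), "base": int(base, 16)})
    if fault is None:
        raise ValueError("no faultAddr line in report")
    return fault, causes


def check_causes(fault, causes):
    """Recompute each candidate's claimed distance from the untagged fault address.

    Every candidate line must satisfy base + size + dist == addr (overflow) or
    base - dist == addr (underflow); a mismatch means the report is inconsistent.
    """
    addr, tag = split_tag(fault)
    checked = []
    for c in causes:
        if c["kind"] == "Overflow":
            implied = c["base"] + c["size"] + c["dist"]
        else:
            implied = c["base"] - c["dist"]
        checked.append({**c, "consistent": implied == addr})
    return {"addr": addr, "tag": tag, "causes": checked}


def nearest_candidate(causes):
    """Heuristic (this example's assumption): the allocation closest to the
    fault address is the usual place to start looking for the bad index."""
    return min(causes, key=lambda c: c["dist"])


if __name__ == "__main__":
    fault, causes = parse_report(SAMPLE_8_0_1)
    result = check_causes(fault, causes)
    print(f"fault addr 0x{result['addr']:x}, pointer tag {result['tag']}")
    for c in result["causes"]:
        print(f"  {c['kind']:<9} base 0x{c['base']:x} size {c['size']:>3} "
              f"dist {c['dist']:>4} consistent={c['consistent']}")
    best = nearest_candidate(causes)
    print(f"start with the {best['size']}-byte allocation at 0x{best['base']:x}")
```

Run against the 8.0.1 log the script confirms all three candidates agree on an untagged fault address of 0xdc74746c71d0 with pointer tag 8, and points at the 32-byte allocation 32 bytes to the left as the first thing to inspect; the 8.1.2 and 8.2.0 logs later in this thread check out the same way (two candidates each, one on either side of the fault).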
Andrew-Dudov commented 6 months ago

Hello @FID02 Thank you for your request. I created ticket 68151 with your proposal

Andrew-Dudov commented 3 months ago

Hello @FID02 Is your bug repeated on version 8.1.2?

FID02 commented 3 months ago

> Hello @FID02 Is your bug repeated on version 8.1.2?

Yes, I can reproduce a memory corruption bug on version 8.1.2 with the same steps as noted in my first post.

New crash log from MTE:

type: crash
osVersion: google/shiba/shiba:14/AP2A.240805.005/2024082000:user/release-keys
uid: 10277 (u:r:untrusted_app:s0:c21,c257,c512,c768)
cmdline: com.onlyoffice.documents:DocumentsActivity
processUptime: 3s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 700db78bc11c250
cause: [MTE]: Buffer Overflow, 616 bytes right of a 24-byte allocation at 0xdb78bc11bfd0
cause: [MTE]: Buffer Underflow, 704 bytes left of a 24-byte allocation at 0xdb78bc11c510
threadName: GLThread 37
MTE: enabled

backtrace:
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libkernel.so (NSThreads::CBaseThreadMonitor::GetBaseThread(long const&)+144, pc e6d3c)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdocs.so (CThreadsMonitor::CheckAttach()+52, pc 68d18)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdocs.so (JniBaseCallbacks::callback(std::__ndk1::function<void (_JNIEnv*)>)+68, pc 68ae0)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdocs.so (JniEditorsCallbacks::callbackCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+112, pc 726f8)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdocs.so (virtual thunk to CPlatformController::OnCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t> >)+100, pc b43b4)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libengine.so (ASC::CBaseEditorsController::OnEvent(NSEditorApi::CAscMenuEvent*)+228, pc 212850)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libengine.so (ASC::CDEditorController::OnEvent(NSEditorApi::CAscMenuEvent*)+52, pc 21a014)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libengine.so (CWordEditorCtrl::OnEventInternal(int, NSJSON::CValue)+616, pc 1763c4)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libengine.so (CWordCtrlEmbed::OnCallMenuEvent(NSCommon::smart_ptr<NSJSBase::CJSValue>, NSCommon::smart_ptr<NSJSBase::CJSValue>)+148, pc 84858)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libengine.so (CWordCtrlEmbedAdapter::initFunctions(NSJSBase::CJSEmbedObject*)::'lambda11'(NSJSBase::CJSFunctionArguments*)::operator()(NSJSBase::CJSFunctionArguments*) const+120, pc 10aa38)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdoctrenderer.so (NSJSBase::_Call(v8::FunctionCallbackInfo<v8::Value> const&)+300, pc 173b20)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdoctrenderer.so (v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo)+548, pc 856a8c)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdoctrenderer.so (v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments)+640, pc 8560f0)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdoctrenderer.so (v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)+244, pc 8558b0)
    /data/app/~~AyQDkSdw5r5kOSRDPRMIVA==/com.onlyoffice.documents-XzWrK9XI_h5qXgYky3fSIw==/lib/arm64/libdoctrenderer.so (Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit+104, pc 755028)
Andrew-Dudov commented 4 weeks ago

Hello @FID02 Is your bug repeated on version 8.2.0?

FID02 commented 4 weeks ago

> Hello @FID02 Is your bug repeated on version 8.2.0?

Yes, there is still a memory safety issue in version 8.2.0 that can be triggered with the same steps to reproduce.

I wrote in my first post that this can only be reproduced on GrapheneOS. That's likely wrong; I am reproducing it with equal success when running Onlyoffice with Scudo on GrapheneOS, so I think it should be equally reproducible on a Pixel 8 and 9 series device running Google's stock OS with memory tagging enabled.

MTE backtrace from 8.2.0:

type: crash
package: com.onlyoffice.documents:583, targetSdk 34
osVersion: google/shiba/shiba:15/AP3A.241005.015/2024103100:user/release-keys
uid: 10221 (u:r:untrusted_app:s0:c221,c256,c512,c768)
cmdline: com.onlyoffice.documents:DocumentsActivity
processUptime: 3s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 800c5e5c76879e0
cause: [MTE]: Buffer Overflow, 472 bytes right of a 24-byte allocation at 0xc5e5c76877f0
cause: [MTE]: Buffer Underflow, 512 bytes left of a 24-byte allocation at 0xc5e5c7687be0
threadName: GLThread 38
MTE: enabled

backtrace:
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libkernel.so (NSThreads::CBaseThreadMonitor::GetBaseThread(long const&)+144, pc e6f8c)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdocs.so (CThreadsMonitor::CheckAttach()+52, pc 692f8)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdocs.so (JniBaseCallbacks::callback(std::__ndk1::function<void (_JNIEnv*)>)+68, pc 690c0)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdocs.so (JniEditorsCallbacks::callbackCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t>>)+112, pc 72e44)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdocs.so (virtual thunk to CPlatformController::OnCommentsEvent(int, std::__ndk1::basic_string<wchar_t, std::__ndk1::char_traits<wchar_t>, std::__ndk1::allocator<wchar_t>>)+100, pc b56f4)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libengine.so (ASC::CBaseEditorsController::OnEvent(NSEditorApi::CAscMenuEvent*)+148, pc 215168)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libengine.so (ASC::CDEditorController::OnEvent(NSEditorApi::CAscMenuEvent*)+52, pc 21c964)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libengine.so (CWordEditorCtrl::OnEventInternal(int, NSJSON::CValue)+616, pc 179874)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libengine.so (CWordCtrlEmbed::OnCallMenuEvent(NSCommon::smart_ptr<NSJSBase::CJSValue>, NSCommon::smart_ptr<NSJSBase::CJSValue>)+148, pc 86298)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libengine.so (CWordCtrlEmbedAdapter::initFunctions(NSJSBase::CJSEmbedObject*)::'lambda11'(NSJSBase::CJSFunctionArguments*)::operator()(NSJSBase::CJSFunctionArguments*) const+120, pc 10d71c)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdoctrenderer.so (NSJSBase::_Call(v8::FunctionCallbackInfo<v8::Value> const&)+300, pc 182b74)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdoctrenderer.so (v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo)+548, pc 8748ec)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdoctrenderer.so (v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments)+640, pc 873f50)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdoctrenderer.so (v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)+244, pc 873710)
    /data/app/~~9prmPAHEqLp-_PPK6NDqAw==/com.onlyoffice.documents-yCqKKKG_i7fdhd4lL0RXmg==/lib/arm64/libdoctrenderer.so (Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit+104, pc 772e88)
FID02 commented 3 weeks ago

> Hello @FID02 Is your bug repeated on version 8.2.0?

Have you been able to reproduce the issue?

A reproduction of the issue on a device set up to debug with MTE is likely to produce a more useful stacktrace than I have provided – a stacktrace that a developer with experience in native code debugging might make sense of. Both Arm and Google have published guides aimed at developers on how to set up Google's stock OS with memory tagging support on Pixel 8 and 9 series devices.

Andrew-Dudov commented 3 weeks ago

@FID02 Are you talking about installing chrome os on pixel?

FID02 commented 3 weeks ago

> @FID02 Are you talking about installing chrome os on pixel?

Not at all. I'm talking about debugging memory with memory tagging extension. It's highly relevant in debugging the memory corruption that this GitHub issue is about.

Here are some readings on the topic.

Background and instructional text: https://developer.android.com/ndk/guides/arm-mte

How to enable memory tagging on Google Pixel devices: https://learn.arm.com/learning-paths/smartphones-and-mobile/mte_on_pixel8/

Background with detailed debug instructions: https://developer.arm.com/documentation/108035/0100/Introduction-to-the-Memory-Tagging-Extension

Andrew-Dudov commented 3 weeks ago

> so I think it should be equally reproducible on a Pixel 8 and 9 series device running Google's stock OS with memory tagging enabled.

I'm talking about your phrase "on Pixel 8 and 9 series devices running the standard Google OS". You call ChromeOS the standard Google OS? And are you saying that the bug can be reproduced on this OS that will be installed on Pixel, or only on GrapheneOS with Scudo? Need to check on ChromeOS or only GrapheneOS?

FID02 commented 3 weeks ago

By "standard Google OS" I only meant the OS that is included by default when you buy a Google Pixel device – otherwise known as the stock PixelOS. Sorry, I thought that was clear.

The memory corruption is in the Onlyoffice app, and you will be able to gather stacktraces by running the app on either GrapheneOS or the stock PixelOS. The latter requires memory tagging to be enabled by following one of the guides I linked above. You just need to acquire a Pixel 8 or Pixel 9 series device and follow the documentation on how to enable and debug with memory tagging.

Andrew-Dudov commented 3 weeks ago

I'm sorry, the bug can't be reproduced on Pixel. Crash log is useless for the developer to debug this. I'll write if there is news on your request

FID02 commented 3 weeks ago

> I'm sorry, the bug can't be reproduced on Pixel.

Interesting. The memory safety issue can be reproduced and debugged with Scudo MTE usage on a Pixel that is running GrapheneOS. If it is not debuggable on stock PixelOS, that is unfortunate.

> Crash log is useless for the developer to debug this.

It probably is. Will a tombstone be slightly more useful? I'm attaching one that I gathered today from running adb bugreport immediately after having reproduced the issue on GrapheneOS again. tombstone_01.txt