dterletskiy / carpc

Component Architecture RPC Framework
MIT License

[BUG] Memory corruption in IRunnable.cpp #21

Closed svlad-90 closed 2 years ago

svlad-90 commented 2 years ago

The following line is causing a memory corruption: https://github.com/dterletskiy/carpc/blob/main/runtime/imp/carpc/comm/async/runnable/IRunnable.cpp#L29

According to AddressSanitizer:

09-15 17:42:19.242 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: =================================================================
09-15 17:42:19.242 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: ==12762==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7a12a42fafcc at pc 0x7a1545d5274c bp 0x7a1534efb530 sp 0x7a1534efb528
09-15 17:42:19.243 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: WRITE of size 4 at 0x7a12a42fafcc thread T1
09-15 17:42:19.246 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #0 0x7a1545d5274b  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0xdf74b)
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #1 0x7a1545cf3152  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0x80152)
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #2 0x7a1545cf1e54  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0x7ee54)
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #3 0x7a1545d5aa95  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0xe7a95)
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #4 0x7a153b7cd53a  (/apex/com.android.runtime/lib64/bionic/libc.so+0xc753a)
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #5 0x7a153b765cc7  (/apex/com.android.runtime/lib64/bionic/libc.so+0x5fcc7)
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: Address 0x7a12a42fafcc is located in stack of thread T6 (HwBinder:12762_)
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:  at offset 236 in frame
09-15 17:42:19.247 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #0 0x7a1545d1c0ff  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0xa90ff)
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   This frame has 9 object(s):
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [32, 80) 'ref.tmp.i'
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [112, 176) 'agg.tmp.i'
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [208, 224) 'ref.tmp' (line 18)
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [240, 241) 'ref.tmp5' (line 20) <== Memory access at offset 236 underflows this variable
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [256, 280) 'ref.tmp6' (line 20)
09-15 17:42:19.248 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [320, 344) 'ref.tmp8' (line 20)
09-15 17:42:19.254 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [384, 400) 'ref.tmp9' (line 20)
09-15 17:42:19.254 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [416, 544) 'cond_var' (line 29)
09-15 17:42:19.254 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     [576, 640) 'operation_wrapper' (line 32)
09-15 17:42:19.255 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
09-15 17:42:19.255 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:       (longjmp and C++ exceptions *are* supported)
09-15 17:42:19.255 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: Thread T6 (HwBinder:12762_) created by T1 here:
09-15 17:42:19.255 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #0 0x7a1539912b1a  (/system/lib64/libclang_rt.asan-x86_64-android.so+0xa8b1a)
09-15 17:42:19.255 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #1 0x7a15485db1ad  (/apex/com.android.vndk.v32/lib64/libutils.so+0x131ad)
09-15 17:42:19.256 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:
09-15 17:42:19.256 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: Thread T1 created by T0 here:
09-15 17:42:19.256 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #0 0x7a1539912b1a  (/system/lib64/libclang_rt.asan-x86_64-android.so+0xa8b1a)
09-15 17:42:19.257 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #1 0x7a1545d5aeeb  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0xe7eeb)
09-15 17:42:19.257 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #2 0x7a1545cf43bb  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0x813bb)
09-15 17:42:19.257 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #3 0x7a1545cccc05  (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0x59c05)
09-15 17:42:19.257 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #4 0x5cccebbfb9db  (/vendor/bin/comp/comp_android.hardware.automotive.vehicle@2.0-service+0x5f9db)
09-15 17:42:19.258 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #5 0x5cccebbfc7fc  (/vendor/bin/comp/comp_android.hardware.automotive.vehicle@2.0-service+0x607fc)
09-15 17:42:19.258 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:     #6 0x7a153b755fb9  (/apex/com.android.runtime/lib64/bionic/libc.so+0x4ffb9)
09-15 17:42:19.258 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:
09-15 17:42:19.259 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: SUMMARY: AddressSanitizer: stack-buffer-overflow (/data/asan/vendor/lib64/tda.carpc.framework.shared.so+0xdf74b)
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: Shadow bytes around the buggy address:
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d48575a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d48575b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d48575c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d48575d0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d48575e0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: =>0x0f42d48575f0: f8 f8 f2 f2 f2 f2 f8 f8 f2[f2]f8 f2 f8 f8 f8 f2
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d4857600: f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f2 f2
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d4857610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d4857620: f2 f2 f2 f2 00 00 00 00 00 00 00 00 f3 f3 f3 f3
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d4857630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   0x0f42d4857640: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: Shadow byte legend (one shadow byte represents 8 application bytes):
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Addressable:           00
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Partially addressable: 01 02 03 04 05 06 07
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Heap left redzone:       fa
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Freed heap region:       fd
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Stack left redzone:      f1
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Stack mid redzone:       f2
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Stack right redzone:     f3
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Stack after return:      f5
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Stack use after scope:   f8
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Global redzone:          f9
09-15 17:42:19.263 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Global init order:       f6
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Poisoned by user:        f7
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Container overflow:      fc
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Array cookie:            ac
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Intra object redzone:    bb
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   ASan internal:           fe
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Left alloca redzone:     ca
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Right alloca redzone:    cb
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service:   Shadow gap:              cc
09-15 17:42:19.264 12762 12769 I comp_android.hardware.automotive.vehicle@2.0-service: ==12762==ABORTING

The condition variable should stay alive as long as any of the threads is using it. But, currently, the following happens:

  1. Thread 1 is in "wait"
  2. Thread 2 calls "notify"
  3. Thread 1 awakes, goes out of "wait" and out of the outer function, and destroys the condition variable instance, which was created on the stack
  4. Thread 2 is still inside "notify" and is using the already destroyed instance of the condition variable

The fix is quite trivial - create a shared_ptr to the ConditionVariable and capture it inside the operation_wrapper lambda, in order to prolong the life of the ConditionVariable until the required point in time.
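The race in the numbered list above, as an added example that is not part of the issue or of the carpc code base: a toy `Worker` (invented here) stands in for the framework's executing thread, `run_sync_stack` reproduces the stack-lifetime pattern the report describes and is kept only for comparison (it is never called), and `run_sync_shared` applies the proposed fix by moving the condition variable into a `shared_ptr` that the posted lambda captures by value. `Worker`, `SyncState` and the `run_sync_*` names are assumptions for this example, not carpc identifiers.

```cpp
#include <condition_variable>
#include <deque>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>

// Toy worker thread (invented for this example) that executes posted operations in order.
// It stands in for the executing thread of the framework; nothing here is carpc code.
class Worker {
public:
    Worker() : thread_([this] { loop(); }) {}
    ~Worker() {
        { std::lock_guard<std::mutex> lk(m_); stop_ = true; }
        cv_.notify_all();
        thread_.join();
    }
    void post(std::function<void()> op) {
        { std::lock_guard<std::mutex> lk(m_); queue_.push_back(std::move(op)); }
        cv_.notify_one();
    }

private:
    void loop() {
        for (;;) {
            std::function<void()> op;
            {
                std::unique_lock<std::mutex> lk(m_);
                cv_.wait(lk, [this] { return stop_ || !queue_.empty(); });
                if (queue_.empty()) return;  // stop requested and nothing left to run
                op = std::move(queue_.front());
                queue_.pop_front();
            }
            op();
        }
    }
    std::mutex m_;
    std::condition_variable cv_;
    std::deque<std::function<void()>> queue_;
    bool stop_ = false;
    std::thread thread_;  // declared last: the members above exist before the thread starts
};

// Everything the waiter and the notifier share, so that one owner controls its lifetime.
struct SyncState {
    std::mutex m;
    std::condition_variable cv;
    bool done = false;
    int result = 0;
};

// Pattern from the report (kept for comparison only; NOT called): the condition variable
// lives on the caller's stack. The worker sets done=true and releases the mutex; the caller
// wakes (a spurious wake-up is enough), sees done=true, returns and destroys `state`; the
// worker then executes notify_one() on a destroyed condition variable, which is the stack
// write that the ASan report above describes.
int run_sync_stack(Worker& worker, std::function<int()> op) {
    SyncState state;  // destroyed as soon as this function returns
    worker.post([&state, op] {
        {
            std::lock_guard<std::mutex> lk(state.m);
            state.result = op();
            state.done = true;
        }
        state.cv.notify_one();  // may run after `state` no longer exists: undefined behaviour
    });
    std::unique_lock<std::mutex> lk(state.m);
    state.cv.wait(lk, [&] { return state.done; });
    return state.result;
}

// Fixed pattern: the state is heap-allocated and the posted lambda captures the shared_ptr by
// value, so the worker owns a reference until the whole lambda, notify_one() included, has
// finished. Whichever side drops the last reference destroys the condition variable, and that
// can never happen while the other side is still using it.
int run_sync_shared(Worker& worker, std::function<int()> op) {
    auto state = std::make_shared<SyncState>();
    worker.post([state, op] {
        {
            std::lock_guard<std::mutex> lk(state->m);
            state->result = op();
            state->done = true;
        }
        state->cv.notify_one();  // `state` is alive here: this lambda holds a reference
    });
    std::unique_lock<std::mutex> lk(state->m);
    state->cv.wait(lk, [&] { return state->done; });
    return state->result;
}

// Repeats the synchronous round trip `count` times and returns 0 + 1 + ... + (count - 1).
// Running this loop under ASan or TSan is the cheap way to confirm the lifetime fix holds.
long run_sync_many(Worker& worker, int count) {
    long sum = 0;
    for (int i = 0; i < count; ++i) sum += run_sync_shared(worker, [i] { return i; });
    return sum;
}
```

Build with `-fsanitize=address -pthread` (or `-fsanitize=thread`) to check the fixed path; the shared_ptr capture is the approach the issue proposes. Moving `notify_one()` under the same mutex that protects `done` would also close this particular window, because the waiter could not observe `done == true` before the notifier has finished, but it does not protect against other code paths that keep a reference to the stack object, which is why owning the state through a `shared_ptr` is the more general fix.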

dterletskiy commented 2 years ago

Fixed in version 3.10.8 (commit 587b57e2547a48d7a89b2d1d7c6a3b2d7860c87b)