element-hq / element-x-android

Android Matrix messenger application using the Matrix Rust Sdk and Jetpack Compose
GNU Affero General Public License v3.0

Use after free after opening a recently joined room for the first time. #1740

Open Panther7170 opened 1 year ago

Panther7170 commented 1 year ago

Steps to reproduce

  1. Joined a room through Element
  2. Clicked on the room
  3. Hardened malloc detects a use after free and terminates the process. ElementX.txt (contents of this file copied below)

Outcome

What did you expect?

The room loads.

What happened instead?

The program terminates due to a memory safety bug.

Your phone model

Pixel 6

Operating system version

No response

Application version and app store

Element X 0.24

Homeserver

matrix.org

Will you send logs?

Yes

Are you willing to provide a PR?

No

jonnyandrew commented 1 year ago

Contents of the attached file:

type: crash
osVersion: google/oriole/oriole:14/UP1A.231005.007/2023103100:user/release-keys
package: io.element.android.x:40002040
process: io.element.android.x
processUptime: 0 + 0 ms
installer: com.android.vending

signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'hardened_malloc: fatal allocator error: detected write after free'

backtrace:
      #00 pc 0000000000063ca4  /apex/com.android.runtime/lib64/bionic/libc.so (abort+164) (BuildId: 9eff313ac84c009030196c7e562d7077)
      #01 pc 000000000004dc70  /apex/com.android.runtime/lib64/bionic/libc.so (fatal_error+24) (BuildId: 9eff313ac84c009030196c7e562d7077)
      #02 pc 000000000004aca8  /apex/com.android.runtime/lib64/bionic/libc.so (allocate+1912) (BuildId: 9eff313ac84c009030196c7e562d7077)
      #03 pc 00000000000465f4  /apex/com.android.runtime/lib64/bionic/libc.so (malloc+36) (BuildId: 9eff313ac84c009030196c7e562d7077)
      #04 pc 0000000002d55774  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #05 pc 0000000002c69f60  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #06 pc 0000000002d5598c  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #07 pc 0000000002c91f18  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #08 pc 0000000002ca90c8  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #09 pc 0000000002c70678  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #10 pc 000000000229521c  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #11 pc 00000000022950a8  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #12 pc 0000000002233ec0  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #13 pc 0000000002b62f90  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #14 pc 0000000002b641dc  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #15 pc 0000000002b41b60  /data/app/~~1Mum3RC8LN590tHN9W_6Hw==/io.element.android.x-0IegJ_a7D-9eh4OZoA-1yQ==/split_config.arm64_v8a.apk (offset 0x99f000)
      #16 pc 00000000000d093c  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: 9eff313ac84c009030196c7e562d7077)
      #17 pc 0000000000065570  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 9eff313ac84c009030196c7e562d7077)

jonnyandrew commented 1 year ago

I've marked this issue as minor/uncommon given the crash only occurs under hardened malloc on GrapheneOS (please correct me if I'm wrong @Panther7170).

However, I'll flag this with the security team for review and see if we can upgrade the priority.

jonnyandrew commented 1 year ago

@Panther7170 it will help us if we are able to see the function names and locations in the backtrace. Would you be able to repeat your experiment with a debug build and attach a backtrace with the full information?

Panther7170 commented 1 year ago

Certainly, I can try. Is there any way I can get a debug build matching the app version I have installed?

bmarty commented 1 year ago

Easiest way is to install the application from Android Studio. You can get instructions here: https://github.com/vector-im/element-x-android/blob/develop/CONTRIBUTING.md#compilation
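
Added example, not part of the original thread or the project's code: a small parser for the tombstone layout quoted above that separates the symbolized frames where the allocator raised the abort from the symbol-less APK frames whose addresses still need resolving against an unstripped build. The sample input is constructed, and treating `pc` as relative to the ELF image stored at `(offset ...)` inside the APK is an assumption.

```python
import re
from itertools import takewhile

# Constructed sample in the tombstone layout quoted above (shortened; the APK
# path, addresses and BuildId are placeholders, not values from the report).
SAMPLE = """\
Abort message: 'hardened_malloc: fatal allocator error: detected write after free'
backtrace:
      #00 pc 0000000000063ca4  /apex/com.android.runtime/lib64/bionic/libc.so (abort+164) (BuildId: 00aa)
      #01 pc 00000000000465f4  /apex/com.android.runtime/lib64/bionic/libc.so (malloc+36) (BuildId: 00aa)
      #02 pc 0000000000001a40  /data/app/example/split_config.arm64_v8a.apk (offset 0x2000)
      #03 pc 0000000000001000  /data/app/example/split_config.arm64_v8a.apk (offset 0x2000)
      #04 pc 00000000000d093c  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: 00aa)
"""

ABORT = re.compile(r"^Abort message: '(.*)'$")
FRAME = re.compile(r"^\s*#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)(.*)$")
SYMBOL = re.compile(r"\((\S.*?)\+(\d+)\)")  # "(name+offset)"; name may contain parens
ELF_OFFSET = re.compile(r"\(offset (0x[0-9a-f]+)\)")  # where the ELF starts in the APK (assumed)

def parse_tombstone(text):
    """Return (abort_message, frames) with one dict per backtrace frame."""
    abort, frames = None, []
    for line in text.splitlines():
        if m := ABORT.match(line):
            abort = m.group(1)
        elif m := FRAME.match(line):
            num, pc, path, rest = m.groups()
            sym, off = SYMBOL.search(rest), ELF_OFFSET.search(rest)
            frames.append({"num": int(num), "pc": int(pc, 16), "path": path,
                           "symbol": sym.group(1) if sym else None,
                           "elf_offset": int(off.group(1), 16) if off else 0})
    return abort, frames

def detection_chain(frames):
    """Symbolized frames at the top of the stack, i.e. where the abort was raised."""
    return [f["symbol"] for f in takewhile(lambda f: f["symbol"], frames)]

def unresolved(frames):
    """Group symbol-less frames as (file, ELF offset) -> hex pcs for a symbolizer."""
    groups = {}
    for f in frames:
        if f["symbol"] is None:
            groups.setdefault((f["path"], f["elf_offset"]), []).append(hex(f["pc"]))
    return groups

if __name__ == "__main__":
    abort, frames = parse_tombstone(SAMPLE)
    print(abort, detection_chain(frames), unresolved(frames), sep="\n")
```

In the sample the detection chain is `abort` called from `malloc`, so the APK frames below it are the caller of the allocation during which the allocator noticed the write, not necessarily the code that performed it.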