zhanghai / MaterialFiles

Material Design file manager for Android
https://play.google.com/store/apps/details?id=me.zhanghai.android.files
GNU General Public License v3.0
5.83k stars 394 forks

Found Fatal Exception Crashes from Testing #1245

Closed Mai-hh closed 3 months ago

Mai-hh commented 3 months ago

Hi! I'm a student researcher currently working on a project in the area of Android app analysis. As a part of the work centered around Intents, I found a bug that resulted in crashes after analyzing logs/execution traces. Below are the relevant activities, traces, and adb commands that triggered the crashes.

These bugs may be hidden in unexposed Receivers, but they are worth investigating to prevent potential issues down the line and addressing to improve the overall robustness and quality. If anyone can confirm these to be valid bugs first, I would appreciate it, and I can help provide more information as needed.

1. me.zhanghai.android.files.ftpserver.FtpServerReceiver

Execution trace:

01-22 11:46:12.177 27205 27205 E AndroidRuntime: FATAL EXCEPTION: main
01-22 11:46:12.177 27205 27205 E AndroidRuntime: Process: me.zhanghai.android.files, PID: 27205
01-22 11:46:12.177 27205 27205 E AndroidRuntime: java.lang.RuntimeException: Unable to start receiver me.zhanghai.android.files.ftpserver.FtpServerReceiver: java.lang.IllegalArgumentException
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.app.ActivityThread.handleReceiver(ActivityThread.java:4357)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.app.ActivityThread.access$1600(ActivityThread.java:256)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2101)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.os.Looper.loopOnce(Looper.java:201)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:288)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:7842)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1003)
01-22 11:46:12.177 27205 27205 E AndroidRuntime: Caused by: java.lang.IllegalArgumentException
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at me.zhanghai.android.files.ftpserver.FtpServerReceiver.onReceive(:2)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    at android.app.ActivityThread.handleReceiver(ActivityThread.java:4348)
01-22 11:46:12.177 27205 27205 E AndroidRuntime:    ... 9 more

adb command that triggers it:

#!/bin/bash

adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.ftpserver.FtpServerReceiver" 
echo adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.ftpserver.FtpServerReceiver" 
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0
#!/bin/bash

adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.ftpserver.FtpServerReceiver" 
echo adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.ftpserver.FtpServerReceiver" 
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0
adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.ftpserver.FtpServerReceiver"  -a "android.content.Intent"
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0

2. me.zhanghai.android.files.filejob.FileJobReceiver

Execution trace:

01-22 11:46:27.924 27387 27387 E AndroidRuntime: FATAL EXCEPTION: main
01-22 11:46:27.924 27387 27387 E AndroidRuntime: Process: me.zhanghai.android.files, PID: 27387
01-22 11:46:27.924 27387 27387 E AndroidRuntime: java.lang.RuntimeException: Unable to start receiver me.zhanghai.android.files.filejob.FileJobReceiver: java.lang.IllegalArgumentException
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.app.ActivityThread.handleReceiver(ActivityThread.java:4357)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.app.ActivityThread.access$1600(ActivityThread.java:256)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2101)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.os.Looper.loopOnce(Looper.java:201)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:288)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:7842)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1003)
01-22 11:46:27.924 27387 27387 E AndroidRuntime: Caused by: java.lang.IllegalArgumentException
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at me.zhanghai.android.files.filejob.FileJobReceiver.onReceive(:7)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    at android.app.ActivityThread.handleReceiver(ActivityThread.java:4348)
01-22 11:46:27.924 27387 27387 E AndroidRuntime:    ... 9 more

adb command that triggers it:

#!/bin/bash

adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver" 
echo adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver" 
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0
#!/bin/bash

adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver" 
echo adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver" 
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0
adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver"  -a "android.content.Intent"
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0
#!/bin/bash

adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver" --ei jobId 2 
echo adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver" --ei jobId 2 
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0
adb shell su 0 am broadcast -n "me.zhanghai.android.files/me.zhanghai.android.files.filejob.FileJobReceiver" --ei jobId 2  -a "android.content.Intent"
sleep 3.0
adb shell am force-stop me.zhanghai.android.files
sleep 2.0

zhanghai commented 3 months ago

These two receivers are not exported and are only invokable by this app itself normally. I intentionally crash on invalid input which should never happen, and that's why you saw the crashes when you forced an invocation with root.
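
The triage question behind this exchange, as an added example (not code from the issue or from MaterialFiles): given receiver crashes pulled from logcat, which of them sit in components that other apps can actually broadcast to? The manifest below is constructed rather than the project's real one, and `.ExampleBootReceiver` with its crash line is hypothetical, included only to show the contrasting case.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (NOT the project's real file). Two receiver names are from the issue;
# ".ExampleBootReceiver" is hypothetical and shows an implicitly exported component.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="me.zhanghai.android.files">
  <application>
    <receiver android:name=".ftpserver.FtpServerReceiver" android:exported="false" />
    <receiver android:name=".filejob.FileJobReceiver" />
    <receiver android:name=".ExampleBootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Two lines shortened from the traces in the issue, plus one constructed line (the last).
LOGCAT = """\
E AndroidRuntime: java.lang.RuntimeException: Unable to start receiver me.zhanghai.android.files.ftpserver.FtpServerReceiver: java.lang.IllegalArgumentException
E AndroidRuntime: java.lang.RuntimeException: Unable to start receiver me.zhanghai.android.files.filejob.FileJobReceiver: java.lang.IllegalArgumentException
E AndroidRuntime: java.lang.RuntimeException: Unable to start receiver me.zhanghai.android.files.ExampleBootReceiver: java.lang.NullPointerException
"""

CRASH_RE = re.compile(r"Unable to start receiver ([\w.$]+): ([\w.$]+)")

def receiver_exposure(manifest_xml):
    """Return {full class name: True if other apps can broadcast to it}."""
    root = ET.fromstring(manifest_xml)
    exposure = {}
    for rec in root.iter("receiver"):
        name = rec.get(ANDROID + "name", "")
        if name.startswith("."):
            name = root.get("package", "") + name
        exported = rec.get(ANDROID + "exported")
        has_filter = any(child.tag == "intent-filter" for child in rec)
        # Without an explicit android:exported, only a receiver with an intent filter is exported.
        exposure[name] = has_filter if exported is None else exported.lower() == "true"
    return exposure

def triage(logcat_text, manifest_xml):
    """Return sorted (receiver, exception, reachable_by_other_apps) for each distinct crash."""
    exposure = receiver_exposure(manifest_xml)
    return sorted((r, e, exposure.get(r, False)) for r, e in set(CRASH_RE.findall(logcat_text)))

if __name__ == "__main__":
    for rec, exc, reachable in triage(LOGCAT, MANIFEST):
        print(f"{'EXPOSED ' if reachable else 'internal'} {rec} ({exc})")
```

Run it against the merged manifest decoded from the built APK, since library manifests can add or change components. Apps targeting Android 12 (API 31) or later must set `android:exported` explicitly on any receiver that declares an intent filter.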