| author | Lin Lee <linlee@google.com> | 2023-08-07 09:34:41 +0000 |
|---|---|---|
| committer | Julian Veit <Claymore1298@gmail.com> | 2024-01-03 10:59:17 +0100 |
| commit | f0a5a60e2b27266c376e0b98284bdd139bb73740 (patch) | |
| tree | 8609eece3e680a219e1d7e14f68fe1592620faeb | |
| parent | c3f365dc31144a2db5fa6d0a3371c0df202c0dc7 (diff) | |
Fix Heap-use-after-free in MDnsSdListener::Monitor::runs12.1
Use a thread join to avoid the thread exiting after the instance has been
recycled.
Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds.
Test: m, fuzzing
Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer
Bug: 272382770
Ignore-AOSP-First: Security Issue
(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd)
Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138
Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138
| -rw-r--r-- | server/MDnsSdListener.cpp | 35 | ||||
| -rw-r--r-- | server/MDnsSdListener.h | 4 |
2 files changed, 26 insertions, 13 deletions
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index 42dcddf3..d551d37c 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -29,6 +29,7 @@
 #include <sys/poll.h>
 #include <sys/socket.h>
 #include <sys/types.h>
+#include <thread>
 #define LOG_TAG "MDnsDS"
 #define DBG 1
@@ -527,12 +528,18 @@ MDnsSdListener::Monitor::Monitor() {
     mPollSize = 10;
     socketpair(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, mCtrlSocketPair);
-    const int rval = ::android::netdutils::threadLaunch(this);
-    if (rval != 0) {
-        ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval);
-    }
+    mRescanThread = new std::thread(&Monitor::run, this);
+    if (!mRescanThread->joinable()) ALOGE("Unable to launch thread.");
 }
+MDnsSdListener::Monitor::~Monitor() {
+    if (VDBG) ALOGD("Monitor recycling");
+    close(mCtrlSocketPair[1]);  // interrupt poll in MDnsSdListener::Monitor::run() and revent will
+                                // be 17 = POLLIN | POLLHUP
+    mRescanThread->join();
+    delete mRescanThread;
+    if (VDBG) ALOGD("Monitor recycled");
+}
 #define NAP_TIME 200  // 200 ms between polls
 static int wait_for_property(const char *name, const char *desired_value, int maxwait) {
@@ -611,14 +618,18 @@ void MDnsSdListener::Monitor::run() {
             }
         }
         if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents);
-        switch (mPollFds[0].revents) {
-            case POLLIN: {
-                char readBuf[2];
-                read(mCtrlSocketPair[0], &readBuf, 1);
-                if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
-                if (memcmp(RESCAN, readBuf, 1) == 0) {
-                    pollCount = rescan();
-                }
+        if (mPollFds[0].revents & POLLHUP) {
+            free(mPollFds);
+            free(mPollRefs);
+            if (VDBG) ALOGD("Monitor thread leaving.");
+            return;
+        }
+        if (mPollFds[0].revents == POLLIN) {
+            char readBuf[2];
+            read(mCtrlSocketPair[0], &readBuf, 1);
+            if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
+            if (memcmp(RESCAN, readBuf, 1) == 0) {
+                pollCount = rescan();
             }
         }
         mPollFds[0].revents = 0;
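Review bot: In Monitor::Monitor() the `if (!mRescanThread->joinable())` check after `new std::thread(&Monitor::run, this)` can never fire, because a std::thread that fails to start throws std::system_error rather than returning a non-joinable object, so the ALOGE path is dead and an exception escaping the constructor is the real failure mode to consider. Holding the thread by value, `std::thread mRescanThread;` in the header and `mRescanThread = std::thread(&Monitor::run, this);` here, removes the raw `new`/`delete` pair and the pointer that ~Monitor() dereferences, with the destructor then guarding on `if (mRescanThread.joinable()) mRescanThread.join();`. ~Monitor() also closes only mCtrlSocketPair[1]; unless mCtrlSocketPair[0] is closed elsewhere (not visible in this hunk), every Monitor instance leaks one descriptor, which matters for the repeated construct/destroy cycle the commit message describes. If any other member writes RESCAN to mCtrlSocketPair[1] from another thread, that close() should happen only after those writers are quiesced (for example under mMutex), since a write to a closed and since-reused descriptor number is a hazard of its own.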
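Review bot: In Monitor::run() the new `if (mPollFds[0].revents == POLLIN)` keeps the exact-match semantics of the old `case POLLIN:`, so a revents value carrying POLLERR or POLLNVAL without POLLHUP (for instance if mCtrlSocketPair[0] were ever closed before its peer) matches neither branch; revents is cleared, poll() returns immediately again, and the thread spins instead of exiting. Folding those bits into the exit condition, `if (mPollFds[0].revents & (POLLHUP | POLLERR | POLLNVAL)) {`, gives the loop a single well-defined way out. The return value of `read(mCtrlSocketPair[0], &readBuf, 1)` is still unchecked, so on a short or failed read the following memcmp compares an indeterminate byte; `char readBuf[2] = {};` plus skipping the compare unless read() returned 1 closes that. The enclosing while loop of run() starts and ends outside the hunk.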
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
index 83cf23e3..196419b1 100644
--- a/server/MDnsSdListener.h
+++ b/server/MDnsSdListener.h
@@ -22,6 +22,7 @@
 #include <sysutils/FrameworkListener.h>
 #include <mutex>
 #include <string>
+#include <thread>
 #include "NetdCommand.h"
@@ -71,7 +72,7 @@ private:
     class Monitor {
       public:
         Monitor();
-        virtual ~Monitor() {}
+        ~Monitor();
         DNSServiceRef *allocateServiceRef(int id, Context *c);
         void startMonitoring(int id);
         DNSServiceRef *lookupServiceRef(int id);
@@ -102,6 +103,7 @@ private:
         int mPollSize;
         int mCtrlSocketPair[2];
         std::mutex mMutex;
+        std::thread* mRescanThread;
     };
     class Handler : public NetdCommand { |
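Review bot: As a point of style, `std::thread* mRescanThread;` is added without an in-class initializer, leaving the member indeterminate until the constructor assigns it, and the only guard the destructor could apply (a null check) is therefore meaningless. `std::thread* mRescanThread{nullptr};` is the minimal fix; holding the thread by value as `std::thread mRescanThread;` removes the owning raw pointer entirely and lets ~Monitor() guard on joinable() instead. Dropping `virtual` from the destructor is safe only if Monitor is never deleted through a base-class pointer; no base class is visible in this hunk, so that appears to hold, but it is worth confirming against the full class.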
