
Commit 24a7874b authored by sergiuferentz's avatar sergiuferentz Committed by Sergiu Ferentz

Fix for heap-use-after-free in GPUService.cpp

This adds a unit test and fix for the bug reported by libfuzzer.
Changes made:
 * Expose GPUService as testable code.
 * Update main_gpuservice.cpp to use the new GpuService now located at
   gpuservice/GpuService.h
 * Make initializer threads members of GpuService
 * Join the threads in destructor to prevent heap-use-after-free.
 * Add unit test that waits 3 seconds after deallocation to ensure no
   wrong access is made.

Merged-In: I4d1d2d4658b575bf2c8f425f91f68f03114ad029
Bug: 282919145
Test: Added unit test and ran on device with ASAN
Change-Id: I4d1d2d4658b575bf2c8f425f91f68f03114ad029
(cherry picked from commit 3c00cbc0)
parent 08e184f8
+1 −0
@@ -70,6 +70,7 @@ filegroup {
cc_library_shared {
    name: "libgpuservice",
    defaults: ["libgpuservice_production_defaults"],
    export_include_dirs: ["include"],
    srcs: [
        ":libgpuservice_sources",
    ],
+7 −3
@@ -16,7 +16,7 @@

#define ATRACE_TAG ATRACE_TAG_GRAPHICS

#include "GpuService.h"
#include "gpuservice/GpuService.h"

#include <android-base/stringprintf.h>
#include <binder/IPCThreadState.h>
@@ -33,6 +33,7 @@
#include <vkjson.h>

#include <thread>
#include <memory>

namespace android {

@@ -52,13 +53,16 @@ GpuService::GpuService()
      : mGpuMem(std::make_shared<GpuMem>()),
        mGpuStats(std::make_unique<GpuStats>()),
        mGpuMemTracer(std::make_unique<GpuMemTracer>()) {
    std::thread asyncInitThread([this]() {
    mGpuMemAsyncInitThread = std::make_unique<std::thread>([this] (){
        mGpuMem->initialize();
        mGpuMemTracer->initialize(mGpuMem);
    });
    asyncInitThread.detach();
};

GpuService::~GpuService() {
    mGpuMemAsyncInitThread->join();
}

void GpuService::setGpuStats(const std::string& driverPackageName,
                             const std::string& driverVersionName, uint64_t driverVersionCode,
                             int64_t driverBuildTime, const std::string& appPackageName,
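Review bot: The new destructor calls `mGpuMemAsyncInitThread->join()` with no guard, so a null pointer would be dereferenced and a non-joinable thread would make `join()` throw `std::system_error` out of a destructor, which terminates the process. In the constructor shown here the member is always assigned and nothing else joins it, so this is hardening rather than a live bug: `if (mGpuMemAsyncInitThread && mGpuMemAsyncInitThread->joinable()) mGpuMemAsyncInitThread->join();`. Destruction now also blocks until both `initialize()` calls in the lambda return, so it is worth confirming that neither of them can wait indefinitely; their bodies are not visible on this page.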
+3 −0
@@ -24,6 +24,7 @@
#include <serviceutils/PriorityDumper.h>

#include <mutex>
#include <thread>
#include <vector>

namespace android {
@@ -37,6 +38,7 @@ public:
    static const char* const SERVICE_NAME ANDROID_API;

    GpuService() ANDROID_API;
    ~GpuService();

protected:
    status_t shellCommand(int in, int out, int err, std::vector<String16>& args) override;
@@ -81,6 +83,7 @@ private:
    std::unique_ptr<GpuMemTracer> mGpuMemTracer;
    std::mutex mLock;
    std::string mDeveloperDriverPath;
    std::unique_ptr<std::thread> mGpuMemAsyncInitThread;
};

} // namespace android
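Review bot: `mGpuMemAsyncInitThread` is declared without a comment, although the fix depends on an ordering the declaration does not show: the thread's lambda in the constructor uses `mGpuMem` and `mGpuMemTracer`, so it must be joined before those members are destroyed. A comment on the member such as `// Joined in ~GpuService(); must finish before mGpuMem and mGpuMemTracer are destroyed.` would keep a later change from reintroducing `detach()`. A plain `std::thread` member, move-assigned in the constructor, would also work here and removes the extra allocation and the null state of `std::unique_ptr<std::thread>`. The class definition starts outside these hunks.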
+1 −1
@@ -18,7 +18,7 @@
#include <binder/IServiceManager.h>
#include <binder/ProcessState.h>
#include <sys/resource.h>
#include "GpuService.h"
#include "gpuservice/GpuService.h"

using namespace android;

+2 −0
@@ -31,6 +31,7 @@ cc_test {
        "GpuMemTest.cpp",
        "GpuMemTracerTest.cpp",
        "GpuStatsTest.cpp",
        "GpuServiceTest.cpp",
    ],
    shared_libs: [
        "libbase",
@@ -47,6 +48,7 @@ cc_test {
        "libstatslog",
        "libstatspull",
        "libutils",
        "libgpuservice",
    ],
    static_libs: [
        "libgmock",