Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d2ecde5c authored by Xusong Wang's avatar Xusong Wang
Browse files

Fix use-after-free crash in VtsHalNeuralnetworksTargetTest. 

Prior to this CL, the AHardwareBuffer in TestBlobAHWB is released in the
destructor, but later used (unlock) during the destruction of the
mMapping member. This CL fixed this issue by managing the lifetime of
AHardwareBuffer with SharedMemory.

Bug: 197199690
Test: VtsHalNeuralnetworksTargetTest
Change-Id: I00748aaaa1a3a3d9b3b62bedb77a655ddb6e210f
parent 7f23524b

neuralnetworks/aidl/vts/functional/Utils.cpp

+6 −13
Original line number Diff line number Diff line
@@ -153,26 +153,19 @@ void TestBlobAHWB::initialize(uint32_t size) { 
            .stride = size,

    };



    ASSERT_EQ(AHardwareBuffer_allocate(&desc, &mAhwb), 0);

    ASSERT_NE(mAhwb, nullptr);

    AHardwareBuffer* ahwb = nullptr;

    ASSERT_EQ(AHardwareBuffer_allocate(&desc, &ahwb), 0);

    ASSERT_NE(ahwb, nullptr);



    const auto sharedMemory =

            nn::createSharedMemoryFromAHWB(mAhwb, /*takeOwnership=*/false).value();

    mMapping = nn::map(sharedMemory).value();

    mMemory = nn::createSharedMemoryFromAHWB(ahwb, /*takeOwnership=*/true).value();

    mMapping = nn::map(mMemory).value();

    mPtr = static_cast<uint8_t*>(std::get<void*>(mMapping.pointer));

    CHECK_NE(mPtr, nullptr);

    mAidlMemory = utils::convert(sharedMemory).value();

    mAidlMemory = utils::convert(mMemory).value();



    mIsValid = true;

}



TestBlobAHWB::~TestBlobAHWB() {

    if (mAhwb) {

        AHardwareBuffer_unlock(mAhwb, nullptr);

        AHardwareBuffer_release(mAhwb);

    }

}



std::string gtestCompliantName(std::string name) {

    // gtest test names must only contain alphanumeric characters

    std::replace_if(

neuralnetworks/aidl/vts/functional/Utils.h

+1 −2
Original line number Diff line number Diff line
@@ -102,11 +102,10 @@ class TestBlobAHWB : public TestMemoryBase { 
    // The constructor calls initialize, which constructs the memory resources. This is a

    // workaround that gtest macros cannot be used directly in a constructor.

    TestBlobAHWB(uint32_t size) { initialize(size); }

    ~TestBlobAHWB();



  private:

    void initialize(uint32_t size);

    AHardwareBuffer* mAhwb = nullptr;

    nn::SharedMemory mMemory;

    nn::Mapping mMapping;

};