Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2ffa65df authored by Hui Peng's avatar Hui Peng
Browse files

Fix a use-after-free bug in AttributionProcessor::OnWakelockReleased 

There is a use-after-free bug in AttributionProcessor::OnWakelockReleased
resulted from a well-known misuse of using iterators to delete
items in containers (the deleted items are used for calculating the next iterator
in the next round). This patch fix it with correct usage.

see the regression test is in I1709af943b6fa238dd4df41a62e6add36984c9ec

Bug: 254774758
Ignore-AOSP-First: security
Test: atest bluetooth_test_gd_unit

Change-Id: If9f14d5fe2fbf2150f2ab0d1f90ce0f263399227
parent 780b0804

system/gd/btaa/linux_generic/attribution_processor.cc

+14 −8
Original line number Diff line number Diff line
@@ -126,23 +126,29 @@ void AttributionProcessor::OnWakelockReleased(uint32_t duration_ms) { 
  }

  // Trim down the transient entries in the aggregator to avoid that it overgrows

  if (btaa_aggregator_.size() > kMapSizeTrimDownAggregationEntry) {

    for (auto& it : btaa_aggregator_) {

    auto it = btaa_aggregator_.begin();

    while (it != btaa_aggregator_.end()) {

      auto elapsed_time_sec =

          std::chrono::duration_cast<std::chrono::seconds>(cur_time - it.second.creation_time).count();

          std::chrono::duration_cast<std::chrono::seconds>(cur_time - it->second.creation_time).count();

      if (elapsed_time_sec > kDurationTransientDeviceActivityEntrySecs &&

          it.second.byte_count < kByteCountTransientDeviceActivityEntry) {

        btaa_aggregator_.erase(it.first);

          it->second.byte_count < kByteCountTransientDeviceActivityEntry) {

        it = btaa_aggregator_.erase(it);

      } else {

        it++;

      }

    }

  }



  if (app_activity_aggregator_.size() > kMapSizeTrimDownAggregationEntry) {

    for (auto& it : app_activity_aggregator_) {

    auto it = app_activity_aggregator_.begin();

    while (it != app_activity_aggregator_.end()) {

      auto elapsed_time_sec =

          std::chrono::duration_cast<std::chrono::seconds>(cur_time - it.second.creation_time).count();

          std::chrono::duration_cast<std::chrono::seconds>(cur_time - it->second.creation_time).count();

      if (elapsed_time_sec > kDurationTransientDeviceActivityEntrySecs &&

          it.second.byte_count < kByteCountTransientDeviceActivityEntry) {

        app_activity_aggregator_.erase(it.first);

          it->second.byte_count < kByteCountTransientDeviceActivityEntry) {

        it = app_activity_aggregator_.erase(it);

      } else {

        it++;

      }

    }

  }