
Commit de914f78 authored by Peter Collingbourne

Fix use-after-free in async_manager.cc.

std::condition_variable::wait_until() takes a reference
to its time_point argument, and reads it after waiting (see
external/libcxx/include/__mutex_base line 385), which means that
it's possible for the Task object containing the time_point to be
read after having been deallocated (e.g. via CancelAsyncTask). Fix
the problem by making a copy of the time_point.

Found with the help of MTE.

Bug: 135772972
Test: Verified fixed crash on fvp-eng with MTE enabled everywhere
Change-Id: I8437583bfd295e563916a87aad23b947185694bb
parent 86b13b04
+6 −1
@@ -465,7 +465,12 @@ class AsyncManager::AsyncTaskManager {
        if (!running_) break;
        // wait until time for the next task (if any)
        if (task_queue_.size() > 0) {
          internal_cond_var_.wait_until(guard, (*task_queue_.begin())->time);
          // Make a copy of the time_point because wait_until takes a reference
          // to it and may read it after waiting, by which time the task may
          // have been freed (e.g. via CancelAsyncTask).
          std::chrono::steady_clock::time_point time =
              (*task_queue_.begin())->time;
          internal_cond_var_.wait_until(guard, time);
        } else {
          internal_cond_var_.wait(guard);
        }
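Review bot: The copy of `time` is taken while `guard` is still held, and that is what makes the read of `(*task_queue_.begin())->time` safe here; `wait_until` releases the mutex for the duration of the wait, so the iterator and Task pointer obtained before the call must not be touched after it returns (the hunk does not do so, but the new comment could state this explicitly so a later edit does not reintroduce the pattern). Minor: the local could be declared `const std::chrono::steady_clock::time_point time = ...` since it is only passed by reference to `wait_until` and never modified.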