Commit de914f78 authored by Peter Collingbourne

Fix use-after-free in async_manager.cc.

std::condition_variable::wait_until() takes a reference
to its time_point argument, and reads it after waiting (see
external/libcxx/include/__mutex_base line 385), which means that
it's possible for the Task object containing the time_point to be
read after having been deallocated (e.g. via CancelAsyncTask). Fix
the problem by making a copy of the time_point.

Found with the help of MTE.

Bug: 135772972
Test: Verified fixed crash on fvp-eng with MTE enabled everywhere
Change-Id: I8437583bfd295e563916a87aad23b947185694bb
parent 86b13b04
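
The pattern the commit message describes, as an added example (not code from this commit or from the project): the deadline is copied into a local before `wait_until()` is called, so a concurrent cancel can free the task without the waiter reading freed memory. `Task`, `Scheduler`, `Cancel`, `WaitForNext` and `RunWait` are hypothetical names chosen for the illustration.

```cpp
#include <chrono>
#include <condition_variable>
#include <memory>
#include <mutex>
#include <thread>

using Clock = std::chrono::steady_clock;

// Hypothetical stand-in for a scheduled task; not the project's Task class.
struct Task { Clock::time_point time; };

struct Scheduler {
  std::mutex mu;
  std::condition_variable cv;
  std::unique_ptr<Task> next;  // heap-allocated task, freed by Cancel()

  // Frees the pending task and wakes the waiter.
  void Cancel() {
    std::lock_guard<std::mutex> g(mu);
    next.reset();
    cv.notify_all();
  }

  // Returns true if the task was still pending at its deadline,
  // false if it was cancelled (freed) while this thread was waiting.
  bool WaitForNext() {
    std::unique_lock<std::mutex> lock(mu);
    if (!next) return false;
    // Unsafe form: cv.wait_until(lock, next->time) hands wait_until a reference
    // into *next; mu is released while blocked, so Cancel() can free it first.
    const Clock::time_point deadline = next->time;  // copy owned by this frame
    while (next && Clock::now() < deadline) cv.wait_until(lock, deadline);
    return next != nullptr;
  }
};

// One wait; a second thread cancels after cancel_ms (negative: never cancels).
bool RunWait(int deadline_ms, int cancel_ms) {
  Scheduler s;
  s.next.reset(new Task{Clock::now() + std::chrono::milliseconds(deadline_ms)});
  std::thread canceller([&s, cancel_ms] {
    if (cancel_ms < 0) return;
    std::this_thread::sleep_for(std::chrono::milliseconds(cancel_ms));
    s.Cancel();
  });
  bool pending = s.WaitForNext();
  canceller.join();
  return pending;
}

int main() { return (!RunWait(5000, 50) && RunWait(30, -1)) ? 0 : 1; }
```

Swapping the copy for the unsafe form named in the comment and building with a memory-safety checker such as AddressSanitizer is one way to observe the read the commit message describes; the commit itself reports finding it with MTE.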