crash-manager: dbus: Fix ref count management for g_variant 24/315724/1 accepted/tizen_unified_dev accepted/tizen_unified_toolchain accepted/tizen/9.0/unified/20241030.232353 accepted/tizen/unified/20240813.181617 accepted/tizen/unified/dev/20240819.095615 accepted/tizen/unified/toolchain/20241004.101718 accepted/tizen/unified/x/20240814.051304 accepted/tizen/unified/x/asan/20241014.000039 tizen_9.0_m2_release
authorSeung-Woo Kim <sw0312.kim@samsung.com>
Wed, 7 Aug 2024 03:26:10 +0000 (12:26 +0900)
committerSeung-Woo Kim <sw0312.kim@samsung.com>
Wed, 7 Aug 2024 04:11:36 +0000 (13:11 +0900)
Fix the reference count management of the g_variant used in the second
g_dbus_connection_emit_signal() so that it matches the first one.

This fixes below heap-use-after-free asan issue:

   ==crash-notify-send==1349==ERROR: AddressSanitizer: heap-use-after-free on address 0x007f8f808634 at pc 0x007f92e2b460 bp 0x007f8b5fe120 sp 0x007f8b5fe138
   WRITE of size 4 at 0x007f8f808634 thread T3 (gdbus)
       #0 0x7f92e2b45c in g_atomic_ref_count_dec /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/grefcount.c:270
       #1 0x7f92e9edc8 in g_variant_unref /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant-core.c:1007
       #2 0x7f9340d0ac in g_dbus_message_finalize /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusmessage.c:532
       #3 0x7f9304a3cc in g_object_unref /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gobject/gobject.c:3941
       #4 0x7f93428a98 in message_to_write_data_free /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:954 (discriminator 1)
       #5 0x7f9342c988 in write_message_cb /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:1420
       #6 0x7f93341bd8 in g_task_return_now /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gtask.c:1371
       #7 0x7f93341c90 in complete_in_idle_cb /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gtask.c:1385
       #8 0x7f92df3b60 in g_main_dispatch /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:3476
       #9 0x7f92dfb300 in g_main_context_dispatch_unlocked /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:4284
       #10 0x7f92dfb300 in g_main_context_iterate_unlocked /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:4349
       #11 0x7f92dfc130 in g_main_loop_run /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:4551
       #12 0x7f93428328 in gdbus_shared_thread_func /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:288
       #13 0x7f92e5e5f8 in g_thread_proxy /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gthread.c:831
       #14 0x7f92b448f4 in start_thread /usr/src/debug/glibc-2.30-2.10.aarch64/nptl/pthread_create.c:479
       #15 0x7f92c65468 in thread_start /usr/src/debug/glibc-2.30-2.10.aarch64/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78

   0x007f8f808634 is located 52 bytes inside of 64-byte region [0x007f8f808600,0x007f8f808640)
   freed by thread T0 here:
       #0 0x7f93801a68 in free /usr/src/debug/gcc-9.2.0-1.36.aarch64/obj/aarch64-tizen-linux-gnu/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cpp:128 (discriminator 2)
       #1 0x555e772e24 in send_signals /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:279
       #2 0x555e772e24 in main /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:379
       #3 0x7f92bbbff0 in __libc_start_main /usr/src/debug/glibc-2.30-2.10.aarch64/csu/../csu/libc-start.c:308
       #4 0x555e773588 in _start /home/abuild/rpmbuild/BUILD/glibc-2.30/csu/../sysdeps/aarch64/start.S:92

   previously allocated by thread T0 here:
       #0 0x7f93801cd8 in __interceptor_malloc /usr/src/debug/gcc-9.2.0-1.36.aarch64/obj/aarch64-tizen-linux-gnu/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cpp:149 (discriminator 2)
       #1 0x7f92e0b23c in g_malloc /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmem.c:130
       #2 0x7f92e9e6f8 in g_variant_alloc /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant-core.c:594
       #3 0x7f92e9e6f8 in g_variant_new_from_children /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant-core.c:631
       #4 0x7f92e96d88 in g_variant_builder_end /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant.c:3831
       #5 0x555e773ad8 in build_message_data /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:223
       #6 0x555e77312c in send_signals /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:272
       #7 0x555e77312c in main /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:379
       #8 0x7f92bbbff0 in __libc_start_main /usr/src/debug/glibc-2.30-2.10.aarch64/csu/../csu/libc-start.c:308
       #9 0x555e773588 in _start /home/abuild/rpmbuild/BUILD/glibc-2.30/csu/../sysdeps/aarch64/start.S:92

   Thread T3 (gdbus) created by T0 here:
       #0 0x7f937857a0 in pthread_create /usr/src/debug/gcc-9.2.0-1.36.aarch64/obj/aarch64-tizen-linux-gnu/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cpp:216
       #1 0x7f92ec5298 in g_system_thread_new /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gthread-posix.c:1298
       #2 0x7f92e5ed6c in g_thread_new /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gthread.c:888
       #3 0x7f93429f00 in _g_dbus_shared_thread_ref /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:313
       #4 0x7f93429f00 in _g_dbus_worker_new /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:1758
       #5 0x7f93409ca8 in initable_init /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusconnection.c:3494
       #6 0x7f9340cd6c in g_bus_get_sync /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusconnection.c:8467
       #7 0x555e7740f8 in bus_get /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus-util.h:19
       #8 0x555e772d1c in main /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:376
       #9 0x7f92bbbff0 in __libc_start_main /usr/src/debug/glibc-2.30-2.10.aarch64/csu/../csu/libc-start.c:308
       #10 0x555e773588 in _start /home/abuild/rpmbuild/BUILD/glibc-2.30/csu/../sysdeps/aarch64/start.S:92

   SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libglib-2.0.so.0+0x12f45c) in g_atomic_ref_count_dec

Change-Id: Ie53ad0200dcb0c52d41ccecbe178ddc47476e80f
Suggested-by: Minyoung Song <minyoung.song@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
src/crash-manager/dbus_notify.c

index eec8a0a7b80ebddf4a4cff787cbdf1bd8db43b3b..8a728a7195c6656395e0bd08ea2e18a960e4b40f 100644 (file)
@@ -271,12 +271,13 @@ static bool send_signals(GDBusConnection *conn, const struct NotifyParams *notif
                         ? build_legacy_message_data(notify_params)
                         : build_message_data(notify_params, SIG_NORMAL);
 
-       if (data)
+       if (data) {
+               (void)g_variant_ref_sink(data);
                send_one_signal(conn, PROCESS_CRASHED, data);
-       else
+               g_variant_unref(data);
+       } else
                _W("Error while preparing data for " PROCESS_CRASHED " signal");
 
-       g_variant_unref(data);
 
        GError *error = NULL;
        g_dbus_connection_flush_sync(conn, NULL, &error);
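Review bot: The `else` branch stays unbraced while the `if` branch now has braces (lines 76–82), which is the mixed style that hides the "goto fail" class of mistake; brace both arms, `} else {` / `_W("Error while preparing data for " PROCESS_CRASHED " signal");` / `}`. Dropping the unconditional `g_variant_unref(data)` also leaves two consecutive blank lines (83 and 85) in the new side. Since the ref_sink/unref pairing is the whole point of the fix, a one-line comment above line 77 would stop the next reader from "simplifying" it away, e.g. `/* take our own (non-floating) ref: the emit path drops its own, we drop ours */`; whether send_one_signal ends in g_dbus_connection_emit_signal() is inferred from the commit message, not visible in the hunk. The enclosing send_signals() continues beyond the hunk.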