Fix ASAN issue : heap-use-after-free

[ASAN report]
==muse-server==10013==ERROR: AddressSanitizer: heap-use-after-free on address 0xb1baa100 at pc 0xb69cb399 bp 0xbed15dfc sp 0xbed15dec
WRITE of size 4 at 0xb1baa100 thread T0
0 0xb69cb396 in ms_ipc_create_msg_dispatch_worker /usr/src/debug/mused-0.3.110/server/src/muse_server_ipc.c:420
1 xb69d3914 in _ms_connection_handler /usr/src/debug/mused-0.3.110/server/src/muse_server_private.c:312 (discriminator 14)

0xb1baa100 is located 0 bytes inside of 4232-byte region [0xb1baa100,0xb1bab188)
freed by thread T393 (msg) here:
0 0xb6aebee2 in free asan_rtl (discriminator 2)
1 0xb69cac14 in _ms_ipc_module_cleanup /usr/src/debug/mused-0.3.110/server/src/muse_server_ipc.c:110
2 0xb69cac14 in _ms_ipc_dispatch_worker /usr/src/debug/mused-0.3.110/server/src/muse_server_ipc.c:312

Thread T393 (msg) created by T0 here:
0 0xb6aec2ee in calloc asan_rtl (discriminator 2)
1 0xb67fc068 in g_malloc0 /usr/src/debug/glib2-2.62.3/_build/../glib/gmem.c:129
2 0xb69d38a0 in _ms_connection_handler /usr/src/debug/mused-0.3.110/server/src/muse_server_private.c:307 (discriminator 9)

[Version] 0.3.118
[Profile] Common
[Issue Type] Bug fix

Change-Id: I988af4df53cc26f849c65a194bfc83ecbb87620d
Signed-off-by: Jeongmo Yang <jm80.yang@samsung.com>

diff --git a/packaging/mused.spec b/packaging/mused.spec
index 1b004dd..e4ee69e 100644 (file)
--- a/packaging/mused.spec
+++ b/packaging/mused.spec
@@ -1,6 +1,6 @@
 Name:       mused
 Summary:    A multimedia daemon
-Version:    0.3.117
+Version:    0.3.118
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0

diff --git a/server/src/muse_server_ipc.c b/server/src/muse_server_ipc.c
index 6d82a9c..ca1f783 100644 (file)
--- a/server/src/muse_server_ipc.c
+++ b/server/src/muse_server_ipc.c
@@ -257,8 +257,9 @@ static gpointer _ms_ipc_dispatch_worker(gpointer data)
        m = (muse_module_h)data;
 
        fd = m->ch[MUSE_CHANNEL_MSG].sock_fd;
+       m->ch[MUSE_CHANNEL_MSG].thread = g_thread_self();
 
-       LOGD("Enter %d modlue %p", fd, m);
+       LOGD("Enter %d module %p thread %p", fd, m, m->ch[MUSE_CHANNEL_MSG].thread);
 
        while (attempt_to_dispatch) {
                memset(m->recv_msg, 0x00, sizeof(m->recv_msg));
@@ -410,6 +411,7 @@ static gpointer _ms_ipc_data_worker(gpointer data)
 
 gboolean ms_ipc_create_msg_dispatch_worker(muse_module_h m)
 {
+       GThread *thread = NULL;
        GError *error = NULL;
        muse_server_h ms = ms_get_instance();
 
@@ -421,17 +423,16 @@ gboolean ms_ipc_create_msg_dispatch_worker(muse_module_h m)
 
        SECURE_LOGD("[PID %d module %p] module's msg channel fd : %d", m->pid, m, m->ch[MUSE_CHANNEL_MSG].sock_fd);
 
-       m->ch[MUSE_CHANNEL_MSG].thread = g_thread_try_new(MSG_THREAD_NAME, _ms_ipc_dispatch_worker, (gpointer)m, &error);
-
-       if (!m->ch[MUSE_CHANNEL_MSG].thread) {
-               LOGE("thread creation failed : %s", error->message);
+       thread = g_thread_try_new(MSG_THREAD_NAME, _ms_ipc_dispatch_worker, (gpointer)m, &error);
+       if (!thread) {
+               LOGE("[module %p] thread creation failed : %s", m, error->message);
                g_error_free(error);
                ms_log_process_info(ms->pid);
+               return FALSE;
        }
 
-       muse_return_val_if_fail(m->ch[MUSE_CHANNEL_MSG].thread, FALSE);
+       LOGD("Leave module %p, thread %p", m, thread);
 
-       LOGD("Leave");
        return TRUE;
 }