From: Jeongmo Yang
Date: Tue, 9 Jun 2020 05:16:22 +0000 (+0900)
Subject: Fix ASAN issue : heap-use-after-free
X-Git-Tag: submit/tizen/20200609.063705^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F05%2F235705%2F3;p=platform%2Fcore%2Fmultimedia%2Fmmsvc-core.git

Fix ASAN issue : heap-use-after-free

[ASAN report]
==muse-server==10013==ERROR: AddressSanitizer: heap-use-after-free on address 0xb1baa100 at pc 0xb69cb399 bp 0xbed15dfc sp 0xbed15dec
WRITE of size 4 at 0xb1baa100 thread T0
0 0xb69cb396 in ms_ipc_create_msg_dispatch_worker /usr/src/debug/mused-0.3.110/server/src/muse_server_ipc.c:420
1 xb69d3914 in _ms_connection_handler /usr/src/debug/mused-0.3.110/server/src/muse_server_private.c:312 (discriminator 14)
0xb1baa100 is located 0 bytes inside of 4232-byte region [0xb1baa100,0xb1bab188)
freed by thread T393 (msg) here:
0 0xb6aebee2 in free asan_rtl (discriminator 2)
1 0xb69cac14 in _ms_ipc_module_cleanup /usr/src/debug/mused-0.3.110/server/src/muse_server_ipc.c:110
2 0xb69cac14 in _ms_ipc_dispatch_worker /usr/src/debug/mused-0.3.110/server/src/muse_server_ipc.c:312
Thread T393 (msg) created by T0 here:
0 0xb6aec2ee in calloc asan_rtl (discriminator 2)
1 0xb67fc068 in g_malloc0 /usr/src/debug/glib2-2.62.3/_build/../glib/gmem.c:129
2 0xb69d38a0 in _ms_connection_handler /usr/src/debug/mused-0.3.110/server/src/muse_server_private.c:307 (discriminator 9)

[Version] 0.3.118
[Profile] Common
[Issue Type] Bug fix

Change-Id: I988af4df53cc26f849c65a194bfc83ecbb87620d
Signed-off-by: Jeongmo Yang
---
diff --git a/packaging/mused.spec b/packaging/mused.spec
index 1b004dd7..e4ee69eb 100644
--- a/packaging/mused.spec
+++ b/packaging/mused.spec
@@ -1,6 +1,6 @@
 Name: mused
 Summary: A multimedia daemon
-Version: 0.3.117
+Version: 0.3.118
 Release: 0
 Group: System/Libraries
 License: Apache-2.0
diff --git a/server/src/muse_server_ipc.c b/server/src/muse_server_ipc.c
index 6d82a9c2..ca1f7839 100644
--- a/server/src/muse_server_ipc.c
+++ b/server/src/muse_server_ipc.c
@@ -257,8 +257,9 @@ static gpointer _ms_ipc_dispatch_worker(gpointer data)
 m = (muse_module_h)data;
 fd = m->ch[MUSE_CHANNEL_MSG].sock_fd;
+ m->ch[MUSE_CHANNEL_MSG].thread = g_thread_self();
- LOGD("Enter %d modlue %p", fd, m);
+ LOGD("Enter %d module %p thread %p", fd, m, m->ch[MUSE_CHANNEL_MSG].thread);
 while (attempt_to_dispatch) {
 memset(m->recv_msg, 0x00, sizeof(m->recv_msg));
@@ -410,6 +411,7 @@ static gpointer _ms_ipc_data_worker(gpointer data)
 gboolean ms_ipc_create_msg_dispatch_worker(muse_module_h m)
 {
+ GThread *thread = NULL;
 GError *error = NULL;
 muse_server_h ms = ms_get_instance();
@@ -421,17 +423,16 @@ gboolean ms_ipc_create_msg_dispatch_worker(muse_module_h m)
 SECURE_LOGD("[PID %d module %p] module's msg channel fd : %d", m->pid, m, m->ch[MUSE_CHANNEL_MSG].sock_fd);
- m->ch[MUSE_CHANNEL_MSG].thread = g_thread_try_new(MSG_THREAD_NAME, _ms_ipc_dispatch_worker, (gpointer)m, &error);
-
- if (!m->ch[MUSE_CHANNEL_MSG].thread) {
- LOGE("thread creation failed : %s", error->message);
+ thread = g_thread_try_new(MSG_THREAD_NAME, _ms_ipc_dispatch_worker, (gpointer)m, &error);
+ if (!thread) {
+ LOGE("[module %p] thread creation failed : %s", m, error->message);
 g_error_free(error);
 ms_log_process_info(ms->pid);
+ return FALSE;
 }
- muse_return_val_if_fail(m->ch[MUSE_CHANNEL_MSG].thread, FALSE);
+ LOGD("Leave module %p, thread %p", m, thread);
- LOGD("Leave");
 return TRUE;
 }
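Review bot: The handle in `m->ch[MUSE_CHANNEL_MSG].thread` is now published by the worker itself (`m->ch[MUSE_CHANNEL_MSG].thread = g_thread_self();` at the top of _ms_ipc_dispatch_worker) instead of by the creator, which removes the store into possibly-freed memory that the ASAN report points at, but it also means the field can still be NULL after ms_ipc_create_msg_dispatch_worker has returned TRUE, until the new thread is actually scheduled; any caller that reads it right after creation (to join or to tear the module down) has to tolerate that, and those readers are not visible from here. The ownership rule should be spelled out at the assignment, e.g. `/* set by the worker, not the creator: once g_thread_try_new() returns, m may already be freed by _ms_ipc_module_cleanup() on this thread */`, and again in the third hunk at `thread = g_thread_try_new(...)` with `/* m must not be touched after this call; the LOGD below only prints the pointer value */`. Since g_thread_self() hands back the GThread without adding a reference while the reference returned by g_thread_try_new() is now held only in the local `thread` and dropped on return, the join/unref in the cleanup path should be checked to release that one reference exactly once. Both _ms_ipc_dispatch_worker and ms_ipc_create_msg_dispatch_worker extend beyond the hunks shown.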