From: Seung-Woo Kim Date: Wed, 7 Aug 2024 03:26:10 +0000 (+0900) Subject: crash-manager: dbus: Fix ref count management for g_variant X-Git-Tag: accepted/tizen/unified/20240813.181617^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Faccepted%2Ftizen_unified_dev;p=platform%2Fcore%2Fsystem%2Fcrash-worker.git crash-manager: dbus: Fix ref count management for g_variant Fix ref count management for g_variant used in the second g_dbus_connection_emit_signal() like the first one. This fixes below heap-use-after-free asan issue: ==crash-notify-send==1349==ERROR: AddressSanitizer: heap-use-after-free on address 0x007f8f808634 at pc 0x007f92e2b460 bp 0x007f8b5fe120 sp 0x007f8b5fe138 WRITE of size 4 at 0x007f8f808634 thread T3 (gdbus) #0 0x7f92e2b45c in g_atomic_ref_count_dec /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/grefcount.c:270 #1 0x7f92e9edc8 in g_variant_unref /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant-core.c:1007 #2 0x7f9340d0ac in g_dbus_message_finalize /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusmessage.c:532 #3 0x7f9304a3cc in g_object_unref /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gobject/gobject.c:3941 #4 0x7f93428a98 in message_to_write_data_free /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:954 (discriminator 1) #5 0x7f9342c988 in write_message_cb /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:1420 #6 0x7f93341bd8 in g_task_return_now /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gtask.c:1371 #7 0x7f93341c90 in complete_in_idle_cb /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gtask.c:1385 #8 0x7f92df3b60 in g_main_dispatch /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:3476 #9 0x7f92dfb300 in g_main_context_dispatch_unlocked /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:4284 #10 0x7f92dfb300 in g_main_context_iterate_unlocked /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:4349 #11 
0x7f92dfc130 in g_main_loop_run /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmain.c:4551 #12 0x7f93428328 in gdbus_shared_thread_func /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:288 #13 0x7f92e5e5f8 in g_thread_proxy /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gthread.c:831 #14 0x7f92b448f4 in start_thread /usr/src/debug/glibc-2.30-2.10.aarch64/nptl/pthread_create.c:479 #15 0x7f92c65468 in thread_start /usr/src/debug/glibc-2.30-2.10.aarch64/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78 0x007f8f808634 is located 52 bytes inside of 64-byte region [0x007f8f808600,0x007f8f808640) freed by thread T0 here: #0 0x7f93801a68 in free /usr/src/debug/gcc-9.2.0-1.36.aarch64/obj/aarch64-tizen-linux-gnu/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cpp:128 (discriminator 2) #1 0x555e772e24 in send_signals /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:279 #2 0x555e772e24 in main /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:379 #3 0x7f92bbbff0 in __libc_start_main /usr/src/debug/glibc-2.30-2.10.aarch64/csu/../csu/libc-start.c:308 #4 0x555e773588 in _start /home/abuild/rpmbuild/BUILD/glibc-2.30/csu/../sysdeps/aarch64/start.S:92 previously allocated by thread T0 here: #0 0x7f93801cd8 in __interceptor_malloc /usr/src/debug/gcc-9.2.0-1.36.aarch64/obj/aarch64-tizen-linux-gnu/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cpp:149 (discriminator 2) #1 0x7f92e0b23c in g_malloc /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gmem.c:130 #2 0x7f92e9e6f8 in g_variant_alloc /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant-core.c:594 #3 0x7f92e9e6f8 in g_variant_new_from_children /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant-core.c:631 #4 0x7f92e96d88 in g_variant_builder_end /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gvariant.c:3831 #5 0x555e773ad8 in build_message_data 
/usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:223 #6 0x555e77312c in send_signals /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:272 #7 0x555e77312c in main /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:379 #8 0x7f92bbbff0 in __libc_start_main /usr/src/debug/glibc-2.30-2.10.aarch64/csu/../csu/libc-start.c:308 #9 0x555e773588 in _start /home/abuild/rpmbuild/BUILD/glibc-2.30/csu/../sysdeps/aarch64/start.S:92 Thread T3 (gdbus) created by T0 here: #0 0x7f937857a0 in pthread_create /usr/src/debug/gcc-9.2.0-1.36.aarch64/obj/aarch64-tizen-linux-gnu/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cpp:216 #1 0x7f92ec5298 in g_system_thread_new /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gthread-posix.c:1298 #2 0x7f92e5ed6c in g_thread_new /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../glib/gthread.c:888 #3 0x7f93429f00 in _g_dbus_shared_thread_ref /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:313 #4 0x7f93429f00 in _g_dbus_worker_new /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusprivate.c:1758 #5 0x7f93409ca8 in initable_init /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusconnection.c:3494 #6 0x7f9340cd6c in g_bus_get_sync /usr/src/debug/glib2-2.78.4-0.aarch64/_build/../gio/gdbusconnection.c:8467 #7 0x555e7740f8 in bus_get /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus-util.h:19 #8 0x555e772d1c in main /usr/src/debug/crash-worker-9.0.1-1.aarch64/src/crash-manager/dbus_notify.c:376 #9 0x7f92bbbff0 in __libc_start_main /usr/src/debug/glibc-2.30-2.10.aarch64/csu/../csu/libc-start.c:308 #10 0x555e773588 in _start /home/abuild/rpmbuild/BUILD/glibc-2.30/csu/../sysdeps/aarch64/start.S:92 SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libglib-2.0.so.0+0x12f45c) in g_atomic_ref_count_dec Change-Id: Ie53ad0200dcb0c52d41ccecbe178ddc47476e80f Suggested-by: Minyoung Song Signed-off-by: Seung-Woo Kim --- 
diff --git a/src/crash-manager/dbus_notify.c b/src/crash-manager/dbus_notify.c
index eec8a0a7..8a728a71 100644
--- a/src/crash-manager/dbus_notify.c
+++ b/src/crash-manager/dbus_notify.c
@@ -271,12 +271,13 @@ static bool send_signals(GDBusConnection *conn, const struct NotifyParams *notif
 ? build_legacy_message_data(notify_params)
 : build_message_data(notify_params, SIG_NORMAL);
- if (data)
+ if (data) {
+ (void)g_variant_ref_sink(data);
 send_one_signal(conn, PROCESS_CRASHED, data);
- else
+ g_variant_unref(data);
+ } else
 _W("Error while preparing data for " PROCESS_CRASHED " signal");
- g_variant_unref(data);
 GError *error = NULL;
 g_dbus_connection_flush_sync(conn, NULL, &error);