From 885a88664fcc5157b3bf8e46ba0435a081ee2627 Mon Sep 17 00:00:00 2001
From: YoungHun Kim
Date: Mon, 5 Dec 2022 11:56:20 +0900
Subject: [PATCH] Fix heap-use-after-free issue
- After module's msg thread exit, the paired data thread could be accessed
- Add to check if module is freed or not with module's memset variable
Change-Id: I26f18ed896420915f1cdab2b3f03f15d137a1436
---
 packaging/mused.spec | 2 +-
 server/src/muse_server_ipc.c | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/packaging/mused.spec b/packaging/mused.spec
index 7e8e723..71d0315 100644
--- a/packaging/mused.spec
+++ b/packaging/mused.spec
@@ -1,6 +1,6 @@
 Name: mused
 Summary: A multimedia daemon
-Version: 0.3.158
+Version: 0.3.159
 Release: 0
 Group: System/Libraries
 License: Apache-2.0
diff --git a/server/src/muse_server_ipc.c b/server/src/muse_server_ipc.c
index e8e8e71..c5f4fcc 100644
--- a/server/src/muse_server_ipc.c
+++ b/server/src/muse_server_ipc.c
@@ -107,7 +107,7 @@ static void _ms_ipc_module_cleanup(muse_module_h m)
 memset(m, 0, sizeof(muse_module_t));
- LOGI("[module %p] EXIT", m);
+ LOGI("[module %p] EXIT pid %d handle %zd created %d", m, m->pid, m->handle, m->is_created);
 g_free(m);
 }
@@ -394,7 +394,9 @@ static gpointer _ms_ipc_data_worker(gpointer data)
 muse_return_val_if_fail(data, NULL);
 m = (muse_module_h)data;
- SECURE_LOGW("module : %p", m);
+ SECURE_LOGW("module : %p pid %d handle %zd created %d", m, m->pid, m->handle, m->is_created);
+
+ muse_return_val_if_fail(m->pid > 0 && m->handle && m->is_created, NULL);
 fd = m->ch[MUSE_CHANNEL_DATA].sock_fd;
 ch = &m->ch[MUSE_CHANNEL_DATA];
--
2.7.4
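Review bot: The new `LOGI` in `_ms_ipc_module_cleanup` runs after `memset(m, 0, sizeof(muse_module_t))`, so `m->pid`, `m->handle` and `m->is_created` are always printed as zero and the line cannot say which module exited. If the values are meant for diagnosis, move the log above the memset or copy the fields into locals first. The `%zd` conversion expects a signed size type; the declaration of `handle` is not visible in this hunk, so confirm it matches or cast the argument. The function body starts outside the hunk.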
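Review bot: The guard added in `_ms_ipc_data_worker`, `muse_return_val_if_fail(m->pid > 0 && m->handle && m->is_created, NULL);`, reads the same memory that `_ms_ipc_module_cleanup` hands to `g_free(m)`. When the module has already been freed, this check and the `SECURE_LOGW` before it are themselves use-after-free reads. The zeroed fields are not a dependable "freed" marker, because the allocator may reuse or overwrite the block after `g_free`. Nothing visible in these hunks orders the worker's reads against the cleanup thread, so the race window is narrowed rather than closed. Consider tying the module's lifetime to both threads instead, for example a reference held by the data worker or joining the data thread before `g_free(m)`, and keep this check only as a diagnostic; the worker's body continues outside the hunk.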