review.tizen.org Git - platform/core/appfw/widget-service.git/commit

Fix use after free

When the table existence check step is failed, the function closes the db.
And then, the _recover_db() function closes the db with the same handle.
In this time, the double free occurs. This patch fixes it.

+--------------------------------------------------------------------------+
| ERROR: AddressSanitizer: heap-use-after-free on address 0x47c033e8 at    |
|        pc 0x412dd2d5 bp 0x40812174 sp 0x40812164                         |
| READ of size 4 at 0x47c033e8 thread T0                                   |
| #0 0x412dd2d2 in sqlite3SafetyCheckSickOrOk /usr/src/debug/              |
|    sqlite-3.33.0-2.34.arm/sqlite3.c:32567                                |
| #1 0x412dd2d2 in sqlite3Close /usr/src/debug/sqlite-3.33.0-2.34.arm/     |
|    sqlite3.c:162204                                                      |
| #2 0x40db45ea in _recover_db /usr/src/debug/                             |
|    libwidget_service-1.2.63-1.arm/src/widget_service.c:319               |
| #3 0x40db4c06 in _check_db_integrity /usr/src/debug/                     |
|    libwidget_service-1.2.63-1.arm/src/widget_service.c:435               |
| #4 0x40dba2ec in widget_service_check_db_integrity /usr/src/debug/       |
|    libwidget_service-1.2.63-1.arm/src/widget_service.c:447               |
| #5 0x400009d8 in main /usr/src/debug/libwidget_service-1.2.63-1.arm/tool/|
|    widget_recovery.c:45                                                  |
| #6 0x40e24c88 in __libc_start_main /usr/src/debug/glibc-2.30-2.9.arm/csu/|
|    libc-start.c:308                                                      |
+--------------------------------------------------------------------------+
| 0x47c033e8 is located 104 bytes inside of 520-byte region                |
| [0x47c03380,0x47c03588)                                                  |
| freed by thread T0 here:                                                 |
| #0 0x408f4092 in __interceptor_free (/lib/libasan.so.6+0xa1092)          |
| #1 0x41192bbc in sqlite3StatusDown /usr/src/debug/sqlite-3.33.0-2.34.arm/|
|    sqlite3.c:21425                                                       |
| #2 0x41192bbc in sqlite3_free /usr/src/debug/sqlite-3.33.0-2.34.arm/     |
|    sqlite3.c:27703                                                       |
| #3 0x41192bbc in sqlite3_free /usr/src/debug/sqlite-3.33.0-2.34.arm/     |
|    sqlite3.c:27697                                                       |
| #4 0x412dd1ae in sqlite3Close /usr/src/debug/sqlite-3.33.0-2.34.arm/     |
|    sqlite3.c:162244                                                      |
| #5 0x40db4d04 in _check_table_exist /usr/src/debug/                      |
|    libwidget_service-1.2.63-1.arm/src/widget_service.c:397               |
| #6 0x40db4d04 in _check_db_integrity /usr/src/debug/                     |
|    libwidget_service-1.2.63-1.arm/src/widget_service.c:433               |
| #7 0x40dba2ec in widget_service_check_db_integrity /usr/src/debug/       |
|    libwidget_service-1.2.63-1.arm/src/widget_service.c:447               |
| #8 0x400009d8 in main /usr/src/debug/libwidget_service-1.2.63-1.arm/tool/|
|    widget_recovery.c:45                                                  |
| #9 0x40e24c88 in __libc_start_main /usr/src/debug/glibc-2.30-2.9.arm/csu/|
|    libc-start.c:308                                                      |
+--------------------------------------------------------------------------+

Change-Id: Ic0bfb7fd4738ac0caa4d7c88e860b0eb2362f535
Signed-off-by: SukhyungKang <shine.kang@samsung.com>

author	Hwankyu Jhun <h.jhun@samsung.com>
	Thu, 9 Dec 2021 10:42:08 +0000 (19:42 +0900)
committer	Hwankyu Jhun <h.jhun@samsung.com>
	Thu, 9 Dec 2021 10:56:27 +0000 (19:56 +0900)
commit	2c70e9ce286a23fe858fa998c52fb96d35559dd6
tree	94ca2b7df679af67471dd5506bf5c4f6918dfb28	tree \| snapshot
parent	bc2828efc2079f81608fa53130143772a457d03f	commit \| diff