You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Observe the ASAN output in tv-casting-app indicating a heap-use-after-free issue. tv-casting-app UAF.txt
Summary
A heap-use-after-free (UAF) issue occurs in the tv-casting-app when the delete-fabric command is executed. After removing a fabric, the system attempts to access a freed ReadClient object.
Analysis and Description
The issue arises from a lifecycle mismatch between fabric cleanup and the ReadClient object references. The sequence of events leading to the issue is as follows:
Fabric Removal (FabricTable.cpp):
The Delete() method of FabricTable is called, which iterates through its delegates and invokes OnFabricRemoved():
Despite being destroyed, the ReadClient remains in the mpActiveReadClientList. Subsequent iterations in OnFabricRemoved() access the dangling pointer. Specifically, the readClient->GetNextClient() call accesses the mpNext pointer of the destroyed ReadClient object, leading to a UAF:
ReadClient * GetNextClient() { return mpNext; }
This happens because GetNextClient() does not verify the validity of the mpNext pointer, which now points to a deallocated memory region.
Just looking at this issue, application would take care of the delete for readClient inside ReadClient::OnDone, in the destructor of readClient, we will take care of the object removal in mpActiveReadClientList via mpImEngine->RemoveReadClient(this); this issue should be fine?
maybe tv-casting-app does not delete readClient object in ReadClient::onDone?
ReadClient::~ReadClient()
{
...
if (mpImEngine)
{
mpImEngine->RemoveReadClient(this);
}
}
}
one improvement in readClient we can do is to reset mPeer in readClient::Close so that the below GetFabricIndex would get the wrong value.
if (readClient->GetFabricIndex() == fabricIndex)
{
readClient->Close(CHIP_ERROR_IM_FABRIC_DELETED, false);
}
Reproduction steps
Build the
tv-casting-app
with AddressSanitizer (ASAN) enabled.Open Terminal 1 and start the
tv-casting-app
:Open Terminal 2 and start the
tv-app
:In the
tv-casting-app
shell, send a cast request:tv-casting-app > cast request 0
In the
tv-app
shell, respond with:tv-app > controller ux ok
In the
tv-casting-app
, print the list of fabrics and delete a specific fabric:Observe the ASAN output in
tv-casting-app
indicating a heap-use-after-free issue.tv-casting-app UAF.txt
Summary
A heap-use-after-free (UAF) issue occurs in the
tv-casting-app
when thedelete-fabric
command is executed. After removing a fabric, the system attempts to access a freedReadClient
object.Analysis and Description
The issue arises from a lifecycle mismatch between fabric cleanup and the
ReadClient
object references. The sequence of events leading to the issue is as follows:Fabric Removal (FabricTable.cpp):
The
Delete()
method ofFabricTable
is called, which iterates through its delegates and invokesOnFabricRemoved()
:ReadClient Cleanup (InteractionModelEngine.cpp):
The
OnFabricRemoved()
method loops through activeReadClient
objects and callsClose()
:ReadClient Deallocation (ReadClient.cpp):
The
Close()
method triggers the callbackmpCallback.OnDone(this)
, marking theReadClient
for destruction:Use of Freed Memory:
Despite being destroyed, the
ReadClient
remains in thempActiveReadClientList
. Subsequent iterations inOnFabricRemoved()
access the dangling pointer. Specifically, thereadClient->GetNextClient()
call accesses thempNext
pointer of the destroyedReadClient
object, leading to a UAF:This happens because
GetNextClient()
does not verify the validity of thempNext
pointer, which now points to a deallocated memory region.Bug prevalence
always
GitHub hash of the SDK that was being used
04e6a68
Platform
core
Platform Version(s)
all versions
Anything else?
No response
The text was updated successfully, but these errors were encountered: