Issue 79: Detect use-after-free in sa_invoke. Synchronize processorHandleList traversal in SecProcessor_Release#82
Merged
riwoh merged 2 commits intordkcentral:mainfrom Apr 14, 2026
Conversation
Validate that processorHandle is still in the global processorHandleList before accessing its fields. This prevents undefined behavior when sa_invoke is called with a dangling pointer to a freed handle. Signed-off-by: jhewit200 <joseph_hewitt@cable.comcast.com>
…elease SecProcessor_Release traversed processorHandleList without holding the global mutex, then only locked it for the unlink. This created a data race with concurrent sa_invoke, SecProcessor_GetInstance_Directories, or other SecProcessor_Release calls that also access the list. Move the mutex lock to cover both the search and unlink operations, matching the synchronization in sa_invoke.
There was a problem hiding this comment.
Pull request overview
This PR addresses Issue 79 by adding runtime detection for use-after-free processor handles in sa_invoke, synchronizing access to the global processor handle list during SecProcessor_Release, and adding a regression unit test to exercise the use-after-free scenario.
Changes:
- Add a new unit test
testProcessorUseAfterFreeand register it in the processor test suite. - Register newly created
Sec_ProcessorHandleinstances in the global handle list earlier duringSecProcessor_GetInstance_Directoriesinitialization. - Synchronize
processorHandleListtraversal inSecProcessor_Releaseand add list-membership validation tosa_invokebefore locking the processor handle mutex.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| test/main/cpp/sec_api_utest_main.cpp | Registers the new processor use-after-free regression test in the test runner. |
| test/main/cpp/processor.h | Exposes the new testProcessorUseAfterFree test declaration. |
| test/main/cpp/processor.cpp | Implements the new regression test that calls an API with a freed processor handle. |
| src/sec_adapter_processor.c | Adds handle-list synchronization, earlier handle registration, and use-after-free detection in sa_invoke. |
Comments suppressed due to low confidence (1)
src/sec_adapter_processor.c:385
SecProcessor_ReleaseunlinksprocessorHandlefromprocessorHandleListbefore releasing SVP/opaque buffers.release_svp_buffercallssa_invoke(..., SA_SVP_BUFFER_RELEASE, ...), andsa_invokenow rejects any handle not present in the global list, so SVP buffer releases will never reachsa_svp_buffer_releaseduring processor teardown (risking leaks / incomplete cleanup). Consider keeping the handle inprocessorHandleListuntil after all cleanup that usessa_invokeis complete (opaque buffers, etc.), or provide a teardown-safe path for SVP buffer release that bypasses the list-membership check.
pthread_mutex_lock(&mutex);
Sec_ProcessorHandle* tempHandle = processorHandleList;
Sec_ProcessorHandle* parentHandle = NULL;
while (tempHandle != NULL && tempHandle != processorHandle) {
parentHandle = tempHandle;
tempHandle = tempHandle->nextHandle;
}
if (tempHandle != processorHandle) {
pthread_mutex_unlock(&mutex);
SEC_LOG_ERROR("Attempting to free a handle that has already been freed");
return SEC_RESULT_INVALID_HANDLE;
}
if (parentHandle == NULL)
processorHandleList = tempHandle->nextHandle;
else
parentHandle->nextHandle = tempHandle->nextHandle;
pthread_mutex_unlock(&mutex);
while (processorHandle->opaque_buffer_handle != NULL)
release_svp_buffer(processorHandle, processorHandle->opaque_buffer_handle->opaqueBufferHandle);
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
mhabrat
approved these changes
Apr 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue 79: Detect use-after-free in sa_invoke. Synchronize processorHandleList traversal in SecProcessor_Release