From b2daa8327ce975fc0a60c072d0918e44c5de2e15 Mon Sep 17 00:00:00 2001 From: Thomas Guillem Date: Thu, 15 Sep 2022 11:55:51 +0200 Subject: [PATCH] medialibrary: fix heap-use-after-free m_deviceLister is listening to media source tree callbacks and need be cleaned (and callbacks removed) before m_devices, since callbacks read m_devices. ==1750167==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100002c640 at pc 0x7f8906109b0e bp 0x7f88ef176630 sp 0x7f88ef176628 READ of size 8 at 0x61100002c640 thread T22 #0 0x7f8906109b0d in std::__shared_ptr::get() const /usr/include/c++/12/bits/shared_ptr_base.h:1666 #1 0x7f8906109b0d in std::__shared_ptr_access::_M_get() const /usr/include/c++/12/bits/shared_ptr_base.h:1363 #2 0x7f8906109b0d in std::__shared_ptr_access::operator->() const /usr/include/c++/12/bits/shared_ptr_base.h:1357 #3 0x7f8906109b0d in operator() ../../modules/misc/medialibrary/fs/fs.cpp:195 #4 0x7f8906109cac in operator()<__gnu_cxx::__normal_iterator*, std::vector > > > /usr/include/c++/12/bits/predefined_ops.h:318 #5 0x7f8906109cac in __find_if<__gnu_cxx::__normal_iterator*, std::vector > >, __gnu_cxx::__ops::_Iter_pred&)> > > /usr/include/c++/12/bits/stl_algobase.h:2067 #6 0x7f8906109f54 in __find_if<__gnu_cxx::__normal_iterator*, std::vector > >, __gnu_cxx::__ops::_Iter_pred&)> > > /usr/include/c++/12/bits/stl_algobase.h:2112 #7 0x7f8906109f54 in find_if<__gnu_cxx::__normal_iterator*, std::vector > >, vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::&)> > /usr/include/c++/12/bits/stl_algo.h:3877 #8 0x7f890610b532 in vlc::medialibrary::SDFileSystemFactory::deviceByUuid(std::__cxx11::basic_string, std::allocator > const&) ../../modules/misc/medialibrary/fs/fs.cpp:193 #9 0x7f890610c16e in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string, std::allocator > const&, std::__cxx11::basic_string, std::allocator > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:146 #10 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131 #11 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105 #12 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303 #13 0x7f8908b00dc0 in services_discovery_item_added ../../src/media_source/media_source.c:81 #14 0x7f8907972be6 in services_discovery_AddItem ../../include/vlc_services_discovery.h:166 #15 0x7f8907972be6 in entry_item_append ../../modules/access/dsm/sd.c:73 #16 0x7f8907972daf in netbios_ns_discover_on_entry_added ../../modules/access/dsm/sd.c:117 #17 0x7f8907980930 in netbios_ns_discover_thread (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x5930) #18 0x7f89086a3d7f in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7d7f) #19 0x7f89085bdbae in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfabae) 0x61100002c640 is located 0 bytes inside of 256-byte region [0x61100002c640,0x61100002c740) freed by thread T0 here: #0 0x7f8908cba3c8 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164 #1 0x7f890610c7d8 in std::__new_allocator >::deallocate(std::shared_ptr*, unsigned long) /usr/include/c++/12/bits/new_allocator.h:158 #2 0x7f890610c7d8 in std::allocator_traits > >::deallocate(std::allocator >&, std::shared_ptr*, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:496 #3 0x7f890610c7d8 in std::_Vector_base, std::allocator > >::_M_deallocate(std::shared_ptr*, unsigned long) /usr/include/c++/12/bits/stl_vector.h:387 #4 0x7f890610c7d8 in std::_Vector_base, std::allocator > >::~_Vector_base() /usr/include/c++/12/bits/stl_vector.h:366 #5 0x7f890610cc47 in std::vector, std::allocator > >::~vector() /usr/include/c++/12/bits/stl_vector.h:733 #6 0x7f890610ccb4 in vlc::medialibrary::SDFileSystemFactory::~SDFileSystemFactory() ../../modules/misc/medialibrary/fs/fs.h:45 #7 0x7f89060dd7f0 (/home/tom/work/git/vlc/build-asan/modules/.libs/libmedialibrary_plugin.so+0xdd7f0) #8 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:346 #9 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:317 #10 0x7f8906192379 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/12/bits/shared_ptr_base.h:1071 #11 0x7f8906192379 in std::__shared_ptr::~__shared_ptr() /usr/include/c++/12/bits/shared_ptr_base.h:1524 #12 0x7f8906192379 in std::shared_ptr::~shared_ptr() /usr/include/c++/12/bits/shared_ptr.h:175 #13 0x7f8906192379 in void std::_Destroy >(std::shared_ptr*) /usr/include/c++/12/bits/stl_construct.h:151 #14 0x7f8906192379 in void std::_Destroy_aux::__destroy*>(std::shared_ptr*, std::shared_ptr*) /usr/include/c++/12/bits/stl_construct.h:163 #15 0x7f8906192379 in void std::_Destroy*>(std::shared_ptr*, std::shared_ptr*) /usr/include/c++/12/bits/stl_construct.h:196 #16 0x7f8906192379 in void std::_Destroy*, std::shared_ptr >(std::shared_ptr*, std::shared_ptr*, std::allocator >&) /usr/include/c++/12/bits/alloc_traits.h:850 #17 0x7f8906192379 in std::vector, std::allocator > >::~vector() /usr/include/c++/12/bits/stl_vector.h:730 #18 0x7f8906192379 in medialibrary::FsHolder::~FsHolder() ../src/filesystem/FsHolder.cpp:66 previously allocated by thread T22 here: #0 0x7f8908cb94c8 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95 #1 0x7f890610d4d8 in std::__new_allocator >::allocate(unsigned long, void const*) /usr/include/c++/12/bits/new_allocator.h:137 #2 0x7f890610d789 in std::allocator_traits > >::allocate(std::allocator >&, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:464 #3 0x7f890610d789 in std::_Vector_base, std::allocator > >::_M_allocate(unsigned long) /usr/include/c++/12/bits/stl_vector.h:378 #4 0x7f890610d789 in void std::vector, std::allocator > >::_M_realloc_insert const&>(__gnu_cxx::__normal_iterator*, std::vector, std::allocator > > >, std::shared_ptr const&) /usr/include/c++/12/bits/vector.tcc:453 #5 0x7f890610dc02 in std::vector, std::allocator > >::push_back(std::shared_ptr const&) /usr/include/c++/12/bits/stl_vector.h:1287 #6 0x7f890610c3b3 in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string, std::allocator > const&, std::__cxx11::basic_string, std::allocator > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:151 #7 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131 #8 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105 #9 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303 Thread T22 created by T0 here: #0 0x7f8908c49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207 #1 0x7f890798126c in netbios_ns_discover_start (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x626c) #2 0x7f8908b022b5 in generic_start ../../src/modules/modules.c:275 SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/12/bits/shared_ptr_base.h:1666 in std::__shared_ptr::get() const Shadow bytes around the buggy address: 0x0c227fffd870: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fffd880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fffd890: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa 0x0c227fffd8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fffd8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa =>0x0c227fffd8c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd 0x0c227fffd8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fffd8e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c227fffd8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fffd900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa 0x0c227fffd910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1750167==ABORTING --- modules/misc/medialibrary/fs/fs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/misc/medialibrary/fs/fs.h b/modules/misc/medialibrary/fs/fs.h index 361caf3143aa..9ec9f00c0ca1 100644 --- a/modules/misc/medialibrary/fs/fs.h +++ b/modules/misc/medialibrary/fs/fs.h @@ -103,13 +103,13 @@ class SDFileSystemFactory : public IFileSystemFactory, private IDeviceListerCb { private: vlc_object_t *const m_parent; const std::string m_scheme; - std::shared_ptr m_deviceLister; IFileSystemFactoryCb *m_callbacks; bool m_isNetwork; mutable vlc::threads::mutex m_mutex; mutable vlc::threads::condition_variable m_cond; std::vector> m_devices; + std::shared_ptr m_deviceLister; }; } /* namespace medialibrary */