Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix EC Delegate use-after-free in IM #20141

Merged
merged 1 commit into from
Jun 30, 2022
Merged

Fix EC Delegate use-after-free in IM #20141

merged 1 commit into from
Jun 30, 2022

Conversation

mrjerryjohns
Copy link
Contributor

@mrjerryjohns mrjerryjohns commented Jun 29, 2022
edited
Loading

Problem

Our test team accidentally encountered a crash with a slightly older version of chip-tool when using it with a newer all-clusters-app. Crash occurred because chip-tool failed parsing the SubscribeResponse message due to a missing MinInterval field that since been deleted in the newer all-clusters-app.

Cause

If an error was encountered parsing the SubscribeResponse message, ReadClient::OnMessageReceived would just null-out the EC pointer but not the delegate pointer within the EC. This meant that when we got back to the exchange management layer after unwinding the stack, it attempted to call OnExchangeClosing on the delegate that had by then, been free'ed as part of cleaning up the ReadClient object.

Fix

If we encountered an error, let SuccessOrExit() naturally take us to executing Close which will automatically clean-up the delegate + EC pointers.

If it was successful, manually clear it up.

Testing

Reproduced the crash by injecting the failure manually, then validated the fix worked.

@mrjerryjohns
Fix EC Delegate use-after-free in IM
14be1c9 
If an error was encountered parsing the SubscribeResponse message,
ReadClient::OnMessageReceived would just null-out the EC pointer but not
the delegate pointer within the EC. This meant that when we got back to
the exchange management layer after unwinding the stack, it attempted to
call OnExchangeClosing on the delegate that had by then, been free'ed as
part of cleaning up the ReadClient object.
@boring-cyborg boring-cyborg bot added the app label Jun 29, 2022
bzbarsky-apple
bzbarsky-apple approved these changes Jun 29, 2022
View reviewed changes
src/app/ReadClient.cpp Show resolved Hide resolved
@github-actions
Copy link

github-actions bot commented Jun 29, 2022
edited
Loading

PR #20141: Size comparison from 9d2eeb0 to 14be1c9

Increases (8 builds for cc13x2_26x2, esp32, linux, nrfconnect)
platform target config section 9d2eeb0 14be1c9b change % change
cc13x2_26x2 pump-controller-app LP_CC2652R7 (read/write) 179288 179296 8 0.0
shell LP_CC2652R7 (read/write) 189112 189120 8 0.0
esp32 all-clusters-app c3devkit (read only) 1018484 1018486 2 0.0
.flash.text 1018484 1018486 2 0.0
linux chip-tool debug (read only) 10161405 10161437 32 0.0
.text 8252261 8252293 32 0.0
chip-tool-no-interactive-ipv6only arm64 (read only) 9893316 9893332 16 0.0
.text 7890196 7890212 16 0.0
tv-app debug (read only) 3097481 3097513 32 0.0
.text 2660818 2660850 32 0.0
tv-casting-app debug (read only) 5555385 5555417 32 0.0
.text 4935394 4935426 32 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 text 809772 809776 4 0.0
Decreases (4 builds for cc13x2_26x2, telink)
platform target config section 9d2eeb0 14be1c9b change % change
cc13x2_26x2 pump-controller-app LP_CC2652R7 (read only) 663047 663039 -8 -0.0
.text 578296 578288 -8 -0.0
shell LP_CC2652R7 (read only) 657614 657606 -8 -0.0
.text 572460 572452 -8 -0.0
telink light-switch-app tlsr9518adk80d (read/write) 796300 796292 -8 -0.0
text 564818 564814 -4 -0.0
lighting-app tlsr9518adk80d (read/write) 816160 816152 -8 -0.0
text 581170 581168 -2 -0.0
Full report (41 builds for cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, telink)
platform target config section 9d2eeb0 14be1c9b change % change
cc13x2_26x2 all-clusters-app LP_CC2652R7 (read only) 665171 665171 0 0.0
(read/write) 186052 186052 0 0.0
.bss 74116 74116 0 0.0
.data 3356 3356 0 0.0
.rodata 88091 88091 0 0.0
.text 576764 576764 0 0.0
all-clusters-minimal-app LP_CC2652R7 (read only) 653947 653947 0 0.0
(read/write) 196572 196572 0 0.0
.bss 73412 73412 0 0.0
.data 3356 3356 0 0.0
.rodata 91571 91571 0 0.0
.text 562060 562060 0 0.0
lock-ftd LP_CC2652R7 (read only) 667743 667743 0 0.0
(read/write) 173624 173624 0 0.0
.bss 71148 71148 0 0.0
.data 3280 3280 0 0.0
.rodata 76191 76191 0 0.0
.text 591072 591072 0 0.0
lock-mtd LP_CC2652R7 (read only) 617159 617159 0 0.0
(read/write) 144264 144264 0 0.0
.bss 66868 66868 0 0.0
.data 3280 3280 0 0.0
.rodata 76071 76071 0 0.0
.text 540600 540600 0 0.0
pump-app LP_CC2652R7 (read only) 677207 677207 0 0.0
(read/write) 165008 165008 0 0.0
.bss 71228 71228 0 0.0
.data 3280 3280 0 0.0
.rodata 88423 88423 0 0.0
.text 588300 588300 0 0.0
pump-controller-app LP_CC2652R7 (read only) 663047 663039 -8 -0.0
(read/write) 179288 179296 8 0.0
.bss 71348 71348 0 0.0
.data 3276 3276 0 0.0
.rodata 84271 84271 0 0.0
.text 578296 578288 -8 -0.0
shell LP_CC2652R7 (read only) 657614 657606 -8 -0.0
(read/write) 189112 189120 8 0.0
.bss 76420 76420 0 0.0
.data 3360 3360 0 0.0
.rodata 84838 84838 0 0.0
.text 572460 572452 -8 -0.0
cyw30739 light cyw930739m2evb_01 (read/write) 578654 578654 0 0.0
.app_xip_area 457432 457432 0 0.0
.bss 64184 64184 0 0.0
.data 716 716 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
lock cyw930739m2evb_01 (read/write) 580222 580222 0 0.0
.app_xip_area 458808 458808 0 0.0
.bss 64376 64376 0 0.0
.data 720 720 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
ota-requestor-no-progress-logging cyw930739m2evb_01 (read/write) 581734 581734 0 0.0
.app_xip_area 461360 461360 0 0.0
.bss 63392 63392 0 0.0
.data 660 660 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
efr32 lighting-app BRD4161A (read/write) 1080060 1080060 0 0.0
.bss 132996 132996 0 0.0
.data 2048 2048 0 0.0
.text 944996 944996 0 0.0
BRD4161A+rpc (read/write) 1134356 1134356 0 0.0
.bss 149676 149676 0 0.0
.data 2260 2260 0 0.0
.text 982400 982400 0 0.0
BRD4161A+rs911x (read/write) 942524 942524 0 0.0
.bss 138712 138712 0 0.0
.data 2048 2048 0 0.0
.text 801744 801744 0 0.0
lock-app BRD4161A+wf200 (read/write) 1119568 1119568 0 0.0
.bss 139144 139144 0 0.0
.data 2060 2060 0 0.0
.text 978344 978344 0 0.0
window-app BRD4161A (read/write) 1065324 1065324 0 0.0
.bss 133076 133076 0 0.0
.data 2076 2076 0 0.0
.text 930148 930148 0 0.0
esp32 all-clusters-app c3devkit (read only) 1018484 1018486 2 0.0
(read/write) 1484882 1484882 0 0.0
.dram0.bss 70080 70080 0 0.0
.dram0.data 14592 14592 0 0.0
.flash.rodata 214784 214784 0 0.0
.flash.text 1018484 1018486 2 0.0
.iram0.text 62902 62902 0 0.0
m5stack (read only) 1072575 1072575 0 0.0
(read/write) 486984 486984 0 0.0
.dram0.bss 75600 75600 0 0.0
.dram0.data 34144 34144 0 0.0
.flash.rodata 245244 245244 0 0.0
.flash.text 1067191 1067191 0 0.0
.iram0.text 123267 123267 0 0.0
k32w light k32w061+release (read/write) 658040 658040 0 0.0
.bss 69516 69516 0 0.0
.data 1992 1992 0 0.0
.text 580732 580732 0 0.0
lock k32w061+release (read/write) 684508 684508 0 0.0
.bss 69980 69980 0 0.0
.data 2004 2004 0 0.0
.text 606724 606724 0 0.0
linux all-clusters-app debug (read only) 2954225 2954225 0 0.0
(read/write) 154744 154744 0 0.0
.bss 61536 61536 0 0.0
.data 2048 2048 0 0.0
.data.rel.ro 84952 84952 0 0.0
.dynamic 608 608 0 0.0
.got 4536 4536 0 0.0
.init 27 27 0 0.0
.init_array 1040 1040 0 0.0
.rodata 263133 263133 0 0.0
.text 2513954 2513954 0 0.0
all-clusters-minimal-app debug (read only) 2808321 2808321 0 0.0
(read/write) 146648 146648 0 0.0
.bss 60864 60864 0 0.0
.data 2048 2048 0 0.0
.data.rel.ro 77592 77592 0 0.0
.dynamic 608 608 0 0.0
.got 4488 4488 0 0.0
.init 27 27 0 0.0
.init_array 1040 1040 0 0.0
.rodata 264797 264797 0 0.0
.text 2368562 2368562 0 0.0
bridge-app debug+rpc (read only) 2311737 2311737 0 0.0
(read/write) 125472 125472 0 0.0
.bss 48928 48928 0 0.0
.data 3824 3824 0 0.0
.data.rel.ro 66968 66968 0 0.0
.dynamic 608 608 0 0.0
.got 4392 4392 0 0.0
.init 27 27 0 0.0
.init_array 728 728 0 0.0
.rodata 197696 197696 0 0.0
.text 1952354 1952354 0 0.0
chip-tool debug (read only) 10161405 10161437 32 0.0
(read/write) 607016 607016 0 0.0
.bss 24384 24384 0 0.0
.data 1088 1088 0 0.0
.data.rel.ro 575248 575248 0 0.0
.dynamic 624 624 0 0.0
.got 5016 5016 0 0.0
.init 27 27 0 0.0
.init_array 640 640 0 0.0
.rodata 509317 509317 0 0.0
.text 8252261 8252293 32 0.0
chip-tool-no-interactive-ipv6only arm64 (read only) 9893316 9893332 16 0.0
(read/write) 671793 671793 0 0.0
.bss 42609 42609 0 0.0
.data 1152 1152 0 0.0
.data.rel.ro 610816 610816 0 0.0
.dynamic 528 528 0 0.0
.got 13408 13408 0 0.0
.init 24 24 0 0.0
.init_array 192 192 0 0.0
.rodata 472548 472548 0 0.0
.text 7890196 7890212 16 0.0
lighting-app debug+rpc (read only) 2547641 2547641 0 0.0
(read/write) 129496 129496 0 0.0
.bss 49440 49440 0 0.0
.data 2096 2096 0 0.0
.data.rel.ro 72104 72104 0 0.0
.dynamic 608 608 0 0.0
.got 4392 4392 0 0.0
.init 27 27 0 0.0
.init_array 816 816 0 0.0
.rodata 213576 213576 0 0.0
.text 2164146 2164146 0 0.0
lock-app debug (read only) 2509489 2509489 0 0.0
(read/write) 124472 124472 0 0.0
.bss 47840 47840 0 0.0
.data 1712 1712 0 0.0
.data.rel.ro 69080 69080 0 0.0
.dynamic 608 608 0 0.0
.got 4424 4424 0 0.0
.init 27 27 0 0.0
.init_array 784 784 0 0.0
.rodata 228200 228200 0 0.0
.text 2116194 2116194 0 0.0
ota-provider-app debug (read only) 2318625 2318625 0 0.0
(read/write) 118312 118312 0 0.0
.bss 47488 47488 0 0.0
.data 1944 1944 0 0.0
.data.rel.ro 63080 63080 0 0.0
.dynamic 608 608 0 0.0
.got 4488 4488 0 0.0
.init 27 27 0 0.0
.init_array 672 672 0 0.0
.rodata 203288 203288 0 0.0
.text 1952610 1952610 0 0.0
ota-requestor-app debug (read only) 2435809 2435809 0 0.0
(read/write) 125216 125216 0 0.0
.bss 49856 49856 0 0.0
.data 2232 2232 0 0.0
.data.rel.ro 67272 67272 0 0.0
.dynamic 608 608 0 0.0
.got 4480 4480 0 0.0
.init 27 27 0 0.0
.init_array 728 728 0 0.0
.rodata 207328 207328 0 0.0
.text 2057378 2057378 0 0.0
shell debug (read only) 2543857 2543857 0 0.0
(read/write) 141032 141032 0 0.0
.bss 57448 57448 0 0.0
.data 1264 1264 0 0.0
.data.rel.ro 76672 76672 0 0.0
.dynamic 608 608 0 0.0
.got 4096 4096 0 0.0
.init 27 27 0 0.0
.init_array 920 920 0 0.0
.rodata 227218 227218 0 0.0
.text 2160322 2160322 0 0.0
thermostat-no-ble arm64 (read only) 2591604 2591604 0 0.0
(read/write) 158273 158273 0 0.0
.bss 65249 65249 0 0.0
.data 1704 1704 0 0.0
.data.rel.ro 83232 83232 0 0.0
.dynamic 528 528 0 0.0
.got 5072 5072 0 0.0
.init 24 24 0 0.0
.init_array 400 400 0 0.0
.rodata 165236 165236 0 0.0
.text 2186624 2186624 0 0.0
tv-app debug (read only) 3097481 3097513 32 0.0
(read/write) 255880 255880 0 0.0
.bss 165224 165224 0 0.0
.data 4848 4848 0 0.0
.data.rel.ro 79360 79360 0 0.0
.dynamic 608 608 0 0.0
.got 4848 4848 0 0.0
.init 27 27 0 0.0
.init_array 952 952 0 0.0
.rodata 248832 248832 0 0.0
.text 2660818 2660850 32 0.0
tv-casting-app debug (read only) 5555385 5555417 32 0.0
(read/write) 161680 161680 0 0.0
.bss 50248 50248 0 0.0
.data 2416 2416 0 0.0
.data.rel.ro 102792 102792 0 0.0
.dynamic 608 608 0 0.0
.got 4720 4720 0 0.0
.init 27 27 0 0.0
.init_array 864 864 0 0.0
.rodata 343113 343113 0 0.0
.text 4935394 4935426 32 0.0
mbed lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2447080 2447080 0 0.0
.bss 213940 213940 0 0.0
.data 5872 5872 0 0.0
.text 1409724 1409724 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 (read/write) 1172915 1172915 0 0.0
bss 142884 142884 0 0.0
rodata 141348 141348 0 0.0
text 809772 809776 4 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 (read/write) 1153783 1153783 0 0.0
bss 142120 142120 0 0.0
rodata 133280 133280 0 0.0
text 799484 799484 0 0.0
p6 all-clusters-app default (read/write) 2562640 2562640 0 0.0
.bss 149120 149120 0 0.0
.data 2776 2776 0 0.0
.text 1520904 1520904 0 0.0
all-clusters-minimal-app default (read/write) 2508504 2508504 0 0.0
.bss 148400 148400 0 0.0
.data 2776 2776 0 0.0
.text 1466768 1466768 0 0.0
light-app default (read/write) 2439016 2439016 0 0.0
.bss 140456 140456 0 0.0
.data 2592 2592 0 0.0
.text 1397280 1397280 0 0.0
lock-app default (read/write) 2465312 2465312 0 0.0
.bss 140304 140304 0 0.0
.data 2600 2600 0 0.0
.text 1423576 1423576 0 0.0
telink light-switch-app tlsr9518adk80d (read/write) 796300 796292 -8 -0.0
bss 70560 70560 0 0.0
noinit 40416 40416 0 0.0
text 564818 564814 -4 -0.0
lighting-app tlsr9518adk80d (read/write) 816160 816152 -8 -0.0
bss 71404 71404 0 0.0
noinit 40416 40416 0 0.0
text 581170 581168 -2 -0.0

@tcarmelveilleux tcarmelveilleux merged commit cd03d33 into project-chip:master Jun 30, 2022
woody-apple pushed a commit to woody-apple/connectedhomeip that referenced this pull request Jun 30, 2022
@mrjerryjohns @woody-apple
Fix EC Delegate use-after-free in IM (project-chip#20141)
c3bd7d9 
If an error was encountered parsing the SubscribeResponse message,
ReadClient::OnMessageReceived would just null-out the EC pointer but not
the delegate pointer within the EC. This meant that when we got back to
the exchange management layer after unwinding the stack, it attempted to
call OnExchangeClosing on the delegate that had by then, been free'ed as
part of cleaning up the ReadClient object.
@mrjerryjohns mrjerryjohns mentioned this pull request Jul 1, 2022
Merged
@woody-apple woody-apple mentioned this pull request Jul 21, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anush-apple anush-apple Awaiting requested review from anush-apple

@arkq arkq Awaiting requested review from arkq

@Byungjoo-Lee Byungjoo-Lee Awaiting requested review from Byungjoo-Lee

@carol-apple carol-apple Awaiting requested review from carol-apple

@chrisdecenzo chrisdecenzo Awaiting requested review from chrisdecenzo

@chshu chshu Awaiting requested review from chshu

@chulspro chulspro Awaiting requested review from chulspro

@Damian-Nordic Damian-Nordic Awaiting requested review from Damian-Nordic

@dhrishi dhrishi Awaiting requested review from dhrishi

@electrocucaracha electrocucaracha Awaiting requested review from electrocucaracha

@erjiaqing erjiaqing Awaiting requested review from erjiaqing

@franck-apple franck-apple Awaiting requested review from franck-apple

@gjc13 gjc13 Awaiting requested review from gjc13

@harsha-rajendran harsha-rajendran Awaiting requested review from harsha-rajendran

@hawk248 hawk248 Awaiting requested review from hawk248

@isiu-apple isiu-apple Awaiting requested review from isiu-apple

@jelderton jelderton Awaiting requested review from jelderton

@jepenven-silabs jepenven-silabs Awaiting requested review from jepenven-silabs

@jmartinez-silabs jmartinez-silabs Awaiting requested review from jmartinez-silabs

@jtung-apple jtung-apple Awaiting requested review from jtung-apple

@kghost kghost Awaiting requested review from kghost

@bzbarsky-apple bzbarsky-apple Awaiting requested review from bzbarsky-apple

@kpschoedel kpschoedel Awaiting requested review from kpschoedel

@lazarkov lazarkov Awaiting requested review from lazarkov

@LuDuda LuDuda Awaiting requested review from LuDuda

@msandstedt msandstedt Awaiting requested review from msandstedt

@mspang mspang Awaiting requested review from mspang

@rgoliver rgoliver Awaiting requested review from rgoliver

@robszewczyk robszewczyk Awaiting requested review from robszewczyk

@saurabhst saurabhst Awaiting requested review from saurabhst

@selissia selissia Awaiting requested review from selissia

@tecimovic tecimovic Awaiting requested review from tecimovic

@tehampson tehampson Awaiting requested review from tehampson

@vijs vijs Awaiting requested review from vijs

@vivien-apple vivien-apple Awaiting requested review from vivien-apple

@wbschiller wbschiller Awaiting requested review from wbschiller

@woody-apple woody-apple Awaiting requested review from woody-apple

@xylophone21 xylophone21 Awaiting requested review from xylophone21

@yufengwangca yufengwangca Awaiting requested review from yufengwangca

@yunhanw-google yunhanw-google Awaiting requested review from yunhanw-google

@tcarmelveilleux tcarmelveilleux Awaiting requested review from tcarmelveilleux

Assignees
No one assigned
Labels
app review - approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mrjerryjohns @tcarmelveilleux @bzbarsky-apple