UAF in V4l2Dev in Android Automotive


UAF in V4l2Dev in Android Automotive

dmitry_sidorenkov

Using NXP Android Automotive 12.1, I found a UAF (use-after-free) in V4l2Dev
soc: imx8qm
linux 5.15.52
NXP's android automotive 12.1

#0 std::__1::__vector_base<unsigned int, std::__1::allocator<unsigned int> >::~__vector_base() in external/libcxx/include/vector:462:9
    -> std::__1::vector<unsigned int, std::__1::allocator<unsigned int> >::~vector() in external/libcxx/include/vector:556:5
    -> android::V4l2Dev::~V4l2Dev() in vendor/nxp/imx_android_mm/codec2/v4l2_dev/V4l2Dev.h:69:7
    -> android::IsiFilter::onRelease() in vendor/nxp/imx_android_mm/codec2/filter/isi/IsiFilter.cpp:163:9
    #1 android::IsiFilter::~IsiFilter() in vendor/nxp/imx_android_mm/codec2/filter/isi/IsiFilter.cpp:56:5
    #2 android::IsiFilter::~IsiFilter() in vendor/nxp/imx_android_mm/codec2/filter/isi/IsiFilter.cpp:54:24
    #3 std::__1::__function::__value_func<void (C2Component*)>::operator()(C2Component*&&) const in external/libcxx/include/functional:1799:16
    -> std::__1::function<void (C2Component*)>::operator()(C2Component*) const in external/libcxx/include/functional:2347:12
    -> android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0::operator()(C2Component*) in vendor/nxp/imx_android_mm/codec2/store/ImxC2Store.cpp:421:17
    -> decltype(std::__1::forward<android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0&>(fp)(std::__1::forward<C2Component*>(fp0))) std::__1::__invoke<android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0&, C2Component*>(android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0&, C2Component*&&) in external/libcxx/include/type_traits:4353:1
    -> void std::__1::__invoke_void_return_wrapper<void>::__call<android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0&, C2Component*>(android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0&, C2Component*&&) in external/libcxx/include/__functional_base:349:9
    -> std::__1::__function::__alloc_func<android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0, std::__1::allocator<android::ImxC2Store::ComponentBox::createComponent(unsigned int, std::__1::shared_ptr<C2Component>*, std::__1::function<void (C2Component*)>)::$_0>, void (C2Component*)>::operator()(C2Component*&&) in external/libcxx/include/functional:1527:16
    -> std::__1::__function::__func<android::ImxC2Store::ComponentBox::createInterface(unsigned int, std::__1::shared_ptr<C2ComponentInterface>*, std::__1::function<void (C2ComponentInterface*)>)::$_1, std::__1::allocator<android::ImxC2Store::ComponentBox::createInterface(unsigned int, std::__1::shared_ptr<C2ComponentInterface>*, std::__1::function<void (C2ComponentInterface*)>)::$_1>, void (C2ComponentInterface*)>::operator()(C2ComponentInterface*&&) in external/libcxx/include/functional:1651:12
    #4 std::__1::__function::__value_func<void (C2Component*)>::operator()(C2Component*&&) const in external/libcxx/include/functional:1799:16
    -> std::__1::function<void (C2Component*)>::operator()(C2Component*) const in external/libcxx/include/functional:2347:12
    -> std::__1::__shared_ptr_pointer<android::IsiFilter*, std::__1::function<void (C2Component*)>, std::__1::allocator<android::IsiFilter> >::__on_zero_shared() in external/libcxx/include/memory:3640:5
    #5 std::__1::__shared_count::__release_shared() in external/libcxx/include/memory:3544:9
    -> std::__1::__shared_weak_count::__release_shared() in external/libcxx/include/memory:3586:27
    -> std::__1::shared_ptr<C2Component>::~shared_ptr() in external/libcxx/include/memory:4522:19
    -> android::FilterWrapper::Component::~Component() in frameworks/av/media/codec2/hidl/plugin/internal/FilterWrapper.h:52:12
    #6 std::__1::allocator<android::FilterWrapper::Component>::destroy(android::FilterWrapper::Component*) in external/libcxx/include/memory:1881:64
    -> void std::__1::allocator_traits<std::__1::allocator<android::FilterWrapper::Component> >::__destroy<android::FilterWrapper::Component>(std::__1::integral_constant<bool, true>, std::__1::allocator<android::FilterWrapper::Component>&, android::FilterWrapper::Component*) in external/libcxx/include/memory:1743:18
    -> void std::__1::allocator_traits<std::__1::allocator<android::FilterWrapper::Component> >::destroy<android::FilterWrapper::Component>(std::__1::allocator<android::FilterWrapper::Component>&, android::FilterWrapper::Component*) in external/libcxx/include/memory:1596:14
    -> std::__1::__vector_base<android::FilterWrapper::Component, std::__1::allocator<android::FilterWrapper::Component> >::__destruct_at_end(android::FilterWrapper::Component*) in external/libcxx/include/vector:427:9
    -> std::__1::__vector_base<android::FilterWrapper::Component, std::__1::allocator<android::FilterWrapper::Component> >::clear() in external/libcxx/include/vector:370:29
    -> std::__1::__vector_base<android::FilterWrapper::Component, std::__1::allocator<android::FilterWrapper::Component> >::~__vector_base() in external/libcxx/include/vector:464:9
    -> std::__1::vector<android::FilterWrapper::Component, std::__1::allocator<android::FilterWrapper::Component> >::~vector() in external/libcxx/include/vector:556:5
    -> android::(anonymous namespace)::WrappedEncoderInterface::~WrappedEncoderInterface() in frameworks/av/media/codec2/hidl/plugin/FilterWrapper.cpp:817:49
    #7 std::__1::__shared_count::__release_shared() in external/libcxx/include/memory:3544:9
    -> std::__1::__shared_weak_count::__release_shared() in external/libcxx/include/memory:3586:27
    -> std::__1::shared_ptr<C2ComponentInterface>::~shared_ptr() in external/libcxx/include/memory:4522:19
    -> android::hardware::media::c2::V1_0::utils::(anonymous namespace)::CompIntf::~CompIntf() in frameworks/av/media/codec2/hidl/1.0/utils/ComponentInterface.cpp:47:8
    -> android::hardware::media::c2::V1_0::utils::(anonymous namespace)::CompIntf::~CompIntf() in frameworks/av/media/codec2/hidl/1.0/utils/ComponentInterface.cpp:47:8
    #8 std::__1::default_delete<android::hardware::media::c2::V1_0::utils::ConfigurableC2Intf>::operator()(android::hardware::media::c2::V1_0::utils::ConfigurableC2Intf*) const in external/libcxx/include/memory:2339:5
    -> std::__1::unique_ptr<android::hardware::media::c2::V1_0::utils::ConfigurableC2Intf, std::__1::default_delete<android::hardware::media::c2::V1_0::utils::ConfigurableC2Intf> >::reset(android::hardware::media::c2::V1_0::utils::ConfigurableC2Intf*) in external/libcxx/include/memory:2652:7
    -> std::__1::unique_ptr<android::hardware::media::c2::V1_0::utils::ConfigurableC2Intf, std::__1::default_delete<android::hardware::media::c2::V1_0::utils::ConfigurableC2Intf> >::~unique_ptr() in external/libcxx/include/memory:2606:19
    -> android::hardware::media::c2::V1_0::utils::CachedConfigurable::~CachedConfigurable() in frameworks/av/media/codec2/hidl/1.0/utils/include/codec2/hidl/1.0/Configurable.h:105:8
    -> android::hardware::media::c2::V1_0::utils::CachedConfigurable::~CachedConfigurable() in frameworks/av/media/codec2/hidl/1.0/utils/include/codec2/hidl/1.0/Configurable.h:105:8
    -> android::hardware::media::c2::V1_0::utils::CachedConfigurable::~CachedConfigurable() in frameworks/av/media/codec2/hidl/1.0/utils/include/codec2/hidl/1.0/Configurable.h:105:8
    -> virtual thunk to android::hardware::media::c2::V1_0::utils::CachedConfigurable::~CachedConfigurable() in frameworks/av/media/codec2/hidl/1.0/utils/include/codec2/hidl/1.0/Configurable.h:0:0
    #9 android::RefBase::decStrong(void const*) const in system/core/libutils/RefBase.cpp:475:13
    #10 android::sp<android::hidl::base::V1_0::IBase>::~sp() in system/core/libutils/include/utils/StrongPointer.h:305:16
    ->  android::hidl::base::V1_0::BnHwBase::~BnHwBase() in out/soong/.intermediates/system/libhidl/transport/base/1.0/android.hidl.base@1.0_genc++/gen/android/hidl/base/1.0/BaseAll.cpp:750:1
    #11 android::hardware::media::c2::V1_0::BnHwConfigurable::~BnHwConfigurable() in out/soong/.intermediates/hardware/interfaces/media/c2/1.0/android.hardware.media.c2@1.0_genc++/gen/android/hardware/media/c2/1.0/ConfigurableAll.cpp:839:1
    #12 android::hardware::media::c2::V1_0::BnHwConfigurable::~BnHwConfigurable() in out/soong/.intermediates/hardware/interfaces/media/c2/1.0/android.hardware.media.c2@1.0_genc++/gen/android/hardware/media/c2/1.0/ConfigurableAll.cpp:837:39
    ->  android::hardware::media::c2::V1_0::BnHwConfigurable::~BnHwConfigurable() in out/soong/.intermediates/hardware/interfaces/media/c2/1.0/android.hardware.media.c2@1.0_genc++/gen/android/hardware/media/c2/1.0/ConfigurableAll.cpp:837:39
    ->  virtual thunk to android::hardware::media::c2::V1_0::BnHwConfigurable::~BnHwConfigurable() in out/soong/.intermediates/hardware/interfaces/media/c2/1.0/android.hardware.media.c2@1.0_genc++/gen/android/hardware/media/c2/1.0/ConfigurableAll.cpp:0:0
    #13 android::RefBase::decStrong(void const*) const in system/core/libutils/RefBase.cpp:475:13
    #14 android::hardware::IPCThreadState::processPendingDerefs() in system/libhwbinder/IPCThreadState.cpp:510:22
    ->  android::hardware::IPCThreadState::joinThreadPool(bool) in system/libhwbinder/IPCThreadState.cpp:546:9
    #15 android::hardware::PoolThread::threadLoop() in system/libhwbinder/ProcessState.cpp:61:33
    #16 android::Thread::_threadLoop(void*) in system/core/libutils/Threads.cpp:759:32
    #17 thread_data_t::trampoline(thread_data_t const*) in system/core/libutils/Threads.cpp:99:16
    #18 __pthread_start(void*) in bionic/libc/bionic/pthread_create.cpp:364:18
    #19 __start_thread in bionic/libc/bionic/clone.cpp:53:16

 Fix:

 

diff --git a/codec2/filter/isi/IsiFilter.cpp b/codec2/filter/isi/IsiFilter.cpp
index 909afab..a99a933 100644
--- a/codec2/filter/isi/IsiFilter.cpp
+++ b/codec2/filter/isi/IsiFilter.cpp
@@ -47,7 +47,9 @@ static const uint32_t destination_format_table[]={
 
 IsiFilter::IsiFilter(c2_node_id_t id, C2String name, const std::shared_ptr<C2ReflectorHelper>& helper, const std::shared_ptr<IsiFilterInterface> &intfImpl)
     : IMXC2ComponentBase(std::make_shared<IMXInterface<IsiFilterInterface>>(name, id, intfImpl)),
-    mIntfImpl(intfImpl)
+    mIntfImpl(intfImpl),
+    mFd(-1),
+    mDev(nullptr)
 {
     (void)helper;
 }
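Review bot: Initialising `mDev` to `nullptr` and `mFd` to `-1` in the constructor only covers the path where the filter is destroyed before it was ever started; the trace above reaches `~V4l2Dev()` through `IsiFilter::onRelease()` called from `~IsiFilter()` (IsiFilter.cpp:163 and :56, both outside this hunk), so if `onRelease()` deletes `mDev` without resetting it, an explicit release followed by destruction would still free the same object twice. Confirm that the release path ends with `delete mDev; mDev = nullptr;` and guards the descriptor the same way (`if (mFd >= 0) { close(mFd); mFd = -1; }`), so that both entry points are idempotent. If `mDev` is a raw owning pointer, as the trace suggests, declaring it as `std::unique_ptr<V4l2Dev> mDev;` in IsiFilter.h would make the null initialisation here and the deleted copy operations added in the second hunk implicit, and `mDev.reset();` in `onRelease()` would be safe to call any number of times.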
diff --git a/codec2/filter/isi/IsiFilter.h b/codec2/filter/isi/IsiFilter.h
index 4f72357..ea2edcc 100644
--- a/codec2/filter/isi/IsiFilter.h
+++ b/codec2/filter/isi/IsiFilter.h
@@ -21,6 +21,8 @@ namespace android {
 class IsiFilter : public IMXC2ComponentBase{
 public:
     explicit IsiFilter(c2_node_id_t id, C2String name, const std::shared_ptr<C2ReflectorHelper>& helper, const std::shared_ptr<IsiFilterInterface> &intfImpl);
+    IsiFilter(const IsiFilter&) = delete;
+    IsiFilter& operator=(const IsiFilter&) = delete;
 
     virtual ~IsiFilter();