heap-use-after-free in PulseLayer::getCaptureDeviceList
Affects: latest ring daemon master
PulseLayer::getCaptureDeviceList appears to be affected by a race condition that results in a heap-use-after-free (media/audio/pulseaudio/pulselayer.cpp:242). In the ASan report below, the faulting read happens on thread T0 (the D-Bus dispatch thread serving getAudioInputDeviceList) while it copies device names out of a std::vector<PaDeviceInfos>; the backing buffer of that vector had already been freed by thread T34 (PulseAudio's threaded mainloop, "threaded-ml") when vector::emplace_back reallocated it during a source-list update. This indicates the vector is appended to on one thread and read on another without the two accesses being serialized.
Logs with ASan crash report:
fe38c3ef98edd87ace33efb3183230194f8fba88
[1536090351.878| 6964|ringaccount.cpp :2591 ] Can't set certificate status for existing contacts 3c2a2fae84be1713e6d68d39360faa7441220c00
[1536090351.882| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.903| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.912| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.922| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.931| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.942| 6964|namedirectory.cpp :66 ] Can't parse URI:
[1536090351.942| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.945| 6964|namedirectory.cpp :66 ] Can't parse URI:
[1536090351.950| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.961| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.968| 6964|manager.cpp :2414 ] Audio manager chosen already in use. No changes made.
[1536090351.968| 6964|configurationmanager.cpp:621 ] Get audio plugin default
[1536090351.970| 6964|pulselayer.cpp :153 ] Waiting....
[1536090351.970| 7013|pulselayer.cpp :153 ] Waiting....
[1536090351.970| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.970| 7013|pulselayer.cpp :153 ] Waiting....
[1536090351.971| 7013|pulselayer.cpp :157 ] Connection to PulseAudio server established
[1536090351.971| 7013|pulselayer.cpp :186 ] Updating PulseAudio sink list
[1536090351.971| 7013|pulselayer.cpp :202 ] Updating PulseAudio source list
[1536090351.971| 7013|pulselayer.cpp :218 ] Updating PulseAudio server infos
[1536090351.971| 6964|manager.cpp :2164 ] No audio layer created, possibly built without audio support
[1536090351.972| 7013|pulselayer.cpp :635 ] PulseAudio server info:
Server name: pulseaudio
Server version: 8.0
Default Sink alsa_output.pci-0000_00_1b.0.analog-stereo
Default Source alsa_input.usb-046d_HD_Pro_Webcam_C920_8A8B667F-02.analog-stereo
Default Sample Specification: s16le 2ch 44100Hz
Default Channel Map: front-left,front-right
[1536090352.012| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.020| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.029| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.039| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.048| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.057| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.067| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.076| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.086| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.094| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.102| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.114| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
=================================================================
==6964==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800001f188 at pc 0x0000008cd866 bp 0x7fff07e3e190 sp 0x7fff07e3e180
READ of size 8 at 0x61800001f188 thread T0
#0 0x8cd865 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long) /usr/include/c++/5/bits/basic_string.h:131
#1 0x8cd865 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_set_length(unsigned long) /usr/include/c++/5/bits/basic_string.h:164
#2 0x8cd865 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/include/c++/5/bits/basic_string.tcc:236
#3 0x8cd865 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*>(char*, char*, std::__false_type) /usr/include/c++/5/bits/basic_string.h:195
#4 0x8cd865 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*) /usr/include/c++/5/bits/basic_string.h:214
#5 0x8cd865 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/basic_string.h:400
#6 0x8cd865 in void __gnu_cxx::new_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::construct<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/ext/new_allocator.h:120
#7 0x8cd865 in void std::allocator_traits<std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::construct<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/alloc_traits.h:530
#8 0x8cd865 in void std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::emplace_back<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/vector.tcc:96
#9 0x8cd865 in ring::PulseLayer::getCaptureDeviceList[abi:cxx11]() const /home/hlefeuvre/Development/ring-daemon/src/media/audio/pulseaudio/pulselayer.cpp:242
#10 0x6fd2ea in ring::Manager::getAudioInputDeviceList[abi:cxx11]() /home/hlefeuvre/Development/ring-daemon/src/manager.cpp:2223
#11 0x50acb7 in DRing::getAudioInputDeviceList[abi:cxx11]() /home/hlefeuvre/Development/ring-daemon/src/client/configurationmanager.cpp:578
#12 0x4bf03f in DBusConfigurationManager::getAudioInputDeviceList[abi:cxx11]() /home/hlefeuvre/Development/ring-daemon/bin/dbus/dbusconfigurationmanager.cpp:265
#13 0x4bf03f in cx::ring::Ring::ConfigurationManager_adaptor::_getAudioInputDeviceList_stub(DBus::CallMessage const&) /home/hlefeuvre/Development/ring-daemon/bin/dbus/dbusconfigurationmanager.adaptor.h:1993
#14 0x4b0cb4 in DBus::Callback<cx::ring::Ring::ConfigurationManager_adaptor, DBus::Message, DBus::CallMessage const&>::call(DBus::CallMessage const&) const /home/hlefeuvre/Development/ring-daemon/contrib/x86_64-linux-gnu/include/dbus-c++-1/dbus-c++/util.h:283
#15 0x4e39ee in DBus::Slot<DBus::Message, DBus::CallMessage const&>::call(DBus::CallMessage const&) const (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e39ee)
#16 0x4e280f in DBus::InterfaceAdaptor::dispatch_method(DBus::CallMessage const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e280f)
#17 0x4ecf1a in DBus::ObjectAdaptor::handle_message(DBus::Message const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4ecf1a)
#18 0x4ec491 in DBus::ObjectAdaptor::Private::message_function_stub(DBusConnection*, DBusMessage*, void*) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4ec491)
#19 0x7fb37e9cc812 (/lib/x86_64-linux-gnu/libdbus-1.so.3+0x21812)
#20 0x7fb37e9bdd93 in dbus_connection_dispatch (/lib/x86_64-linux-gnu/libdbus-1.so.3+0x12d93)
#21 0x4d97b1 in DBus::Connection::Private::do_dispatch() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4d97b1)
#22 0x4dd080 in DBus::Dispatcher::dispatch_pending(std::__cxx11::list<DBus::Connection::Private*, std::allocator<DBus::Connection::Private*> >&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4dd080)
#23 0x4dce7e in DBus::Dispatcher::dispatch_pending() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4dce7e)
#24 0x4e0c0d in DBus::BusDispatcher::do_iteration() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e0c0d)
#25 0x4e08bb in DBus::BusDispatcher::enter() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e08bb)
#26 0x4590a2 in DBusClient::event_loop() /home/hlefeuvre/Development/ring-daemon/bin/dbus/dbusclient.cpp:250
#27 0x45131f in main /home/hlefeuvre/Development/ring-daemon/bin/main.cpp:236
#28 0x7fb37a84482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#29 0x457f18 in _start (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x457f18)
0x61800001f188 is located 264 bytes inside of 896-byte region [0x61800001f080,0x61800001f400)
freed by thread T34 (threaded-ml) here:
#0 0x7fb37ec90b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x8d5953 in __gnu_cxx::new_allocator<ring::PaDeviceInfos>::deallocate(ring::PaDeviceInfos*, unsigned long) /usr/include/c++/5/ext/new_allocator.h:110
#2 0x8d5953 in std::allocator_traits<std::allocator<ring::PaDeviceInfos> >::deallocate(std::allocator<ring::PaDeviceInfos>&, ring::PaDeviceInfos*, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:517
#3 0x8d5953 in std::_Vector_base<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_deallocate(ring::PaDeviceInfos*, unsigned long) /usr/include/c++/5/bits/stl_vector.h:178
#4 0x8d5953 in void std::vector<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_emplace_back_aux<ring::PaDeviceInfos>(ring::PaDeviceInfos&&) /usr/include/c++/5/bits/vector.tcc:438
previously allocated by thread T34 (threaded-ml) here:
#0 0x7fb37ec90532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x8d4e1b in __gnu_cxx::new_allocator<ring::PaDeviceInfos>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
#2 0x8d4e1b in std::allocator_traits<std::allocator<ring::PaDeviceInfos> >::allocate(std::allocator<ring::PaDeviceInfos>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
#3 0x8d4e1b in std::_Vector_base<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
#4 0x8d4e1b in void std::vector<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_emplace_back_aux<ring::PaDeviceInfos>(ring::PaDeviceInfos&&) /usr/include/c++/5/bits/vector.tcc:412
#5 0x15aed8f (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x15aed8f)
Thread T34 (threaded-ml) created by T0 here:
#0 0x7fb37ec2d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fb37a1e984c in pa_thread_new (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so+0x4f84c)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/5/bits/basic_string.h:131 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long)
Shadow bytes around the buggy address:
0x0c307fffbde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbe10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c307fffbe30: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==6964==ABORTING
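The pattern the trace shows, reduced to a stand-alone C++ illustration (added here; this is not ring-daemon code and not the project's fix). `PaDeviceInfos`, `SafePulseLayer`, `onSourceInfo` and the device names are hypothetical stand-ins: one thread plays PulseAudio's threaded mainloop (T34) and appends to a `std::vector<PaDeviceInfos>` with `emplace_back`, the other plays the D-Bus thread (T0) and copies names out of the same vector. The first function shows why the reader faults at all: once `emplace_back` grows `capacity()`, the old buffer is freed and every reference into it dangles, which is exactly the freed-by-`_M_emplace_back_aux` region in the report. The second part serializes both sides on one mutex and has the reader return a snapshot rather than iterate live storage.

```cpp
// Added illustration of the race in the ASan report above; not code from ring-daemon.
#include <cstddef>
#include <iostream>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Hypothetical stand-in for ring::PaDeviceInfos (the real struct carries more fields).
struct PaDeviceInfos {
    unsigned index;
    std::string name;
};

// Why T0 reads freed memory: appending to a std::vector that is at capacity
// reallocates, frees the old buffer and invalidates every reference/iterator
// into it. Returns true when the append grew capacity (and so invalidated
// the pointer the "reader" was holding). The stale pointer is deliberately
// never dereferenced: doing so is the heap-use-after-free ASan reports.
bool emplaceBackInvalidates()
{
    std::vector<PaDeviceInfos> sources;
    sources.reserve(1);
    sources.emplace_back(PaDeviceInfos{0, "alsa_input.usb-webcam"});   // constructed sample
    const std::size_t capBefore = sources.capacity();
    const PaDeviceInfos* held = &sources.front();                        // what T0 holds mid-walk
    sources.emplace_back(PaDeviceInfos{1, "alsa_input.pci-analog"});     // what T34 does meanwhile
    (void)held;                                                          // dangles now; not read
    return sources.capacity() > capBefore;
}

// Hardened form: both roles go through one mutex, and the reader copies the
// names out under the lock instead of walking storage the writer may free.
class SafePulseLayer {
public:
    // Writer side: called once per source from the (simulated) mainloop thread.
    void onSourceInfo(unsigned index, const std::string& name)
    {
        std::lock_guard<std::mutex> lk(mutex_);
        sources_.emplace_back(PaDeviceInfos{index, name});
    }

    // Reader side: called from the (simulated) D-Bus thread; returns a snapshot.
    std::vector<std::string> getCaptureDeviceList() const
    {
        std::lock_guard<std::mutex> lk(mutex_);
        std::vector<std::string> names;
        names.reserve(sources_.size());
        for (const auto& s : sources_)
            names.emplace_back(s.name);
        return names;
    }

private:
    mutable std::mutex mutex_;
    std::vector<PaDeviceInfos> sources_;
};

// Runs both roles concurrently: a mainloop thread appends n sources while the
// caller polls getCaptureDeviceList() until it sees all of them. Returns true
// when the final list has exactly n entries in append order.
bool concurrentListComplete(unsigned n)
{
    SafePulseLayer layer;
    std::thread mainloop([&layer, n] {
        for (unsigned i = 0; i < n; ++i)
            layer.onSourceInfo(i, "alsa_input.dev" + std::to_string(i));   // constructed names
    });
    std::vector<std::string> snap;
    do {
        snap = layer.getCaptureDeviceList();   // every snapshot is a prefix of the final list
    } while (snap.size() < n);
    mainloop.join();

    const std::vector<std::string> names = layer.getCaptureDeviceList();
    if (names.size() != n)
        return false;
    for (unsigned i = 0; i < n; ++i)
        if (names[i] != "alsa_input.dev" + std::to_string(i))
            return false;
    return true;
}

int main()
{
    std::cout << "emplace_back invalidated held reference: "
              << (emplaceBackInvalidates() ? "yes" : "no") << '\n';
    std::cout << "locked reader/writer produced a complete list: "
              << (concurrentListComplete(500) ? "yes" : "no") << '\n';
    return 0;
}
```

In the real daemon the writer runs inside PulseAudio's threaded mainloop callbacks, so the equivalent of `mutex_` can be the mainloop's own lock (`pa_threaded_mainloop_lock` / `pa_threaded_mainloop_unlock` around accesses from other threads), or the source list can be replaced wholesale under a lock instead of being appended to in place; either way the rule is the same as here: no thread walks the vector while another may reallocate it.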