Fix use-after-free in CommissioningWindowOpener. #22767

Merged (1 commit), Sep 21, 2022

Conversation

bzbarsky-apple
Contributor

Once we call back into our client, it can delete us, so we need to do any logging that uses mSetupPayload before we do that.

Issue Being Resolved

Change overview

Reorder calls so we don't use our members after deleting ourselves.

Once we call back into our client, it can delete us, so we need to do
any logging that uses `mSetupPayload` before we do that.

Fixes project-chip#22765
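The hazard the description refers to is the "callback may delete this" pattern: an object hands control to its client, the client destroys the object inside that call, and any member access after the call reads freed memory. The following is an added C++ example written for this page, not code from the connectedhomeip project: `Opener` stands in for `CommissioningWindowOpener`, and `Client`, `OnOpenDone`, `FinishBuggy`, `FinishFixed`, `RunFixed` and the payload string are all assumed or constructed for illustration. `FinishBuggy` keeps the original (wrong) order and is never called; `FinishFixed` applies the reordering the PR describes.

```cpp
// Added example (not connectedhomeip code). Demonstrates the ordering fix:
// do every member access before the client callback, none after it.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

struct Client;

// Assumed, simplified stand-in for CommissioningWindowOpener.
class Opener {
public:
    Opener(Client* client, std::string payload)
        : mClient(client), mSetupPayload(std::move(payload)) {}
    void FinishBuggy(bool success);         // the 'before' ordering
    std::string FinishFixed(bool success);  // the PR's ordering
private:
    Client* mClient;
    std::string mSetupPayload;  // the member the logging reads
};

// The client owns the Opener and destroys it from inside the completion
// callback: exactly the situation the PR description warns about.
struct Client {
    std::unique_ptr<Opener> opener;
    bool deletedInCallback = false;
    void OnOpenDone(bool /*success*/) {
        deletedInCallback = true;
        opener.reset();  // destroys the Opener that is currently calling us
    }
};

// BUGGY ORDER: callback first, then a log line that reads a member.
// Deliberately never called here; compiled with -fsanitize=address and
// invoked, the printf reports heap-use-after-free.
void Opener::FinishBuggy(bool success) {
    mClient->OnOpenDone(success);                          // may delete `this`
    std::printf("payload=%s\n", mSetupPayload.c_str());    // use-after-free
}

// FIXED ORDER: build the log line from the member first, copy anything the
// callback needs into locals, then call back and touch `this` no more.
std::string Opener::FinishFixed(bool success) {
    std::string line = "payload=" + mSetupPayload;  // member read happens here
    std::printf("%s\n", line.c_str());
    Client* client = mClient;      // local copy: no `this` needed after this point
    client->OnOpenDone(success);   // may delete `this`
    return line;                   // local, so still valid after deletion
}

// Drives the fixed path. Returns the logged line only if the client really
// destroyed the opener during the callback; "" otherwise.
std::string RunFixed(const std::string& payload) {
    Client client;
    client.opener = std::make_unique<Opener>(&client, payload);
    std::string line = client.opener->FinishFixed(true);
    if (client.opener != nullptr || !client.deletedInCallback) return "";
    return line;
}

int main() {
    // Constructed sample payload, not a real device's setup code.
    std::string line = RunFixed("MT:EXAMPLE-PAYLOAD");
    std::printf("opener was deleted in the callback; logged: %s\n", line.c_str());
    return 0;
}
```

The general rule the fix applies: once a method may trigger its own object's destruction, treat the call as the last line that may use `this`; anything needed afterwards (log text, the client pointer, a return value) is copied to the stack first. Building with `-fsanitize=address` and calling `FinishBuggy` instead is the quickest way to confirm the original ordering is a real use-after-free rather than a style nit.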
@github-actions

PR #22767: Size comparison from 847f450 to 1409eef

Increases (3 builds for cc13x2_26x2, psoc6, telink)

| platform | target | config | section | 847f450 | 1409eef | change | % change |
|---|---|---|---|---|---|---|---|
| cc13x2_26x2 | pump-controller-app | LP_CC2652R7 | (read/write) | 177728 | 177736 | 8 | 0.0 |
| psoc6 | lock | cy8ckit_062s2_43012 | .debug_info | 22397448 | 22397449 | 1 | 0.0 |
| telink | lighting-app | tlsr9518adk80d | text | 592726 | 592728 | 2 | 0.0 |

Decreases (5 builds for bl602, cc13x2_26x2, psoc6)

| platform | target | config | section | 847f450 | 1409eef | change | % change |
|---|---|---|---|---|---|---|---|
| bl602 | lighting-app | bl602 | (read/write) | 1383310 | 1383302 | -8 | -0.0 |
| bl602 | lighting-app | bl602 | .text | 1064954 | 1064952 | -2 | -0.0 |
| bl602 | lighting-app | bl602+rpc | .text | 1096302 | 1096298 | -4 | -0.0 |
| cc13x2_26x2 | pump-controller-app | LP_CC2652R7 | (read only) | 671791 | 671783 | -8 | -0.0 |
| cc13x2_26x2 | pump-controller-app | LP_CC2652R7 | .text | 585248 | 585240 | -8 | -0.0 |
| psoc6 | all-clusters | cy8ckit_062s2_43012 | .debug_info | 26817151 | 26817150 | -1 | -0.0 |
| psoc6 | light | cy8ckit_062s2_43012 | .debug_info | 22018111 | 22018110 | -1 | -0.0 |

Full report (25 builds for bl602, bl702, cc13x2_26x2, cyw30739, k32w, psoc6, qpg, telink): every section not listed under Increases or Decreases above is unchanged (change 0, 0.0%).

@andy31415 andy31415 merged commit 9bb2f53 into project-chip:master Sep 21, 2022
@bzbarsky-apple bzbarsky-apple deleted the fix-uaf branch September 21, 2022 20:04
andy31415 pushed a commit to andy31415/connectedhomeip that referenced this pull request Sep 23, 2022
Once we call back into our client, it can delete us, so we need to do
any logging that uses `mSetupPayload` before we do that.

Fixes project-chip#22765
andy31415 added a commit that referenced this pull request Sep 23, 2022
Once we call back into our client, it can delete us, so we need to do
any logging that uses `mSetupPayload` before we do that.

Fixes #22765

Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>
Linked issue: [BUG] Use-after-free in CommissioningWindowOpener