[HwComposer] HwcDebug is causing buffer overwrites, crashes

RESOLVED FIXED in Firefox OS v1.4

Product: Core
Component: Graphics: Layers
Severity: major
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 3 years ago

People: Reporter: erahm, Assigned: Sushil

Tracking: Version: Trunk; Target Milestone: 2.0 S5 (4july); Hardware: ARM; OS: Gonk (Firefox OS)

Firefox Tracking Flags: blocking-b2g:1.4+, b2g-v1.4 fixed, b2g-v2.0 fixed, b2g-v2.1 fixed

Whiteboard: [caf priority: p2][CR 689431][MemShrink][POVB]

Attachments (1 attachment)

Created attachment 8450333 [details] [diff] [review]
hwcomposer_sprintf.patch

On my Flame, |HwcDebug::HwcDebug| performs a |strncpy| with an incorrect length which leads to a non-null terminated string. It then does a |sprintf| with this value leading to memory corruption.

DMD builds are crashing 100% of the time due to this, but it is certainly happening in other builds as well. This affects 1.4+ at least.
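An added example (not code from the report or from the HAL patch) of the strncpy/sprintf pattern the report describes, with the hardened copy and a bounded format step beside it; the buffer size NAME_LEN and the sample layer name are constructed for the example:

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer standing in for the debug-name buffer; the size is an
 * assumption made for this example. */
#define NAME_LEN 8

/* Reproduces the defect from the report: strncpy() with the full buffer
 * size as the length writes no terminator when the source is NAME_LEN
 * bytes or longer. Returns 1 if dst ended up NUL-terminated, else 0. */
int copy_as_reported(char *dst, const char *src)
{
    memset(dst, 'X', NAME_LEN);     /* simulate stale stack contents */
    strncpy(dst, src, NAME_LEN);    /* bug: no room left for the terminator */
    return memchr(dst, '\0', NAME_LEN) != NULL;
}

/* Hardened copy: bound the copy to NAME_LEN - 1 and terminate explicitly,
 * so a later %s read can never run past the buffer. */
int copy_hardened(char *dst, const char *src)
{
    memset(dst, 'X', NAME_LEN);
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
    return memchr(dst, '\0', NAME_LEN) != NULL;
}

/* Bounded formatting: snprintf() truncates instead of writing past the end
 * of out. Returns 1 when the whole string fit, 0 when it was truncated. */
int format_hardened(char *out, size_t out_len, const char *name)
{
    int n = snprintf(out, out_len, "layer=%s", name);
    return n >= 0 && (size_t)n < out_len;
}

int main(void)
{
    char buf[NAME_LEN];
    char out[32];
    const char *long_name = "HwcDebugLayer";   /* constructed: 13 chars */

    /* The unterminated copy is detected here rather than handed to sprintf. */
    printf("reported copy terminated: %d\n", copy_as_reported(buf, long_name));
    printf("hardened copy terminated: %d\n", copy_hardened(buf, long_name));
    format_hardened(out, sizeof out, buf);
    printf("%s\n", out);
    return 0;
}
```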
Flags: needinfo?(sushilchauhan)
Nominating for 1.4. People are still testing/developing 1.4 on QC devices (e.g. Flame) so we need this there to have working tools.
blocking-b2g: --- → 1.4?
(Assignee)

Comment 3

3 years ago
Fix for this issue has landed in HAL. Can you please test with the CAF patch:

https://www.codeaurora.org/cgit/quic/la/platform/hardware/qcom/display/commit/?h=b2g_kk_3.5&id=f0366091389b3f0648a92e6a7173237937bc0393
(Assignee)

Comment 4

3 years ago
Eric, can you test with above CAF patch and let me know?
Assignee: nobody → sushilchauhan
Flags: needinfo?(sushilchauhan) → needinfo?(erahm)
(Assignee)

Updated

3 years ago
Duplicate of this bug: 1024452
(In reply to Sushil from comment #4)
> Eric, can you test with above CAF patch and let me know?

The patch does not apply to my local checkout; inspecting by hand does indicate that it contains approximately the same fix.
Flags: needinfo?(erahm)
(Assignee)

Comment 7

3 years ago
Thanks.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Hi Vincent,

Can you check if this patch has any impact on non-caf projects?

Thanks
Flags: needinfo?(vliu)
erahm gets a gold star for this one.
Whiteboard: [MemShrink] → [MemShrink][POVB]
Target Milestone: --- → 2.0 S5 (4july)

Comment 10

3 years ago
(In reply to Wayne Chang [:wchang] from comment #8)
> Hi Vincent,
> 
> Can you check if this patch has any impact on non-caf projects?
> 
> Thanks

Checked with two other non-caf projects and they didn't have HwcDebug::HwcDebug() code implementation.
Flags: needinfo?(vliu)
Taking per comments to improve testing
blocking-b2g: 1.4? → 1.4+

Updated

3 years ago
Whiteboard: [MemShrink][POVB] → [CR 689431][MemShrink][POVB]

Updated

3 years ago
Whiteboard: [CR 689431][MemShrink][POVB] → [caf priority: p2][CR 689431][MemShrink][POVB]

Updated

3 years ago
Blocks: 1011657
Hi Eric, I was wondering if this is fixed for 1.4+? Or do we need to push it to 2.0, 2.1?
Flags: needinfo?(erahm)
We're still waiting for the fix to land upstream. See bug 1019634 comment 18.
Flags: needinfo?(erahm)

Comment 14

3 years ago
2.0: https://github.com/mozilla-b2g/b2g-manifest/commit/d2babab58743c696f46d614e84fdb9f2a0dd75d7

Comment 15

3 years ago
1.4: https://github.com/mozilla-b2g/b2g-manifest/commit/ad87526f60b8411262813189d5d023c0c43a17eb
status-b2g-v1.4: --- → fixed
status-b2g-v2.0: --- → fixed
status-b2g-v2.1: --- → fixed

Updated

3 years ago
Duplicate of this bug: 1019634