Fix use-after-free in AndroidDeviceControllerWrapper (project-chip#22280

) * Fix use-after-fre in AndroidDeviceControllerWrapper - Some JNI array refererences we used beyond their live scope in init of the `AndroidDeviceControllerWrapper`, causing either crashes or errors, in probabilistic situations (not easily reproducible, but seen in larger scale testing) Fixes: project-chip#22279 This PR: - Ensures a copy exists of the originally "passed by JNI reference" data, up to the point it is no longer used, for NOC, ICAC, RCAC and IPK. Testing done: - Integrations test pass - Testing done also in field trials by some participants * Restyled
isiu-apple · Sep 16, 2022 · 988fc77 · 988fc77
1 parent a8ff05c
commit 988fc77
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 4 deletions.
diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp
@@ -20,6 +20,9 @@
 
 #include <algorithm>
 #include <memory>
+#include <vector>
+
+#include <string.h>
 
 #include <lib/support/CodeUtils.h>
 #include <lib/support/JniReferences.h>
@@ -224,9 +227,24 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
         JniByteArray jniIcac(env, intermediateCertificate);
         JniByteArray jniNoc(env, nodeOperationalCertificate);
 
-        setupParams.controllerRCAC = jniRcac.byteSpan();
-        setupParams.controllerICAC = jniIcac.byteSpan();
-        setupParams.controllerNOC  = jniNoc.byteSpan();
+        // Make copies of the cert that outlive the scope so that future factor init does not
+        // cause loss of scope from the JNI refs going away. Also, this keeps the certs
+        // handy for debugging commissioner init.
+        wrapper->mRcacCertificate = std::vector<uint8_t>(jniRcac.byteSpan().begin(), jniRcac.byteSpan().end());
+        if (!jniIcac.byteSpan().empty())
+        {
+            wrapper->mIcacCertificate = std::vector<uint8_t>(jniIcac.byteSpan().begin(), jniIcac.byteSpan().end());
+        }
+        else
+        {
+            wrapper->mIcacCertificate.clear();
+        }
+
+        wrapper->mNocCertificate = std::vector<uint8_t>(jniNoc.byteSpan().begin(), jniNoc.byteSpan().end());
+
+        setupParams.controllerRCAC = chip::ByteSpan(wrapper->mRcacCertificate.data(), wrapper->mRcacCertificate.size());
+        setupParams.controllerICAC = chip::ByteSpan(wrapper->mIcacCertificate.data(), wrapper->mIcacCertificate.size());
+        setupParams.controllerNOC  = chip::ByteSpan(wrapper->mNocCertificate.data(), wrapper->mNocCertificate.size());
     }
     else
     {
@@ -276,10 +294,12 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
     ChipLogByteSpan(Support, compressedFabricIdSpan);
 
     chip::ByteSpan ipkSpan;
+    std::vector<uint8_t> ipkBuffer;
     if (ipkEpochKey != nullptr)
     {
         JniByteArray jniIpk(env, ipkEpochKey);
-        ipkSpan = jniIpk.byteSpan();
+        ipkBuffer = std::vector<uint8_t>(jniIpk.byteSpan().begin(), jniIpk.byteSpan().end());
+        ipkSpan   = chip::ByteSpan(ipkBuffer.data(), ipkBuffer.size());
     }
     else
     {
@@ -288,6 +308,9 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
 
     *errInfoOnFailure = chip::Credentials::SetSingleIpkEpochKey(
         &wrapper->mGroupDataProvider, wrapper->Controller()->GetFabricIndex(), ipkSpan, compressedFabricIdSpan);
+
+    memset(ipkBuffer.data(), 0, ipkBuffer.size());
+
     if (*errInfoOnFailure != CHIP_NO_ERROR)
     {
         return nullptr;

diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h
@@ -20,6 +20,7 @@
 #include <lib/support/JniReferences.h>
 
 #include <memory>
+#include <vector>
 
 #include <jni.h>
 
@@ -178,6 +179,10 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
     jbyteArray operationalDatasetBytes = nullptr;
     jbyte * operationalDataset         = nullptr;
 
+    std::vector<uint8_t> mNocCertificate;
+    std::vector<uint8_t> mIcacCertificate;
+    std::vector<uint8_t> mRcacCertificate;
+
     chip::Controller::AutoCommissioner mAutoCommissioner;
 
     chip::Credentials::PartialDACVerifier mPartialDACVerifier;