From 1248672f7ffaae8849b8c96393635d4c5b6cc23c Mon Sep 17 00:00:00 2001 From: Tennessee Carmel-Veilleux Date: Tue, 30 Aug 2022 22:13:37 -0400 Subject: [PATCH] Fix use-after-free in AndroidDeviceControllerWrapper (#22280) * Fix use-after-fre in AndroidDeviceControllerWrapper - Some JNI array refererences we used beyond their live scope in init of the `AndroidDeviceControllerWrapper`, causing either crashes or errors, in probabilistic situations (not easily reproducible, but seen in larger scale testing) Fixes: #22279 This PR: - Ensures a copy exists of the originally "passed by JNI reference" data, up to the point it is no longer used, for NOC, ICAC, RCAC and IPK. Testing done: - Integrations test pass - Testing done also in field trials by some participants * Restyled --- .../java/AndroidDeviceControllerWrapper.cpp | 31 ++++++++++++++++--- .../java/AndroidDeviceControllerWrapper.h | 5 +++ 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp index 2be556d5a2bfd9..dc223d989859df 100644 --- a/src/controller/java/AndroidDeviceControllerWrapper.cpp +++ b/src/controller/java/AndroidDeviceControllerWrapper.cpp @@ -20,6 +20,9 @@ #include #include +#include + +#include #include #include @@ -224,9 +227,24 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( JniByteArray jniIcac(env, intermediateCertificate); JniByteArray jniNoc(env, nodeOperationalCertificate); - setupParams.controllerRCAC = jniRcac.byteSpan(); - setupParams.controllerICAC = jniIcac.byteSpan(); - setupParams.controllerNOC = jniNoc.byteSpan(); + // Make copies of the cert that outlive the scope so that future factor init does not + // cause loss of scope from the JNI refs going away. Also, this keeps the certs + // handy for debugging commissioner init. + wrapper->mRcacCertificate = std::vector(jniRcac.byteSpan().begin(), jniRcac.byteSpan().end()); + if (!jniIcac.byteSpan().empty()) + { + wrapper->mIcacCertificate = std::vector(jniIcac.byteSpan().begin(), jniIcac.byteSpan().end()); + } + else + { + wrapper->mIcacCertificate.clear(); + } + + wrapper->mNocCertificate = std::vector(jniNoc.byteSpan().begin(), jniNoc.byteSpan().end()); + + setupParams.controllerRCAC = chip::ByteSpan(wrapper->mRcacCertificate.data(), wrapper->mRcacCertificate.size()); + setupParams.controllerICAC = chip::ByteSpan(wrapper->mIcacCertificate.data(), wrapper->mIcacCertificate.size()); + setupParams.controllerNOC = chip::ByteSpan(wrapper->mNocCertificate.data(), wrapper->mNocCertificate.size()); } else { @@ -276,10 +294,12 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( ChipLogByteSpan(Support, compressedFabricIdSpan); chip::ByteSpan ipkSpan; + std::vector ipkBuffer; if (ipkEpochKey != nullptr) { JniByteArray jniIpk(env, ipkEpochKey); - ipkSpan = jniIpk.byteSpan(); + ipkBuffer = std::vector(jniIpk.byteSpan().begin(), jniIpk.byteSpan().end()); + ipkSpan = chip::ByteSpan(ipkBuffer.data(), ipkBuffer.size()); } else { @@ -288,6 +308,9 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( *errInfoOnFailure = chip::Credentials::SetSingleIpkEpochKey( &wrapper->mGroupDataProvider, wrapper->Controller()->GetFabricIndex(), ipkSpan, compressedFabricIdSpan); + + memset(ipkBuffer.data(), 0, ipkBuffer.size()); + if (*errInfoOnFailure != CHIP_NO_ERROR) { return nullptr; diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h index 8c0697b024170a..c1421863bbf29d 100644 --- a/src/controller/java/AndroidDeviceControllerWrapper.h +++ b/src/controller/java/AndroidDeviceControllerWrapper.h @@ -20,6 +20,7 @@ #include #include +#include #include @@ -178,6 +179,10 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel jbyteArray operationalDatasetBytes = nullptr; jbyte * operationalDataset = nullptr; + std::vector mNocCertificate; + std::vector mIcacCertificate; + std::vector mRcacCertificate; + chip::Controller::AutoCommissioner mAutoCommissioner; chip::Credentials::PartialDACVerifier mPartialDACVerifier;