Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minimal Mdns ResolverDelegateProxy use-after-free #13227

Closed
msandstedt opened this issue Dec 22, 2021 · 6 comments
Closed

Minimal Mdns ResolverDelegateProxy use-after-free #13227

msandstedt opened this issue Dec 22, 2021 · 6 comments
Labels
bug Something isn't working crash V1.0

Comments

@msandstedt
Copy link
Contributor

Problem

Discovery_ImplPlatform.cpp decrements the reference counter for the ResolverDelegateProxy by calling Release, which eventually causes it to be freed. However, this doesn't necessarily un-register the freed delegate from e.g. Resolver_ImplMinimalMdns.cpp. The result is that if more records are discovered than expected, code like Resolver_ImplMinimalMdns.cpp can execute methods on the freed ResolverDelegateProxy.

Proposed Solution

Something like this might work:

diff --git a/src/lib/dnssd/ResolverProxy.h b/src/lib/dnssd/ResolverProxy.h
index 5d3683387..3484366a9 100644
--- a/src/lib/dnssd/ResolverProxy.h
+++ b/src/lib/dnssd/ResolverProxy.h
@@ -28,6 +28,12 @@ class ResolverDelegateProxy : public ReferenceCounted<ResolverDelegateProxy>, pu
 public:
     void SetDelegate(ResolverDelegate * delegate) { mDelegate = delegate; }
 
+    void Release()
+    {
+        chip::Dnssd::Resolver::Instance().SetResolverDelegate(nullptr);
+        ReferenceCounted<ResolverDelegateProxy>::Release();
+    }
+
     /// ResolverDelegate interface
     void OnNodeIdResolved(const ResolvedNodeData & nodeData) override
     {
@msandstedt
Copy link
Contributor Author

CC @vivien-apple

msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 22, 2021
@msandstedt
Workaround for project-chip#13227, ResolverDelegateProxy use-after-free
2d7db6a 
Set the resolver instance singleton to nullptr when releasing the
ResolverDelegateProxy.
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 22, 2021
@msandstedt
Workaround for project-chip#13227, ResolverDelegateProxy use-after-free
35b821c 
Set the resolver instance singleton to nullptr when releasing the
ResolverDelegateProxy.
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 22, 2021
@msandstedt
Workaround for project-chip#13227, ResolverDelegateProxy use-after-free
d78e085 
Set the resolver instance singleton to nullptr when releasing the
ResolverDelegateProxy.
@msandstedt
Copy link
Contributor Author

msandstedt commented Dec 22, 2021
edited
Loading

The suggested fix does fix my problem. However, now things like TestCommissionManager are failing. For now, I am calling this in my code after Shutdown:

chip::Dnssd::Resolver::Instance().SetResolverDelegate(nullptr);

msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 28, 2021
@msandstedt
different workaround for project-chip#13227
f8ad5e9
@msandstedt msandstedt mentioned this issue Dec 29, 2021
Closed
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
project-chip#13227 debug
1b98d6f
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
Revert "project-chip#13227 debug"
11cce71 
This reverts commit 1b98d6f.
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
Fix ResolverProxy use-after-free in HandleNodeBrowse
50f22a2 
HandleNodeBrowse decrements the ResolverProxy reference count, which
will cause the object to be destructed if the counter reaches 0, and
then increments the counter and uses the object, which can be a
use-after-free. his commit fixes the problem by ordering Release to
occur after Retain.

Fixes project-chip#13227
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
revert project-chip#13227 workarounds
2d15c83
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
project-chip#13227 debug
0639595
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
Revert "project-chip#13227 debug"
860c184 
This reverts commit 1b98d6f.
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
Fix ResolverProxy use-after-free in HandleNodeBrowse
48f54b5 
HandleNodeBrowse decrements the ResolverProxy reference count, which
will cause the object to be destructed if the counter reaches 0, and
then increments the counter and uses the object, which can be a
use-after-free. his commit fixes the problem by ordering Release to
occur after Retain.

Fixes project-chip#13227
msandstedt added a commit to msandstedt/connectedhomeip that referenced this issue Dec 30, 2021
@msandstedt
revert project-chip#13227 workarounds
621b2d2
@msandstedt msandstedt mentioned this issue Dec 30, 2021
Closed
@msandstedt msandstedt changed the title ResolverDelegateProxy use-after-free Minimal Mdns ResolverDelegateProxy use-after-free Dec 30, 2021
@andy31415 andy31415 removed their assignment Feb 7, 2022
@bzbarsky-apple
Copy link
Contributor

Shouldn't ~ResolverDelegateProxy be handling the un-registration?

Removing "deferral candidate" label, since this is a use-after-free bug, hence likely exploitable.

@andy31415
Copy link
Contributor

@msandstedt Trying to understand if this is still an issue and to understand it in general: this mentiones MinimalMdns but also Discovery_ImplPlatform.cpp ... those two should be mutually exclusive.

Is this still an issue? I am unsure how to reproduce. MinMDNS code was updated quite a bit with the usage of address resolver since last year.

@andy31415
Copy link
Contributor

MinMDNS does not currently use ResolverProxy at all.

@andy31415
Copy link
Contributor

andy31415 commented Sep 29, 2022
edited
Loading

Closing: based on discussion with @msandstedt since MinMDNS is not using resolver proxy (anymore - it used to when this bug was reported), this should be fine now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working crash V1.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@tcarmelveilleux @andy31415 @msandstedt @woody-apple @bzbarsky-apple