[BUG] Heap-Use-After-Free in CASESession during TCP Connection Termination

[BoB13-Matter]

Reproduction steps

0. Build the chip-tool with AddressSanitizer (ASAN) enabled.

1. Open Terminal 1 and start the chip-all-clusters-app:

   $ ./chip-all-clusters-app

2. Open Terminal 2 and run the following commands in chip-tool:

   $ ./chip-tool interactive start
   $ pairing onnetwork-long 1 20202021 3840
   $ basicinformation read vendor-name 1 0 --allow-large-payload 1

3. After the TCP session is established, terminate chip-all-clusters-app in Terminal 1 with Ctrl+C.

4. Observe that chip-tool receives a FIN packet, triggering heap-use-after-free behavior.
   ASAN Log.txt

Summary

A heap-use-after-free (UAF) issue occurs when a CASESession object is deallocated but its callback remains referenced by the ActiveTCPConnectionState object. This issue introduces undefined behavior, potentially leading to security vulnerabilities under specific conditions.

Analysis and Description

The issue arises due to a mismatch in the lifecycle management of the CASESession and ActiveTCPConnectionState objects. The following sequence highlights the root cause:

1. Creation and Callback Setup:

   During CASESession::EstablishSession, the AppTCPConnectionCallbackCtxt structure is initialized, and its connClosedCb member is set to CASESession::HandleConnectionClosed:

   CHIP_ERROR CASESession::Init(SessionManager & sessionManager, Credentials::CertificateValidityPolicy * policy,
                                SessionEstablishmentDelegate * delegate, const ScopedNodeId & sessionEvictionHint)
   {
   	// ...
   	mTCPConnCbCtxt.connClosedCb = HandleConnectionClosed;

2. ActiveTCPConnectionState References CASESession:

   The ActiveTCPConnectionState object is initialized during TCPBase::StartConnect, and it retains a reference to the AppTCPConnectionCallbackCtxt structure via its mAppState member:

   activeConnection->mAppState = appState;

3. CASESession Deallocation:

   After the CASE session is successfully established, the CASESession object is deallocated. However, ActiveTCPConnectionState still holds a dangling reference to the AppTCPConnectionCallbackCtxt structure.

4. TCP Connection Termination:

   When the TCP connection is terminated, the ActiveTCPConnectionState invokes the connClosedCb callback stored in its mAppState. Since the callback references the already-freed CASESession object, a heap-use-after-free occurs:

   if (appTCPConnCbCtxt->connClosedCb != nullptr) {
       appTCPConnCbCtxt->connClosedCb(conn, conErr);
   }

This UAF condition results from the ActiveTCPConnectionState lifecycle extending beyond the CASESession lifecycle, causing undefined behavior. If the memory previously occupied by the CASESession is overwritten with controlled data, this could lead to arbitrary code execution.

Proposed Solution

• Refactor Callback Handling:
  • Decouple the lifecycle of CASESession from ActiveTCPConnectionState using proxy objects or weak references.

By resolving this issue, the framework can eliminate the risk of undefined behavior and proactively mitigate potential security vulnerabilities, ensuring the robustness of the system.

If further information is needed, please do not hesitate to reach out.

Bug prevalence

always

GitHub hash of the SDK that was being used

ffbc362

Platform

core

Platform Version(s)

all versions with TCP support

Anything else?

No response