Closed Bug 1034146 Opened 10 years ago Closed 10 years ago

[HwComposer] HwcDebug is causing buffer overwrites, crashes

Categories

(Core :: Graphics: Layers, defect)

ARM
Gonk (Firefox OS)
defect
Not set
major

Tracking


RESOLVED FIXED
2.0 S5 (4july)
blocking-b2g 1.4+
Tracking Status
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed

People

(Reporter: erahm, Assigned: sushilchauhan)

Details

(Whiteboard: [caf priority: p2][CR 689431][MemShrink][POVB])

Attachments

(1 file)

Attached patch hwcomposer_sprintf.patch (deleted) — Splinter Review
On my Flame, |HwcDebug::HwcDebug| performs a |strncpy| with an incorrect length which leads to a non-null terminated string. It then does a |sprintf| with this value leading to memory corruption.

DMD builds are crashing 100% of the time due to this, but it is certainly happening on other builds as well. This affects 1.4+ at least.
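The defect the report describes, a strncpy with the full buffer length that leaves no terminator, followed by formatting the result, shown next to the bounded form. This is an added C illustration, not the HAL fix or the Gecko code; NAME_LEN, the function names and the sample layer name are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* constructed: small on purpose so long names overflow */

/* Buggy pattern from the report: strncpy with count == sizeof(dst) writes no
   terminator when src is NAME_LEN bytes or longer. Returns 1 if dst ends up
   NUL-terminated, 0 if not (the state that later makes sprintf read past it). */
int buggy_copy_is_terminated(const char *src) {
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);          /* stand-in for stale stack bytes */
    strncpy(dst, src, sizeof dst);         /* the defect: nothing reserves '\0' */
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Hardened pattern: copy at most NAME_LEN-1 bytes and terminate explicitly. */
int fixed_copy_is_terminated(const char *src) {
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst - 1);
    dst[sizeof dst - 1] = '\0';
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Build a debug line the safe way: bounded copy of the name, then snprintf
   rather than sprintf. Returns the length the line would have needed
   (snprintf semantics), so callers can detect truncation of `out`. */
int format_layer_line(char *out, size_t outlen, const char *src, int idx) {
    char name[NAME_LEN];
    strncpy(name, src, sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return snprintf(out, outlen, "layer %d: %s", idx, name);
}

/* Convenience wrapper with an internal buffer so the result is easy to check. */
int layer_line_length(const char *src, int idx) {
    char out[32];
    return format_layer_line(out, sizeof out, src, idx);
}

int main(void) {
    char line[32];
    format_layer_line(line, sizeof line, "HwcLayerName", 3);
    printf("buggy terminated: %d, fixed terminated: %d, line: \"%s\"\n",
           buggy_copy_is_terminated("HwcLayerName"),
           fixed_copy_is_terminated("HwcLayerName"), line);
    return 0;
}
```

Compiling with -Wstringop-truncation (GCC) flags the buggy strncpy call; AddressSanitizer or valgrind would catch the over-read at the later sprintf.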
Sushil can you take a look at this?
Flags: needinfo?(sushilchauhan)
Nominating for 1.4.  People are still testing/developing 1.4 on QC devices (e.g. Flame) so we need this there to have working tools.
blocking-b2g: --- → 1.4?
Fix for this issue has landed in HAL. Can you please test with the CAF patch:

https://www.codeaurora.org/cgit/quic/la/platform/hardware/qcom/display/commit/?h=b2g_kk_3.5&id=f0366091389b3f0648a92e6a7173237937bc0393
Eric, can you test with above CAF patch and let me know?
Assignee: nobody → sushilchauhan
Flags: needinfo?(sushilchauhan) → needinfo?(erahm)
(In reply to Sushil from comment #4)
> Eric, can you test with above CAF patch and let me know?

The patch does not apply to my local checkout, inspecting by hand does indicate that it contains approximately the same fix.
Flags: needinfo?(erahm)
Thanks.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Hi Vincent,

Can you check if this patch has any impact on non-caf projects?

Thanks
Flags: needinfo?(vliu)
erahm gets a gold star for this one.
Whiteboard: [MemShrink] → [MemShrink][POVB]
Target Milestone: --- → 2.0 S5 (4july)
(In reply to Wayne Chang [:wchang] from comment #8)
> Hi Vincent,
> 
> Can you check if this patch has any impact on non-caf projects?
> 
> Thanks

Checked with two other non-caf projects and they didn't have HwcDebug::HwcDebug() code implementation.
Flags: needinfo?(vliu)
Taking per comments to improve testing
blocking-b2g: 1.4? → 1.4+
Whiteboard: [MemShrink][POVB] → [CR 689431][MemShrink][POVB]
Whiteboard: [CR 689431][MemShrink][POVB] → [caf priority: p2][CR 689431][MemShrink][POVB]
Hi Eric, I was wondering if this is fixed for 1.4+?  Or do we need to push it to 2.0, 2.1?
Flags: needinfo?(erahm)
We're still waiting for the fix to land upstream. See bug 1019634 comment 18.
Flags: needinfo?(erahm)