Crash caused by memory corruption bug (with GrapheneOS Exploit protection enabled / hardened_malloc)
Closed this issue · 3 comments
notune commented
By default, the exploit protection is enabled on GrapheneOS (hardened_malloc). This leads to a crash of the app, probably caused by some memory corruption bug. To reproduce, open the app in GrapheneOS and scan a cimbar code. After it begins to decode, the app will crash (at ~20% with my testing).
Version: 0.5.14 (f-droid)
Android: 14 (GrapheneOS)
Log:
1707323170.661 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.004063 seconds
--------- beginning of crash
1707323170.714 6826 7017 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400c75cad23eff8 in tid 7017 (Thread-1), pid 6826 (.camerafilecopy)
--------- switch to main
1707323170.767 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.005902 seconds
1707323170.814 7036 7036 E cutils-trace: Error opening trace file: No such file or directory (2)
1707323170.818 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.003171 seconds
1707323170.826 7037 7037 E DEBUG : failed to readlink /proc/7017/fd/118: No such file or directory
1707323170.886 7037 7037 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstoneProto
1707323170.888 7037 7037 I crash_dump64: performing dump of process 6826 (target tid = 7017)
1707323170.901 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.003644 seconds
1707323170.944 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.006658 seconds
1707323170.974 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.008066 seconds
1707323170.995 7037 7037 E cutils-trace: Error opening trace file: No such file or directory (2)
1707323171.024 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.005572 seconds
1707323171.056 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.004223 seconds
1707323171.090 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.004280 seconds
1707323171.114 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.003491 seconds
1707323171.166 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.006155 seconds
--------- switch to crash
1707323171.173 7037 7037 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
1707323171.173 7037 7037 F DEBUG : Build fingerprint: 'google/raven/raven:14/UQ1A.240205.002/2024020500:user/release-keys'
1707323171.173 7037 7037 F DEBUG : Revision: 'MP1.0'
1707323171.173 7037 7037 F DEBUG : ABI: 'arm64'
1707323171.173 7037 7037 F DEBUG : Timestamp: 2024-02-07 17:26:10.927027772+0100
1707323171.173 7037 7037 F DEBUG : Process uptime: 14s
1707323171.173 7037 7037 F DEBUG : Cmdline: org.cimbar.camerafilecopy
1707323171.173 7037 7037 F DEBUG : pid: 6826, tid: 7017, name: Thread-1 >>> org.cimbar.camerafilecopy <<<
1707323171.173 7037 7037 F DEBUG : uid: 10333
1707323171.173 7037 7037 F DEBUG : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
1707323171.173 7037 7037 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xb400c75cad23eff8
1707323171.173 7037 7037 F DEBUG : x0 0000c42ff1036dc8 x1 00000000ffffffff x2 0000c42ff103693c x3 0000000000000001
1707323171.173 7037 7037 F DEBUG : x4 0000000000000004 x5 0000000000000010 x6 0000000000000024 x7 0000000000000000
1707323171.173 7037 7037 F DEBUG : x8 0000000000000063 x9 b400c75cad23f000 x10 00000000000003b9 x11 fffffffffffffff8
1707323171.173 7037 7037 F DEBUG : x12 b400c584e3740376 x13 0000000000000001 x14 0000000000000001 x15 000000000000000c
1707323171.173 7037 7037 F DEBUG : x16 0000c4300b1d82e0 x17 0000c4300b134844 x18 0000c42fee5ea000 x19 0000c42ff1036dc8
1707323171.173 7037 7037 F DEBUG : x20 0000000000000001 x21 0000000000000004 x22 0000c42ff1036d58 x23 b400c75cacef1ca8
1707323171.173 7037 7037 F DEBUG : x24 000000000000301c x25 b400c75cacef1ca9 x26 0000c42ff1036d60 x27 0000c42ff11dd040
1707323171.173 7037 7037 F DEBUG : x28 0000000000002fb5 x29 0000c42ff10368a0
1707323171.173 7037 7037 F DEBUG : lr 0000c4300b13300c sp 0000c42ff1036830 pc 0000c4300b1348ac pst 0000000080001000
1707323171.173 7037 7037 F DEBUG : 9 total frames
1707323171.173 7037 7037 F DEBUG : backtrace:
1707323171.173 7037 7037 F DEBUG : #00 pc 00000000000f38ac /data/app/~~42bEUkZXkXYiG0O2XNiSPQ==/org.cimbar.camerafilecopy-hWUKdVY8rp5Gjokq6qNAIQ==/lib/arm64/libcfc-cpp.so (AdjacentCellFinder::bottom(int) const+104) (BuildId: 75aa0c835b5b43e906f4567e4a95e83e4fba37b1)
1707323171.173 7037 7037 F DEBUG : #01 pc 00000000000f2008 /data/app/~~42bEUkZXkXYiG0O2XNiSPQ==/org.cimbar.camerafilecopy-hWUKdVY8rp5Gjokq6qNAIQ==/lib/arm64/libcfc-cpp.so (FloodDecodePositions::update(unsigned int, CellDrift const&, unsigned int, unsigned char)+1360) (BuildId: 75aa0c835b5b43e906f4567e4a95e83e4fba37b1)
1707323171.173 7037 7037 F DEBUG : #02 pc 00000000000b0444 /data/app/~~42bEUkZXkXYiG0O2XNiSPQ==/org.cimbar.camerafilecopy-hWUKdVY8rp5Gjokq6qNAIQ==/lib/arm64/libcfc-cpp.so (CimbReader::read(PositionData&)+276) (BuildId: 75aa0c835b5b43e906f4567e4a95e83e4fba37b1)
1707323171.173 7037 7037 F DEBUG : #03 pc 0000000000083dac /data/app/~~42bEUkZXkXYiG0O2XNiSPQ==/org.cimbar.camerafilecopy-hWUKdVY8rp5Gjokq6qNAIQ==/lib/arm64/libcfc-cpp.so (unsigned int Decoder::do_decode<aligned_stream<concurrent_fountain_decoder_sink<cimbar::zstd_decompressor<std::__ndk1::basic_ofstream<char, std::__ndk1::char_traits<char> > > > > >(CimbReader&, aligned_stream<concurrent_fountain_decoder_sink<cimbar::zstd_decompressor<std::__ndk1::basic_ofstream<char, std::__ndk1::char_traits<char> > > > >&)+1064) (BuildId: 75aa0c835b5b43e906f4567e4a95e83e4fba37b1)
1707323171.173 7037 7037 F DEBUG : #04 pc 0000000000083338 /data/app/~~42bEUkZXkXYiG0O2XNiSPQ==/org.cimbar.camerafilecopy-hWUKdVY8rp5Gjokq6qNAIQ==/lib/arm64/libcfc-cpp.so (std::__ndk1::__function::__func<MultiThreadedDecoder::add(cv::Mat)::'lambda'(), std::__ndk1::allocator<MultiThreadedDecoder::add(cv::Mat)::'lambda'()>, void ()>::operator()()+736) (BuildId: 75aa0c835b5b43e906f4567e4a95e83e4fba37b1)
1707323171.173 7037 7037 F DEBUG : #05 pc 00000000000ac240 /data/app/~~42bEUkZXkXYiG0O2XNiSPQ==/org.cimbar.camerafilecopy-hWUKdVY8rp5Gjokq6qNAIQ==/lib/arm64/libcfc-cpp.so (turbo::thread_pool::run()+1616) (BuildId: 75aa0c835b5b43e906f4567e4a95e83e4fba37b1)
1707323171.173 7037 7037 F DEBUG : #06 pc 00000000000ac5c8 /data/app/~~42bEUkZXkXYiG0O2XNiSPQ==/org.cimbar.camerafilecopy-hWUKdVY8rp5Gjokq6qNAIQ==/lib/arm64/libcfc-cpp.so (BuildId: 75aa0c835b5b43e906f4567e4a95e83e4fba37b1)
1707323171.173 7037 7037 F DEBUG : #07 pc 00000000000cfa2c /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: 8bc16426785f69835644a00e95964c1d)
1707323171.173 7037 7037 F DEBUG : #08 pc 0000000000064770 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 8bc16426785f69835644a00e95964c1d)
--------- switch to main
1707323171.204 6826 7006 I CameraFileCopyCPP: processImage computation time = 0.004162 seconds
--------- switch to events
1707323171.229 6826 6826 I wm_on_top_resumed_lost_called: [Token=245731568,Component Name=org.cimbar.camerafilecopy.MainActivity,Reason=topStateChangedWhenResumed]
--------- switch to main
1707323171.238 6826 6826 I CameraFileCopyCPP: Shutdown cfc-cpp
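The registers in the tombstone above explain why this crash is deterministic under hardened_malloc: the fault address 0xb400c75cad23eff8 equals x9 (0xb400c75cad23f000) plus x11 (0xfffffffffffffff8, i.e. -8), so the faulting instruction in AdjacentCellFinder::bottom loaded 8 bytes immediately before a page boundary, and the signal code is SEGV_ACCERR (page mapped but not accessible) rather than SEGV_MAPERR (page not mapped). That is consistent with a read at index -1 of an array whose storage starts at a page boundary, landing in one of the PROT_NONE guard pages hardened_malloc places around allocations; a stock allocator would usually satisfy the same read from neighbouring heap bytes and the bug would go unnoticed. The following program is an added example, not code from cfc or GrapheneOS: it builds a guarded allocation with mmap/mprotect, installs a SIGSEGV handler that records si_code and si_addr (the tombstone's "fault addr"), and probes the array just before its start and just past its end. The function and variable names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* MAP_ANONYMOUS, sigaction, sigsetjmp on glibc */
#endif
#include <limits.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Recovery point plus the fault details captured by the SIGSEGV handler. */
static sigjmp_buf recover;
static volatile sig_atomic_t last_code;
static volatile uintptr_t last_addr;

static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    last_code = si->si_code;                /* SEGV_MAPERR or SEGV_ACCERR */
    last_addr = (uintptr_t)si->si_addr;     /* the tombstone's "fault addr" */
    siglongjmp(recover, 1);
}

/* Allocate `len` bytes of read/write memory with a PROT_NONE guard page on
 * each side, mimicking how a hardening allocator isolates allocations.
 * Returns the start of the usable region; *map_len gets the mapping size. */
unsigned char *guarded_alloc(size_t len, size_t *map_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = (len + page - 1) / page * page;
    unsigned char *m = mmap(NULL, body + 2 * page, PROT_NONE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return NULL;
    if (mprotect(m + page, body, PROT_READ | PROT_WRITE) != 0) {
        munmap(m, body + 2 * page);
        return NULL;
    }
    *map_len = body + 2 * page;
    return m + page;
}

/* Read cells[idx] under a temporary SIGSEGV handler. Returns 0 if the read
 * succeeded, 1 if it faulted (then *code/*addr hold si_code and si_addr),
 * -1 if the handler could not be installed. */
int probe_read(const int64_t *cells, long idx, int *code, uintptr_t *addr)
{
    struct sigaction sa, old;
    volatile int64_t sink;
    int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return -1;
    if (sigsetjmp(recover, 1) == 0) {
        volatile const int64_t *p = cells;  /* volatile keeps the load */
        sink = p[idx];
        (void)sink;
        faulted = 0;
    } else {
        faulted = 1;
        *code = last_code;
        *addr = last_addr;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Probe cells[idx] on a fresh guarded page of int64 cells and return 0 if the
 * read succeeded, the signed byte offset of the fault address from the array
 * base if it faulted with SEGV_ACCERR, or LONG_MIN on any other outcome. */
long guard_probe_offset(long idx)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), map_len;
    int64_t *cells = (int64_t *)guarded_alloc(page, &map_len);
    int code = 0; uintptr_t addr = 0; long result = LONG_MIN;
    if (!cells)
        return LONG_MIN;
    for (size_t i = 0; i < page / sizeof *cells; i++) cells[i] = (int64_t)i;
    int r = probe_read(cells, idx, &code, &addr);
    if (r == 0)
        result = 0;
    else if (r == 1 && code == SEGV_ACCERR)
        result = (long)((intptr_t)addr - (intptr_t)cells);  /* negative before base */
    munmap((unsigned char *)cells - page, map_len);
    return result;
}

int main(void)
{
    long n = (long)sysconf(_SC_PAGESIZE) / 8, idx[] = { 0, n - 1, -1, n };
    for (int i = 0; i < 4; i++) {
        long off = guard_probe_offset(idx[i]);
        if (off == 0)
            printf("cells[%ld]: read ok\n", idx[i]);
        else
            printf("cells[%ld]: SIGSEGV SEGV_ACCERR, fault addr = base%+ld\n", idx[i], off);
    }
    return 0;
}
```

Reading index -1 reports a fault exactly 8 bytes below the array base, the same relationship as x9 + x11 in the tombstone; reading index n lands in the trailing guard page. Under a non-hardened allocator the same two reads would typically return whatever bytes sit next to the allocation, which is why the bug only surfaced with exploit protection enabled.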
sz3 commented
The stack trace is very helpful!
Looks like a logic error in AdjacentCellFinder (critical path...), I'll find it...
notune commented
Fixed it 3 secs ago, give me a minute and I will create a PR
notune commented
Fixed with https://github.com/sz3/cfc/releases/tag/v0.5.15 🎉