Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-01 11:36:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix use-after-free crash in VtsHalNeuralnetworksTargetTest.

Browse Source 
Prior to this CL, the AHardwareBuffer in TestBlobAHWB is released in the
destructor, but later used (unlock) during the destruction of the
mMapping member. This CL fixed this issue by managing the lifetime of
AHardwareBuffer with SharedMemory.

Bug: 197199690
Test: VtsHalNeuralnetworksTargetTest
Change-Id: I00748aaaa1a3a3d9b3b62bedb77a655ddb6e210f
This commit is contained in:
Xusong Wang
2021-08-23 11:36:19 -07:00
parent 7f23524b2c
commit d2ecde5c54
2 changed files with 7 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
neuralnetworks/aidl/vts/functional/Utils.cpp
View File

@@ -153,26 +153,19 @@ void TestBlobAHWB::initialize(uint32_t size) {
.stride = size,
};
ASSERT_EQ(AHardwareBuffer_allocate(&desc, &mAhwb), 0);
ASSERT_NE(mAhwb, nullptr);
AHardwareBuffer* ahwb = nullptr;
ASSERT_EQ(AHardwareBuffer_allocate(&desc, &ahwb), 0);
ASSERT_NE(ahwb, nullptr);
const auto sharedMemory =
nn::createSharedMemoryFromAHWB(mAhwb, /*takeOwnership=*/false).value();
mMapping = nn::map(sharedMemory).value();
mMemory = nn::createSharedMemoryFromAHWB(ahwb, /*takeOwnership=*/true).value();
mMapping = nn::map(mMemory).value();
mPtr = static_cast<uint8_t*>(std::get<void*>(mMapping.pointer));
CHECK_NE(mPtr, nullptr);
mAidlMemory = utils::convert(sharedMemory).value();
mAidlMemory = utils::convert(mMemory).value();
mIsValid = true;
}
TestBlobAHWB::~TestBlobAHWB() {
if (mAhwb) {
AHardwareBuffer_unlock(mAhwb, nullptr);
AHardwareBuffer_release(mAhwb);
}
}
std::string gtestCompliantName(std::string name) {
// gtest test names must only contain alphanumeric characters
std::replace_if(

3
neuralnetworks/aidl/vts/functional/Utils.h
View File

@@ -102,11 +102,10 @@ class TestBlobAHWB : public TestMemoryBase {
// The constructor calls initialize, which constructs the memory resources. This is a
// workaround that gtest macros cannot be used directly in a constructor.
TestBlobAHWB(uint32_t size) { initialize(size); }
~TestBlobAHWB();
private:
void initialize(uint32_t size);
AHardwareBuffer* mAhwb = nullptr;
nn::SharedMemory mMemory;
nn::Mapping mMapping;
};