
UAF caught by MTE #7874

Closed
divergentdave opened this issue May 18, 2024 · 2 comments

divergentdave commented May 18, 2024

⚠️ Issues not using this template will be systematically closed.

Describe the bug
I have been using the StreetMeasure app on a Pixel 8 with synchronous MTE enabled, and it crashes occasionally. Tombstone files point to libfilament-jni.so.

To Reproduce
Steps to reproduce the behavior:

  1. Enable synchronous MTE as described at the above link
  2. Use the StreetMeasure app normally, multiple times

Expected behavior
The app should not crash.

Screenshots
N/A

Logs

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/shiba/shiba:14/AP1A.240505.004/11583682:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm64'
Timestamp: 2024-05-16 20:09:29.899799997-0500
Process uptime: 980s
Cmdline: de.westnordost.streetmeasure
pid: 30399, tid: 30492, name: FEngine::loop  >>> de.westnordost.streetmeasure <<<
uid: 10323
tagged_addr_ctrl: 000000000007fff3 (PR_TAGGED_ADDR_ENABLE, PR_MTE_TCF_SYNC, mask 0xfffe)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0b0000748d44d520
    x0  0000007609d12484  x1  0000007205bf6260  x2  ffffffffffffffe0  x3  0000007205bf6480
    x4  0000007205bf64e0  x5  0000000000000004  x6  0000000000000001  x7  0000055cae23b465
    x8  0000000000000001  x9  0000000000005751  x10 0000000000000030  x11 0000007609c8f7b4
    x12 0000000000000020  x13 0000000000000001  x14 000000000000001c  x15 0d0000740d4192b0
    x16 0000007609d08030  x17 0000007609c93bc0  x18 0000007205274000  x19 0b0000748d44d520
    x20 0f000074ad411260  x21 0000000000000002  x22 000000720ebf1420  x23 080000747d4bd0c0
    x24 080000747d4bd100  x25 0000007205bf68b0  x26 0000007205bf6bf0  x27 00000000000fc000
    x28 00000000000fe000  x29 0000007205bf6850
    lr  0000007213aa2fcc  sp  0000007205bf6630  pc  0000007213aa2fcc  pst 0000000080001000

1 total frames
backtrace:
      #00 pc 0000000000059fcc  /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)

Note: multiple potential causes for this crash were detected, listing them in decreasing order of likelihood.

Cause: [MTE]: Use After Free, 0 bytes into a 32-byte allocation at 0x748d44d520

deallocated by thread 30492:
      #00 pc 00000000000511c8  /apex/com.android.runtime/lib64/bionic/libc.so (scudo::Allocator<scudo::AndroidNormalConfig, &(scudo_malloc_postinit)>::quarantineOrDeallocateChunk(scudo::Options const&, void*, scudo::Chunk::UnpackedHeader*, unsigned long)+920) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)
      #01 pc 000000000004ba54  /apex/com.android.runtime/lib64/bionic/libc.so (scudo::Allocator<scudo::AndroidNormalConfig, &(scudo_malloc_postinit)>::deallocate(void*, scudo::Chunk::Origin, unsigned long, unsigned long)+212) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)
      #02 pc 0000000000059fc8  /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)
      #03 pc 00000000000607b0  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)

Cause: [MTE]: Buffer Underflow, 192 bytes left of a 19-byte allocation at 0x748d44d5e0

Cause: [MTE]: Buffer Underflow, 288 bytes left of a 26-byte allocation at 0x748d44d640

Memory tags around the fault address (0xb0000748d44d520), one tag per 16 bytes:
      0x748d44cd00: 0  9  9  0  9  9  0  8  8  0  2  2  0  1  1  0
      0x748d44ce00: a  a  0  b  b  0  2  2  0  c  c  0  b  b  0  3
      0x748d44cf00: 3  0  1  1  0  7  7  0  e  e  0  2  2  0  c  c
      0x748d44d000: 0  5  5  0  1  1  0  a  a  0  5  5  0  2  2  0
      0x748d44d100: c  c  0  a  a  0  d  d  0  b  b  0  3  3  0  2
      0x748d44d200: 2  0  a  a  0  4  4  0  b  b  0  f  f  0  9  9
      0x748d44d300: 0  1  1  0  a  a  0  3  3  0  b  b  0  3  3  0
      0x748d44d400: 8  8  0  6  6  0  f  f  0  3  3  0  c  c  0  6
    =>0x748d44d500: 6  0 [4] 4  0  2  2  0  7  7  0  6  6  0  b  b
      0x748d44d600: 0  2  2  0  b  b  0  1  1  0  5  5  0  6  6  0
      0x748d44d700: 1  1  0  e  e  0  a  a  0  4  4  0  4  4  0  5
      0x748d44d800: 5  0  7  7  0  4  4  0  d  d  0  c  c  0  d  d
      0x748d44d900: 0  5  5  0  7  7  0  d  d  0  d  d  0  7  7  0
      0x748d44da00: f  f  0  1  1  0  e  e  0  6  6  0  3  3  0  1
      0x748d44db00: 1  0  5  5  0  2  2  0  1  1  0  a  a  0  b  b
      0x748d44dc00: 0  d  d  0  1  1  0  f  f  0  9  9  0  1  1  0

Learn more about MTE reports: https://source.android.com/docs/security/test/memory-safety/mte-reports

Is it possible to symbolize these addresses from a release build? I notice the deallocation and the UAF access happen four bytes apart in the same method.

Desktop (please complete the following information):
N/A

Smartphone (please complete the following information):

  • Device: Pixel 8
  • OS: Android 14

Additional context
streetcomplete/StreetMeasure#1 (comment)
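
Added example (not code from this issue, from Filament or from StreetMeasure): a small Python script that reads the tombstone above and makes the report's meaning explicit. It decodes the logical tag in bits [59:56] of the tagged fault address, looks up the physical tag of the faulting 16-byte granule in the "Memory tags around the fault address" grid, and confirms the mismatch that produced SEGV_MTESERR; it also lists the tags of the granules covering the allocation named in the Cause line and measures the distance between the crashing pc and the pc of the frame that freed the memory, both inside libfilament-jni.so. The excerpt embedded below is copied from the report in this issue; the tag layout (one 4-bit tag per 16-byte granule, tag in the top byte of the pointer) is the ARMv8.5-A MTE definition and is the only assumption made.

```python
import re

# Constructed excerpt: the relevant lines copied from the tombstone in this issue.
TOMBSTONE = """\
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0b0000748d44d520
backtrace:
      #00 pc 0000000000059fcc  /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)
Cause: [MTE]: Use After Free, 0 bytes into a 32-byte allocation at 0x748d44d520
deallocated by thread 30492:
      #02 pc 0000000000059fc8  /data/app/~~hxGyQyzhxXyug4wHYsOk5A==/de.westnordost.streetmeasure-od-BZ9o56HjiPrycb8X0Fg==/split_config.arm64_v8a.apk!libfilament-jni.so (offset 0x3b000) (BuildId: cf20dfcb911ca5298112d102a06ab9db5b739905)
Memory tags around the fault address (0xb0000748d44d520), one tag per 16 bytes:
      0x748d44d400: 8  8  0  6  6  0  f  f  0  3  3  0  c  c  0  6
    =>0x748d44d500: 6  0 [4] 4  0  2  2  0  7  7  0  6  6  0  b  b
      0x748d44d600: 0  2  2  0  b  b  0  1  1  0  5  5  0  6  6  0
"""

TAG_GRANULE = 16  # MTE assigns one 4-bit tag to every 16-byte granule (assumed: ARMv8.5-A MTE)


def pointer_tag(addr):
    """Logical tag carried in bits [59:56] of a tagged pointer."""
    return (addr >> 56) & 0xF


def untag(addr):
    """Strip the top byte (tag plus top-byte-ignore bits) to obtain the real virtual address."""
    return addr & ((1 << 56) - 1)


def parse_fault_addr(text):
    m = re.search(r"fault addr 0x([0-9a-f]+)", text)
    if m is None:
        raise ValueError("no fault addr in report")
    return int(m.group(1), 16)


def parse_tag_rows(text):
    """Map granule address -> physical tag from the 'Memory tags around' grid."""
    tags = {}
    row_re = re.compile(r"^\s*(?:=>)?\s*0x([0-9a-f]+):\s*(.*)$")
    for line in text.splitlines():
        m = row_re.match(line)
        if m is None:
            continue
        base = int(m.group(1), 16)
        # The [x] brackets only mark the faulting granule; drop them before splitting.
        cells = m.group(2).replace("[", " ").replace("]", " ").split()
        if len(cells) != 16:
            continue  # not a 16-granule tag row
        for i, cell in enumerate(cells):
            tags[base + i * TAG_GRANULE] = int(cell, 16)
    return tags


def parse_cause(text):
    """First 'Cause: [MTE]' line as (kind, offset, allocation size, allocation address)."""
    m = re.search(
        r"Cause: \[MTE\]: ([^,]+), (\d+) bytes (?:into|left of|right of) "
        r"a (\d+)-byte allocation at 0x([0-9a-f]+)", text)
    if m is None:
        raise ValueError("no MTE cause line in report")
    return m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4), 16)


def explain_fault(text):
    """Compare the pointer's logical tag with the physical tag of the faulting granule."""
    fault = parse_fault_addr(text)
    va = untag(fault)
    granule = va - va % TAG_GRANULE
    mem_tag = parse_tag_rows(text).get(granule)
    ptr_tag = pointer_tag(fault)
    return {
        "fault_addr": fault, "untagged": va, "granule": granule,
        "pointer_tag": ptr_tag, "memory_tag": mem_tag,
        "mismatch": mem_tag is not None and mem_tag != ptr_tag,
    }


def allocation_granule_tags(text):
    """Physical tags of every granule covered by the allocation named in the Cause line."""
    _kind, _offset, size, addr = parse_cause(text)
    tags = parse_tag_rows(text)
    first = addr - addr % TAG_GRANULE
    last = (addr + size - 1) - (addr + size - 1) % TAG_GRANULE
    return [tags.get(g) for g in range(first, last + 1, TAG_GRANULE)]


def lib_pcs(text, lib):
    """Load-relative pc offsets of all frames whose path contains `lib`, in report order."""
    return [int(m.group(1), 16)
            for m in re.finditer(r"#\d+ pc ([0-9a-f]+)\s+(\S+)", text)
            if lib in m.group(2)]


def frame_distance(text, lib):
    """Byte distance between the first two frames in `lib` (crash frame vs. freeing frame)."""
    pcs = lib_pcs(text, lib)
    return abs(pcs[0] - pcs[1]) if len(pcs) >= 2 else None


if __name__ == "__main__":
    r = explain_fault(TOMBSTONE)
    print(f"pointer tag 0x{r['pointer_tag']:x}, memory tag 0x{r['memory_tag']:x}, mismatch={r['mismatch']}")
    print("tags of the freed allocation's granules:", allocation_granule_tags(TOMBSTONE))
    print("crash pc to free pc distance (bytes):", frame_distance(TOMBSTONE, "libfilament-jni.so"))
```

The pc values in the frames are offsets from the library's load base (the "(offset 0x3b000)" is where the .so sits inside the APK), so they can be fed to `llvm-symbolizer --obj=libfilament-jni.so 0x59fcc` against an unstripped copy of the library whose BuildId matches the one in the report; a stripped release binary will only yield the exported symbol nearest the offset.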

@westnordost

The libfilament version used in this crash report is com.google.ar.sceneform:filament-android:1.17.1

@pixelflinger pixelflinger self-assigned this May 21, 2024
@pixelflinger pixelflinger added the bug Something isn't working label May 21, 2024
romainguy (Collaborator) commented Jun 4, 2024

Filament 1.17 is over two years old.
