connectedhomeip icon indicating copy to clipboard operation
connectedhomeip copied to clipboard

Published 20 hours ago verified publisher icon project-chip

Use after free of SessionHandle with SecureSession

Open kpschoedel opened this issue 3 years ago • 1 comments

Problem

(revised description in light of initial investigation)

Using a heap ObjectPool for SecureSessionTable::mEntries lets ASAN tracking catch use-after-free:

  1. SessionHandle uses a ReferenceCountedHandle, which calls Retain() and Release() on the Session — but SecureSession inherits the Session default implementations, which are empty, so there is in fact no reference counting.

  2. ~SecureSession() (called e.g. from ExpireInactiveSessions) does call NotifySessionReleased(), but SessionHandle does not register for notification, so its reference becomes stale.

Proposed Solution

Either actually reference counting or using notification to invalidate SessionHandles would solve the use-after-free, but have different implications for SecureSession lifetime.

Either way, SecureSessionTable::mEntries should be converted to a (build-configurable) ObjectPool so that ASAN can catch regressions.

kpschoedel avatar Jan 27 '22 20:01 kpschoedel

@kghost @mrjerryjohns is this still an issue?

bzbarsky-apple avatar Sep 10 '22 04:09 bzbarsky-apple

Issue Scrub: Assigning to @kpschoedel to confirm if this is still happening.

woody-apple avatar Nov 02 '22 17:11 woody-apple

This case can't be happening any more; the code is now using ObjectPool, so ASAN would catch any use-after-free.

kpschoedel avatar Nov 02 '22 20:11 kpschoedel