Fix use-after-free issue for dexfile When we open a dex file, class linker will save dex file address in dex_caches_. Then when GC occurs, the dex file will be freed in art::DexFile_closeDexFile, but dex file address is still in dex_caches_. When some tries to iterate over dex_caches_, HWASAN complains. Therefore remove the dexfile in dex_caches_ when we delete the dex file. Ignore-AOSP-First: Security fix Bug: 222166527 Bug: 238962046 Test: manually Change-Id: I5bb09a906737db986ead9813695918e06ab590c4 (cherry picked from commit 97283036ec6344eba65f28a3c37b2541f674d4a7) Merged-In: I5bb09a906737db986ead9813695918e06ab590c4

commit: 1ee0290eed24868826ad99678cc58eee425ecba8 [log] [tgz]
author: Guo Li <guo.li@mediatek.com> Wed Jul 13 15:57:31 2022 +0800
committer: David Srbecky <dsrbecky@google.com> Fri Sep 09 17:45:19 2022 +0000
tree: 3f958f18747f8f68bf71e4a59888e7a63b9efb01
parent: b8bdc8ac24bb44012d700383737da9726031ee48 [diff] [blame]
diff --git a/runtime/class_linker.cc b/runtime/class_linker.cc
index c8dbc75..f6f98e6 100644
--- a/runtime/class_linker.cc
+++ b/runtime/class_linker.cc

@@ -10298,6 +10298,15 @@
   UNREACHABLE();
 }
 
+void ClassLinker::RemoveDexFromCaches(const DexFile& dex_file) {
+  ReaderMutexLock mu(Thread::Current(), *Locks::dex_lock_);
+
+  auto it = dex_caches_.find(&dex_file);
+  if (it != dex_caches_.end()) {
+      dex_caches_.erase(it);
+  }
+}
+
 // Instantiate ClassLinker::AllocClass.
 template ObjPtr<mirror::Class> ClassLinker::AllocClass</* kMovable= */ true>(
     Thread* self,
commit	1ee0290eed24868826ad99678cc58eee425ecba8	[log] [tgz]
author	Guo Li <guo.li@mediatek.com>	Wed Jul 13 15:57:31 2022 +0800
committer	David Srbecky <dsrbecky@google.com>	Fri Sep 09 17:45:19 2022 +0000
tree	3f958f18747f8f68bf71e4a59888e7a63b9efb01
parent	b8bdc8ac24bb44012d700383737da9726031ee48 [diff] [blame]