From 1ee0290eed24868826ad99678cc58eee425ecba8 Mon Sep 17 00:00:00 2001
From: Guo Li
Date: Wed, 13 Jul 2022 15:57:31 +0800
Subject: Fix use-after-free issue for dexfile

When we open a dex file, class linker will save dex file address in dex_caches_. Then when GC occurs, the dex file will be freed in art::DexFile_closeDexFile, but dex file address is still in dex_caches_. When some tries to iterate over dex_caches_, HWASAN complains. Therefore remove the dexfile in dex_caches_ when we delete the dex file.

Ignore-AOSP-First: Security fix
Bug: 222166527
Bug: 238962046
Test: manually
Change-Id: I5bb09a906737db986ead9813695918e06ab590c4
(cherry picked from commit 97283036ec6344eba65f28a3c37b2541f674d4a7)
Merged-In: I5bb09a906737db986ead9813695918e06ab590c4
---
 runtime/native/dalvik_system_DexFile.cc | 1 +
 1 file changed, 1 insertion(+)

(limited to 'runtime/native/dalvik_system_DexFile.cc')

diff --git a/runtime/native/dalvik_system_DexFile.cc b/runtime/native/dalvik_system_DexFile.cc
index d714206241..ecb901044a 100644
--- a/runtime/native/dalvik_system_DexFile.cc
+++ b/runtime/native/dalvik_system_DexFile.cc
@@ -377,6 +377,7 @@ static jboolean DexFile_closeDexFile(JNIEnv* env, jclass, jobject cookie) {
 if (!class_linker->IsDexFileRegistered(soa.Self(), *dex_file)) {
 // Clear the element in the array so that we can call close again.
 long_dex_files->Set(i, 0);
+ class_linker->RemoveDexFromCaches(*dex_file);
 delete dex_file;
 } else {
 all_deleted = false;
--
cgit v1.2.3-59-g8ed1b
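Review bot: The registration check on the `if` line and the new `RemoveDexFromCaches` call are two separate class-linker calls, so unless both run under one lock acquisition (neither function body nor the locking of the enclosing loop is visible in this hunk), there is a window in which another thread could register this dex file between `IsDexFileRegistered` returning false and the `delete dex_file;` that follows, leaving a registered DexFile freed — the same class of bug this commit is fixing. If the class linker has, or can grow, a single operation that erases the entry only when no live dex cache refers to it and reports whether it did, calling that under one lock and keying `delete` on its result would close the window; if the two-step form is known to be safe because of a lock held by the caller, that should be stated at the call site. Independently, the added line deserves a comment recording the ordering constraint the fix relies on, e.g. `// dex_caches_ still holds this DexFile's address; drop that entry before freeing the file so no stale pointer survives.` DexFile_closeDexFile starts and ends outside this hunk.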