Geek Answers Handbook

Heap Corruption - SEGV_MAPERR on Android. Source

I'm trying to create a small library for AES encryption for a stream, I started my work on the basis of the Facebook Conceal project ( https://github.com/facebook/conceal ) just changing some things and improving the wrapper around the native to support ciphers with addition.

It works, and it can decrypt files without problems, but I get random heap memory corruption when I work with large threads, and after a lot of debugging time, I could not find the error.

Here is my code:
https://gist.github.com/frisco82/9782725

I tried to find memory allocation or free problems, but there is almost no malloc or free, and the jni call should be safe, the same goes for opensl (I compiled my own, but the hidden ones also failed)

CheckJni doesn’t warn about anything, and although handling the context is a bit out of the box, it doesn't seem to be broken (indeed, Android encryption seems to use something similar).

In addition, if someone can point me to the native AES multiprocessor (several update requests), I will switch to it and forget it.

The error changes from time to time, but it usually looks like it:

03-26 10:33:02.065: A/dalvikvm(2475): @@@ ABORTING: DALVIK: HEAP MEMORY CORRUPTION IN mspace_malloc addr=0x0 03-26 10:33:02.065: A/libc(2475): Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 2494 (AsyncTask #1) 03-26 10:33:02.205: I/DEBUG(933): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 03-26 10:33:02.205: I/DEBUG(933): Build fingerprint: 'generic_x86/google_sdk_x86/generic_x86:4.4.2/KK/999428:eng/test-keys' 03-26 10:33:02.205: I/DEBUG(933): Revision: '0' 03-26 10:33:02.205: I/DEBUG(933): pid: 2475, tid: 2494, name: AsyncTask #1 >>> com.proton <<< 03-26 10:33:02.205: I/DEBUG(933): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad

Full stack trace:
http://pastebin.com/f6mDuQEj

0
source share
2 answers

In the end, I was able to get around this problem, EVP_CipherUpdate (or jni ReleaseByteArrayElements ) sometimes overflows the output buffer, causing heap corruption, there was nothing in my code, and there were no problems with the caller as replacing EVP_CipherUpdate with a memcpy call with the same parameters, as expected, and there was no heap damage.

So, the solution added extra length to the output buffer sent to nativeUpdate, and the error went away.

I made a full working version of the library for other users: https://github.com/frisco82/conceal

+1
source

It works, and it can decrypt files without problems, but I get random heap memory corruption when I work with large threads.

From the above line, it seems to me that your program explicitly overwrites memory that was implicitly or explicitly allocated by your code. I tried to understand your code, but it was not clear to me. But I tried to look from the memory corruption script and found that your program has malloc / free call, which can lead to memory overflow.

 EVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX*) malloc(sizeof(EVP_CIPHER_CTX)); EVP_CIPHER_CTX_init(ctx); EVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX*) malloc(sizeof(EVP_CIPHER_CTX)); EVP_CIPHER_CTX_init(ctx);

I tried to check the layout of the EVP_CIPHER_CTX structure, but it was not available in your code. But I saw that these pointers are used in different contexts of your program. Now you should check that in this scenario your buffer can be overwritten as several places where you used different keyLength , and depending on this, your program performs different functions. I think you can look at these codes and see if overflow is possible !!! ....

How your application will work on an Android-based system, where we will not be able to run any dynamic tool (Valgrind / WinDBG / Pageheap ..), so, I think, you need to look at your code, put some log in an important place and look where you are texting.

The reliability of the above information will be useful for you to understand your problem.

+1
source

More articles:


All Articles