modules: alsa-midi: delay listener registration

If do_create() or start_inotify() fails, the hook is not unregistered, leaving dangling pointers in the sm_media_session's hook list, potentially leading to a use-after-free.

For example:

[E][02903.857072] ms.mod.alsa-midi | [     alsa-midi.c:  150 start_inotify()] inotify_add_watch() '/dev/snd' failed: No such file or directory
[I][02903.857128] ms.core      | [ media-session.c: 2593 main()] enabling media session module: alsa-monitor
[I][02903.857217] pw.conf      | [          conf.c:  327 conf_load()] 0x606000003860: loading config '.../alsa-monitor.conf'
=================================================================
==587==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001678 at pc 0x5600239233bd bp 0x7ffd88c9c860 sp 0x7ffd88c9c850
WRITE of size 8 at 0x607000001678 thread T0
    #0 0x5600239233bc in spa_list_insert_list ../spa/include/spa/utils/list.h:69
    #1 0x5600239233bc in spa_hook_list_isolate ../spa/include/spa/utils/hook.h:397
    #2 0x5600239233bc in sm_media_session_add_listener ../subprojects/media-session/src/media-session.c:1544
    #3 0x5600238353ab in sm_alsa_monitor_start ../subprojects/media-session/src/alsa-monitor.c:1227
    #4 0x560023936770 in main ../subprojects/media-session/src/media-session.c:2594
    #5 0x7f990f1c8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #6 0x560023804cbd in _start (/mnt/pipewire/build/subprojects/media-session/src/pipewire-media-session+0x391cbd)

0x607000001678 is located 8 bytes inside of 80-byte region [0x607000001670,0x6070000016c0)
freed by thread T0 here:
    #0 0x7f9910c8cf19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x560023810ded in sm_alsa_midi_start ../subprojects/media-session/src/alsa-midi.c:217
    #2 0x560023936770 in main ../subprojects/media-session/src/media-session.c:2594
    #3 0x7f990f1c8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

previously allocated by thread T0 here:
    #0 0x7f9910c8d459 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x560023810ad8 in sm_alsa_midi_start ../subprojects/media-session/src/alsa-midi.c:185
    #2 0x560023936770 in main ../subprojects/media-session/src/media-session.c:2594
    #3 0x7f990f1c8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-use-after-free ../spa/include/spa/utils/list.h:69 in spa_list_insert_list
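
A minimal C model of the ordering problem described in the commit message above, added here as an illustration and not taken from the PipeWire source. Every type and function name is hypothetical, and freeing the module is modelled by clearing a flag so that the check for stale hooks stays well-defined.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not PipeWire code: all names below are hypothetical. */
struct hook { struct hook *prev, *next; bool owner_alive; };
struct session { struct hook hooks; };            /* intrusive list head */
struct module { struct hook listener; };          /* hook lives inside module state */

static void session_init(struct session *s) { s->hooks.prev = s->hooks.next = &s->hooks; }

static void add_listener(struct session *s, struct hook *h) {
    h->prev = s->hooks.prev;
    h->next = &s->hooks;
    s->hooks.prev->next = h;
    s->hooks.prev = h;
}

/* Stand-in for free(): marks the module released without unlinking its hook. */
static void release(struct module *m) { m->listener.owner_alive = false; }

/* Count linked hooks whose owner was released; each is a pending use-after-free. */
static int dangling_hooks(const struct session *s) {
    int n = 0;
    for (const struct hook *h = s->hooks.next; h != &s->hooks; h = h->next)
        if (!h->owner_alive) n++;
    return n;
}

/* delayed=false registers before the fallible setup step;
 * delayed=true registers only once setup has succeeded. */
static int module_start(struct session *s, struct module *m, bool setup_ok, bool delayed) {
    m->listener.owner_alive = true;
    if (!delayed) add_listener(s, &m->listener);
    if (!setup_ok) { release(m); return -1; }     /* error path: module state is gone */
    if (delayed) add_listener(s, &m->listener);
    return 0;
}

/* Run one failed start and report how many stale hooks the session still holds. */
int dangling_after_failed_start(bool delayed) {
    struct session s;
    struct module m;
    session_init(&s);
    module_start(&s, &m, false, delayed);
    return dangling_hooks(&s);
}

int main(void) {
    printf("early: %d stale hook(s), delayed: %d stale hook(s)\n",
           dangling_after_failed_start(false), dangling_after_failed_start(true));
    return 0;
}
```

With a real free() in place of release(), the next insertion into the session's list writes through the stale node, which matches the write in spa_list_insert_list that the trace above reports.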
