Description
Hi! First and foremost, thanks a lot for your amazing app.
I use the latest F-Droid version of TrackerControl 2024.01.03-fdroid
on GrapheneOS with a Pixel phone which supports memory tagging (MTE).
Describe the bug
As soon as I start TrackerControl with MTE enabled, the app crashes (the kernel sends a SEGV signal to the app).
Here's the stacktrace:
type: crash
osVersion: google/shiba/shiba:14/AP2A.240905.003/2024092900:user/release-keys
uid: 10187 (u:r:untrusted_app:s0:c187,c256,c512,c768)
cmdline: net.kollnig.missioncontrol.fdroid
processUptime: 4s
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 300cd3a1dd95070
threadName: Thread-7
MTE: enabled
backtrace:
/data/app/~~pHwUjYdRNOm6EEiFguMLVQ==/net.kollnig.missioncontrol.fdroid-gcDYMW9uEkljtuopzUD64A==/lib/arm64/libnetguard.so (handle_events+692, pc b3d8)
/data/app/~~pHwUjYdRNOm6EEiFguMLVQ==/net.kollnig.missioncontrol.fdroid-gcDYMW9uEkljtuopzUD64A==/oat/arm64/base.odex (art_jni_trampoline+112, pc 142c5d0)
/data/app/~~pHwUjYdRNOm6EEiFguMLVQ==/net.kollnig.missioncontrol.fdroid-gcDYMW9uEkljtuopzUD64A==/oat/arm64/base.odex (eu.faircode.netguard.ServiceSinkhole$1.run+336, pc 1410890)
/system/framework/arm64/boot.oat (java.lang.Thread.run+64, pc 1461f0)
/apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612, pc 3a9174)
/apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+148, pc 3454c4)
/apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1724, pc 4a4e5c)
/apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+12, pc 4a478c)
/apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc 7969c)
/apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 6a064)
The crash happens in the handle_events function in libnetguard.so.
I'm sorry for not being able to provide a more detailed stack trace; it would require me to rebuild TrackerControl with debug symbols, which I don't have the time for right now.
I don't know if it is the reason for this crash, but it seems to me there's a clear use-after-free bug here:
tracker-control-android/app/src/main/jni/netguard/session.c, lines 278 to 281 in acba328
To Reproduce
- Install TrackerControl on a phone with MTE enabled
- Use TrackerControl, it will crash as soon as it is being used
I don't know if the Android emulator supports MTE, but even if it does not, you should probably be able to catch this bug using the address sanitizer from the NDK.
@thestinger might have some hints on how to debug this properly when you don't have an MTE-capable phone available.
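To make the use-after-free pattern and its detection concrete, here is an added, self-contained C example; it is not TrackerControl or NetGuard code and does not reproduce session.c. It uses a constructed session list (a hypothetical session_t, not ng_session) and shows the classic list-cleanup defect, reading s->next after free(s), beside the corrected version that saves the successor first. Built with clang -g -fsanitize=address uaf_demo.c and run as ./a.out buggy, AddressSanitizer reports heap-use-after-free at the marked line; on a device where MTE is enabled for the process (as in the report above; on stock Android an app opts in with android:memtagMode in its manifest), the same load faults with SEGV_MTESERR because the freed block's tag no longer matches the pointer's. The default run takes the fixed path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed session record (hypothetical, not NetGuard's ng_session). */
typedef struct session {
    int id;
    long expires;          /* expiry timestamp, arbitrary units */
    struct session *next;
} session_t;

/* Prepend a session to the list and return the new head. */
session_t *session_push(session_t *head, int id, long expires) {
    session_t *s = malloc(sizeof *s);
    if (s == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    s->id = id;
    s->expires = expires;
    s->next = head;
    return s;
}

/* Buggy cleanup: unlinks and frees an expired node, then reads s->next from
 * the freed block. Plain builds often "work" by luck; ASan reports
 * heap-use-after-free here and MTE hardware faults with SEGV_MTESERR.
 * Kept only to demonstrate the detectors; never call it in real code. */
int reap_expired_buggy(session_t **head, long now) {
    session_t *prev = NULL, *s = *head;
    int freed = 0;
    while (s != NULL) {
        if (s->expires <= now) {
            if (prev == NULL) *head = s->next; else prev->next = s->next;
            free(s);
            freed++;
            s = s->next;               /* BUG: s was freed one line earlier */
        } else {
            prev = s;
            s = s->next;
        }
    }
    return freed;
}

/* Fixed cleanup: read the successor while s is still valid, then free. */
int reap_expired(session_t **head, long now) {
    session_t *prev = NULL, *s = *head;
    int freed = 0;
    while (s != NULL) {
        session_t *next = s->next;     /* saved before any free() */
        if (s->expires <= now) {
            if (prev == NULL) *head = next; else prev->next = next;
            free(s);
            freed++;
        } else {
            prev = s;
        }
        s = next;
    }
    return freed;
}

size_t session_count(const session_t *head) {
    size_t n = 0;
    for (; head != NULL; head = head->next) n++;
    return n;
}

void session_free_all(session_t *head) {
    while (head != NULL) {
        session_t *next = head->next;
        free(head);
        head = next;
    }
}

/* Constructed sample: ids 1..3 with expiries 100, 200, 50 (head is id 3). */
session_t *build_sample_list(void) {
    session_t *head = NULL;
    head = session_push(head, 1, 100);
    head = session_push(head, 2, 200);
    head = session_push(head, 3, 50);
    return head;
}

int main(int argc, char **argv) {
    session_t *head = build_sample_list();
    int freed;
    /* Pass "buggy" to exercise the defective version under ASan or MTE. */
    if (argc > 1 && strcmp(argv[1], "buggy") == 0)
        freed = reap_expired_buggy(&head, 100);
    else
        freed = reap_expired(&head, 100);
    printf("freed %d, %zu remaining\n", freed, session_count(head));
    session_free_all(head);
    return 0;
}
```

The fix is purely a matter of ordering: every field of a node that is still needed after its removal must be read into a local before free(). The same discipline applies to any "free then continue iterating" loop, which is why ASan or an MTE-enabled device is the fastest way to confirm whether the lines referenced above are the cause of this crash.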