Because I'm collecting MTE-related issues on Android, a good friend of mine reached out to me about an interesting one happening in Signal, caught by GrapheneOS' hardened_malloc MTE usage on his partner's phone:
type: crash
osVersion: google/husky/husky:14/AP2A.240605.024/2024062000:user/release-keys
uid: 10186 (u:r:untrusted_app_32:s0:c186,c256,c512,c768)
cmdline: org.thoughtcrime.securesms
processUptime: 3327s
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr a00c60bde0582c8
threadName: crime.securesms
MTE: enabled
backtrace:
/system/lib64/libhwui.so (SkOpEdgeBuilder::preFetch()+560, pc 33d860)
/system/lib64/libhwui.so (OpDebug(SkPath const&, SkPath const&, SkPathOp, SkPath*)+544, pc 33b8c0)
/system/lib64/libhwui.so (android::SkPathGlue::op(_JNIEnv*, _jclass*, long, long, int, long)+28, pc 5086bc)
/system/framework/arm64/boot-framework.oat (art_jni_trampoline+120, pc 1e45c8)
/system/framework/arm64/boot-framework.oat (android.graphics.Path.op+88, pc 2a24e8)
/system/framework/arm64/boot-framework.oat (android.graphics.Path.op+64, pc 2a2470)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (com.google.android.material.shape.ShapeAppearancePathProvider.pathOverlapsCorner+268, pc 3b9977c)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (com.google.android.material.shape.ShapeAppearancePathProvider.appendEdgePath+912, pc 3b98f10)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (com.google.android.material.shape.ShapeAppearancePathProvider.calculatePath+384, pc 3b99f10)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (com.google.android.material.shape.ShapeAppearancePathProvider.calculatePath+64, pc 3b99d70)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (com.google.android.material.shape.MaterialShapeDrawable.calculateStrokePath+528, pc 4053900)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (com.google.android.material.shape.MaterialShapeDrawable.draw+328, pc 4055a48)
/system/framework/arm64/boot-framework.oat (android.graphics.drawable.LayerDrawable.draw+124, pc 3bba0c)
/system/framework/arm64/boot-framework.oat (android.graphics.drawable.RippleDrawable.drawContent+140, pc 44567c)
/system/framework/arm64/boot-framework.oat (android.graphics.drawable.RippleDrawable.drawPatterned+308, pc 445804)
/system/framework/arm64/boot-framework.oat (android.graphics.drawable.RippleDrawable.draw+380, pc 447e3c)
/system/framework/arm64/boot-framework.oat (android.view.View.getDrawableRenderNode+628, pc 6adfa4)
/system/framework/arm64/boot-framework.oat (android.view.View.drawBackground+136, pc 6ad508)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+100, pc 6b6bd4)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+1012, pc 6d1604)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.coordinatorlayout.widget.CoordinatorLayout.drawChild+744, pc 232f2e8)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.constraintlayout.widget.ConstraintLayout.dispatchDraw+264, pc 1bd00c8)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+184, pc 6b6c28)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+1012, pc 6d1604)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.fragment.app.FragmentContainerView.drawChild+284, pc 1caa86c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.fragment.app.FragmentContainerView.dispatchDraw+348, pc 1caa71c)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.fragment.app.FragmentContainerView.drawChild+284, pc 1caa86c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.fragment.app.FragmentContainerView.dispatchDraw+348, pc 1caa71c)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.constraintlayout.widget.ConstraintLayout.dispatchDraw+264, pc 1bd00c8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.fragment.app.FragmentContainerView.drawChild+284, pc 1caa86c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (androidx.fragment.app.FragmentContainerView.dispatchDraw+348, pc 1caa71c)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+792, pc 6d1528)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+1180, pc 6b7b1c)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.drawChild+60, pc 738bec)
/system/framework/arm64/boot-framework.oat (android.view.ViewGroup.dispatchDraw+1560, pc 735fa8)
/system/framework/arm64/boot-framework.oat (android.view.View.draw+184, pc 6b6c28)
/system/framework/arm64/boot-framework.oat (com.android.internal.policy.DecorView.draw+44, pc 7fef8c)
/system/framework/arm64/boot-framework.oat (android.view.View.updateDisplayListIfDirty+1012, pc 6d1604)
/system/framework/arm64/boot-framework.oat (android.view.ThreadedRenderer.updateViewTreeDisplayList+84, pc 6a4f14)
/system/framework/arm64/boot-framework.oat (android.view.ThreadedRenderer.updateRootDisplayList+152, pc 6a4ab8)
/system/framework/arm64/boot-framework.oat (android.view.ThreadedRenderer.draw+104, pc 6a5158)
/system/framework/arm64/boot-framework.oat (android.view.ViewRootImpl.draw+2868, pc 6ddc94)
/system/framework/arm64/boot-framework.oat (android.view.ViewRootImpl.performDraw+468, pc 6e2c54)
/system/framework/arm64/boot-framework.oat (android.view.ViewRootImpl.performTraversals+13264, pc 6e6af0)
/system/framework/arm64/boot-framework.oat (android.view.ViewRootImpl.doTraversal+192, pc 6ebba0)
/system/framework/arm64/boot-framework.oat (android.view.ViewRootImpl$TraversalRunnable.run+52, pc 6375a4)
/system/framework/arm64/boot-framework.oat (android.view.Choreographer$FrameDisplayEventReceiver.run+72, pc 687498)
/system/framework/arm64/boot-framework.oat (android.os.Handler.dispatchMessage+68, pc 4f3904)
/system/framework/arm64/boot-framework.oat (android.os.Looper.loopOnce+980, pc 4f6934)
/system/framework/arm64/boot-framework.oat (android.os.Looper.loop+244, pc 4f64e4)
/system/framework/arm64/boot-framework.oat (android.app.ActivityThread.main+1560, pc 2de2e8)
/apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640, pc 3a9440)
/apex/com.android.art/lib64/libart.so (_jobject* art::InvokeMethod<(art::PointerSize)8>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+856, pc 3633e8)
/apex/com.android.art/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*) (.__uniq.165753521025965369065708152063621506277)+36, pc 363074)
/system/framework/arm64/boot.oat (art_jni_trampoline+116, pc 9a114)
/system/framework/arm64/boot-framework.oat (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+116, pc 7b6384)
/apex/com.android.art/lib64/libart.so (nterp_helper+7636, pc 6d2814)
/system/framework/framework.jar (com.android.internal.os.ExecInit.main+88, pc c5ad0)
/apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640, pc 3a9440)
/apex/com.android.art/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+896, pc 68fb10)
/system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+108, pc e5b0c)
/system/lib64/libandroid_runtime.so (android::AndroidRuntime::callMain(android::String8 const&, _jclass*, android::Vector<android::String8> const&)+340, pc ee074)
/system/bin/app_process64 (android::AppRuntime::onStarted()+72, pc 29f8)
/system/framework/arm64/boot-framework.oat (art_jni_trampoline+104, pc 1db198)
/apex/com.android.art/lib64/libart.so (nterp_helper+152, pc 6d0ad8)
/system/framework/framework.jar (com.android.internal.os.RuntimeInit.main+48, pc d44dc)
/apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640, pc 3a9440)
/apex/com.android.art/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+896, pc 68fb10)
/system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+108, pc e5b0c)
/system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+844, pc f1b4c)
/system/bin/app_process64 (main+1232, pc 25b0)
/apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+120, pc 5f0a8)
The root cause seems to be Skia's path-ops code (linked into libhwui.so; the crash is in SkOpEdgeBuilder::preFetch, reached from android.graphics.Path.op via Material's ShapeAppearancePathProvider) doing some weird things when an avatar image is being clipped during a call. The signal code is the detail worth reading: code 9 (SEGV_MTESERR) is a synchronous MTE tag-check fault, so the reported PC is the exact faulting instruction and the access used a pointer whose tag (0xa, the top nibble of the fault address) did not match the tag of the memory it touched. That is the signature of an out-of-bounds or use-after-free access into hardened_malloc-tagged memory, not a plain null or wild-pointer dereference. Unfortunately, my friend didn't share a more detailed log with me, and I'm too lazy to investigate this further, but since it's avatar-related, and thus attacker-controlled input, odds are that it might be exploitable.
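Reading reports like this one by hand stops scaling once you are collecting them. The following Python is an added example (mine, not code from the original post, from Signal or from GrapheneOS) that parses the header and backtrace layout shown above, decides from the si_code whether the crash is an MTE tag-check fault (SEGV_MTEAERR = 8 and SEGV_MTESERR = 9 are the values from the Linux uapi siginfo definitions), extracts the logical tag from bits 56..59 of the fault address, and picks the first native and first app-owned frames as a grouping key. The embedded sample is a trimmed copy of the report above; the Frame, Triage, parse_report and bucket names are my own.

```python
"""Bucket Android crash reports by whether they are MTE tag-check faults.
Added example, not code from the original post, Signal or GrapheneOS; it parses
the header/backtrace layout shown above (the sample below is a trimmed copy)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# SIGSEGV si_code values from the Linux uapi siginfo definitions.
SEGV_MTEAERR = 8  # asynchronous tag-check fault: the reported PC is imprecise
SEGV_MTESERR = 9  # synchronous tag-check fault: PC is the faulting instruction

SIGNAL_RE = re.compile(r"^signal:\s*(?P<signo>\d+)\s*\(\w+\),\s*code\s*(?P<code>-?\d+)"
                       r"\s*\((?P<codename>\w+)\)(?:,\s*faultAddr\s*(?P<addr>[0-9a-fx]+))?")
# "<object> (<symbol>+<offset>, pc <hex>)"; the symbol may itself contain parentheses.
FRAME_RE = re.compile(r"^(?P<obj>/\S+)\s+\((?P<sym>.+?)\+(?P<off>\d+),\s*pc\s+(?P<pc>[0-9a-f]+)\)$")

@dataclass
class Frame:
    obj: str
    sym: str
    off: int
    pc: int

    @property
    def kind(self) -> str:
        if self.obj.startswith("/data/app/"):
            return "app"        # the application's own AOT-compiled code
        if self.obj.endswith(".so"):
            return "native"     # C/C++ library, where the corruption actually happens
        return "framework"      # boot*.oat, framework.jar, ...

@dataclass
class Triage:
    process: str
    signo: int
    code: int
    codename: str
    fault_addr: Optional[int]
    frames: List[Frame]

    @property
    def is_mte_fault(self) -> bool:
        return self.signo == 11 and self.code in (SEGV_MTEAERR, SEGV_MTESERR)

    @property
    def tag(self) -> Optional[int]:
        # The logical tag of the faulting pointer sits in bits 56..59 of the address.
        return None if self.fault_addr is None else (self.fault_addr >> 56) & 0xF

    def first(self, kind: str) -> Optional[Frame]:
        return next((f for f in self.frames if f.kind == kind), None)

    def bucket(self) -> str:
        """One-line grouping key: process, fault class, tag and the two frames that matter."""
        if not self.is_mte_fault:
            return f"{self.process}: {self.codename}, not an MTE tag-check fault"
        mode = "sync" if self.code == SEGV_MTESERR else "async"
        tag = "?" if self.tag is None else f"0x{self.tag:x}"
        native, app = self.first("native"), self.first("app")
        return (f"{self.process}: MTE {mode} tag-check fault, tag={tag}; "
                f"native={native.sym if native else '?'}; app={app.sym if app else '?'}")

def parse_report(text: str) -> Triage:
    header, frames, sig, in_backtrace = {}, [], None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if in_backtrace:
            m = FRAME_RE.match(line)
            if m:  # frames without a symbol are skipped rather than mis-parsed
                frames.append(Frame(m["obj"], m["sym"], int(m["off"]), int(m["pc"], 16)))
        elif line == "backtrace:":
            in_backtrace = True
        elif (m := SIGNAL_RE.match(line)):
            sig = m
        else:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    if sig is None:
        raise ValueError("report has no 'signal:' line")
    addr = int(sig["addr"], 16) if sig["addr"] else None
    return Triage(header.get("cmdline", "?"), int(sig["signo"]), int(sig["code"]),
                  sig["codename"], addr, frames)

# Trimmed copy of the report above: header plus the frames that matter for bucketing.
SAMPLE_REPORT = """\
type: crash
cmdline: org.thoughtcrime.securesms
signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr a00c60bde0582c8
MTE: enabled
backtrace:
/system/lib64/libhwui.so (SkOpEdgeBuilder::preFetch()+560, pc 33d860)
/system/lib64/libhwui.so (OpDebug(SkPath const&, SkPath const&, SkPathOp, SkPath*)+544, pc 33b8c0)
/system/framework/arm64/boot-framework.oat (art_jni_trampoline+120, pc 1e45c8)
/system/framework/arm64/boot-framework.oat (android.graphics.Path.op+88, pc 2a24e8)
/data/app/~~wIAV5VK94uQz0cpuWYSITQ==/org.thoughtcrime.securesms-No1zhX-f9AXdIHF3vGBbig==/oat/arm64/base.odex (com.google.android.material.shape.ShapeAppearancePathProvider.pathOverlapsCorner+268, pc 3b9977c)
/apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+120, pc 5f0a8)
"""

if __name__ == "__main__":
    print(parse_report(SAMPLE_REPORT).bucket())
```

The bucket key deliberately pairs the first native frame (where memory actually gets corrupted) with the first app-owned frame (the code a vendor can change), because, as this case shows, the fix for a tag-check fault in platform code often lands in the app's Java rather than in the library that faulted.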
The issue never made its way to production and only existed in 7.10.0-beta: it was introduced in 11557e4815e5acc429db79945b94c9e5465eed77 on the 24th of June 2024, reported to Signal's security team, likely on the 26th of June 2024, and fixed in 37815a3f39661b4331c4ed26fbd640618e4b7147 the very same day. It's interesting to note that the fix is a couple of lines of safe-looking pure Java code, not C++, which makes this kind of bug hard to spot in review: the memory-unsafe code is the platform's Skia path-ops behind android.graphics.Path.op, and nothing in the app's Java diff looks like it touches memory at all.
Anyway, it's always nice to see this kind of memory-corruption issue being caught "in the wild".