[Android-tools-devel] Bug#1040409: aapt: unaligned memory access
Mattia Rizzolo
mattia at debian.org
Wed Jul 5 17:03:38 BST 2023
Package: aapt
Version: 1:10.0.0+r36-10
Severity: important
This has been noticed on Ubuntu, on an armhf container running on arm64.
root@optimum-quagga:~/diffoscope# gdb --args aapt2 dump resources /tmp/tmpntfkh146/out.apk
GNU gdb (Ubuntu 13.2-1ubuntu1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from aapt2...
Reading symbols from /usr/lib/debug/.build-id/08/4ab3c604520da0c8ff77de341641ed94213b9d.debug...
(gdb) r
Starting program: /usr/bin/aapt2 dump resources /tmp/tmpntfkh146/out.apk
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
Program received signal SIGBUS, Bus error.
android::ResTable_config::copyFromDeviceNoSwap (this=0xfffee6b0, o=...) at ./libs/androidfw/ResourceTypes.cpp:1838
1838 ./libs/androidfw/ResourceTypes.cpp: No such file or directory.
(gdb) bt
#0 android::ResTable_config::copyFromDeviceNoSwap (this=0xfffee6b0, o=...) at ./libs/androidfw/ResourceTypes.cpp:1838
#1 android::ResTable_config::copyFromDtoH (this=0xfffee6b0, o=...) at ./libs/androidfw/ResourceTypes.cpp:1911
#2 0x004b4a28 in aapt::BinaryResourceParser::ParseType (this=this@entry=0xfffeed58, package=package@entry=0x5bc8a8, chunk=0xf7fcf709) at ./tools/aapt2/format/binary/BinaryResourceParser.cpp:352
#3 0x004b3928 in aapt::BinaryResourceParser::ParsePackage (this=this@entry=0xfffeed58, chunk=<optimized out>) at ./tools/aapt2/format/binary/BinaryResourceParser.cpp:241
#4 0x004b2ff4 in aapt::BinaryResourceParser::ParseTable (this=this@entry=0xfffeed58, chunk=<optimized out>) at ./tools/aapt2/format/binary/BinaryResourceParser.cpp:156
#5 0x004b2914 in aapt::BinaryResourceParser::Parse (this=0xfffeed58) at ./tools/aapt2/format/binary/BinaryResourceParser.cpp:109
#6 0x00511054 in aapt::LoadedApk::LoadBinaryApkFromFileCollection (source=..., collection=std::unique_ptr<aapt::io::IFileCollection> = {...}, diag=diag@entry=0xfffef338) at ./tools/aapt2/LoadedApk.cpp:168
#7 0x00510844 in aapt::LoadedApk::LoadApkFromPath (path=..., diag=0xfffef338) at ./tools/aapt2/LoadedApk.cpp:87
#8 0x00428b18 in aapt::DumpApkCommand::Action (this=0x5ba290, args=...) at tools/aapt2/cmd/Dump.h:72
#9 0x00413440 in aapt::Command::Execute (this=0x5ba290, args=..., out_error=<optimized out>) at ./tools/aapt2/cmd/Command.cpp:250
#10 0x00413548 in aapt::Command::Execute (this=0x5b7eb8, args=..., out_error=<optimized out>) at ./tools/aapt2/cmd/Command.cpp:200
#11 0x00413548 in aapt::Command::Execute (this=0x5b5a40, args=..., out_error=<optimized out>) at ./tools/aapt2/cmd/Command.cpp:200
#12 0x00552dd0 in MainImpl (argc=<optimized out>, argv=<optimized out>) at ./tools/aapt2/Main.cpp:177
#13 0xf7a5b7da in __libc_start_call_main (main=main@entry=0x552e44 <main(int, char**)>, argc=argc@entry=4, argv=0xfffef534, argv@entry=0xf7b4d000) at ../sysdeps/nptl/libc_start_call_main.h:58
#14 0xf7a5b87e in __libc_start_main_impl (main=0x552e44 <main(int, char**)>, argc=4, argv=0xf7b4d000, init=<optimized out>, fini=0x0, rtld_fini=0xf7fd5539 <_dl_fini>, stack_end=0xfffef534) at libc-start.c:360
#15 0x00411ab0 in _start ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) disassemble
Dump of assembler code for function _ZN7android15ResTable_config12copyFromDtoHERKS0_:
0xf7eb95c4 <+0>: push {r4, r5, r6, r7, r8, lr}
0xf7eb95c8 <+4>: ldr r5, [r1]
0xf7eb95cc <+8>: mov r8, r0
0xf7eb95d0 <+12>: cmp r5, #64 @ 0x40
0xf7eb95d4 <+16>: bcc 0xf7eb95f4 <_ZN7android15ResTable_config12copyFromDtoHERKS0_+48>
=> 0xf7eb95d8 <+20>: ldm r1!, {r2, r3, r4, r5, r6}
0xf7eb95dc <+24>: stmia r0!, {r2, r3, r4, r5, r6}
0xf7eb95e0 <+28>: ldm r1!, {r2, r3, r4, r5, r6}
0xf7eb95e4 <+32>: stmia r0!, {r2, r3, r4, r5, r6}
0xf7eb95e8 <+36>: ldm r1, {r2, r3, r4, r5, r6, r7}
0xf7eb95ec <+40>: stm r0, {r2, r3, r4, r5, r6, r7}
0xf7eb95f0 <+44>: b 0xf7eb960c <_ZN7android15ResTable_config12copyFromDtoHERKS0_+72>
0xf7eb95f4 <+48>: mov r2, r5
0xf7eb95f8 <+52>: bl 0xf7e990dc <memcpy@plt>
0xf7eb95fc <+56>: add r0, r8, r5
0xf7eb9600 <+60>: rsb r2, r5, #64 @ 0x40
0xf7eb9604 <+64>: mov r1, #0
0xf7eb9608 <+68>: bl 0xf7e98c8c <memset@plt>
0xf7eb960c <+72>: mov r0, #64 @ 0x40
0xf7eb9610 <+76>: str r0, [r8]
0xf7eb9614 <+80>: pop {r4, r5, r6, r7, r8, pc}
End of assembler dump.
(gdb)
More: https://bugs.launchpad.net/ubuntu/+source/diffoscope/+bug/2026151
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
More about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
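The fault in the report is the classic unaligned-access case on 32-bit ARM: after `cmp r5, #64` the 64-byte struct copy was compiled into `ldm`/`stm` (instructions +20 to +40), which require a word-aligned base register, while the record it copies lives inside the APK bytes at an odd address (note `chunk=0xf7fcf709` in frame #2). The compiler is entitled to emit those instructions because the source is a typed `const ResTable_config&`, whose alignment it assumes; the `memcpy@plt` path at +52 is only taken for short records. The C example below is added here for illustration and is not code from aapt2 or from the bug report. It uses a hypothetical 64-byte `struct cfg` (a leading `uint32_t size` plus opaque payload) standing in for the device-endian record, a constructed sample chunk rather than a real `resources.arsc`, and contrasts the typed-pointer copy that lets the compiler assume alignment with a byte-pointer copy that does not; the bound on the bytes available is this example's own addition, not a statement about what aapt2 checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 64-byte record: uint32 size field, then opaque payload.
 * Stands in for the device-endian config struct whose copy faulted; it is
 * NOT the real android::ResTable_config layout. */
#define CFG_SIZE 64u

struct cfg {
    uint32_t size;
    uint8_t  payload[CFG_SIZE - sizeof(uint32_t)];
};

/* 1 if p is a multiple of align, else 0. */
static int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

/* The faulting pattern: src is a typed pointer into an mmapped file, so the
 * compiler may assume 4-byte alignment and emit ldm/stm for the 64-byte fast
 * path. On armhf an odd src is SIGBUS; in C it is undefined behaviour on any
 * target. Mirrors the size test, short-copy-and-zero path and final size
 * fix-up visible in the disassembly. */
static void copy_cfg_typed(struct cfg *dst, const struct cfg *src)
{
    uint32_t n = src->size;                     /* ldr r5, [r1] */
    if (n >= CFG_SIZE) {
        *dst = *src;                            /* ldm/stm fast path */
    } else {
        memcpy(dst, src, n);                    /* memcpy@plt */
        memset((uint8_t *)dst + n, 0, CFG_SIZE - n);
    }
    dst->size = CFG_SIZE;
}

/* Alignment-agnostic version: src stays a byte pointer and every field is
 * fetched with memcpy, so no alignment is assumed. The bound on avail is an
 * addition of this example. Size is read in host order here. */
static void copy_cfg_bytes(struct cfg *dst, const uint8_t *src, size_t avail)
{
    uint32_t n;
    memset(dst, 0, sizeof *dst);
    if (avail < sizeof n)
        return;                                 /* truncated record */
    memcpy(&n, src, sizeof n);
    if (n > CFG_SIZE) n = CFG_SIZE;
    if (n > avail)    n = (uint32_t)avail;
    memcpy(dst, src, n);
    dst->size = CFG_SIZE;
}

/* Constructed sample chunk (not from a real resources.arsc): the record
 * starts at byte offset 1, so its address is odd like chunk=0xf7fcf709.
 * The union forces 4-byte alignment of the buffer so offset 1 is misaligned. */
static union { uint32_t force_align; uint8_t bytes[1 + CFG_SIZE + 7]; } sample;

static void build_sample(uint32_t declared_size)
{
    memset(sample.bytes, 0, sizeof sample.bytes);
    memcpy(sample.bytes + 1, &declared_size, sizeof declared_size);
    for (size_t i = sizeof declared_size; i < CFG_SIZE; i++)
        sample.bytes[1 + i] = (uint8_t)i;       /* recognisable payload */
}

/* Copies the sample record via copy_cfg_bytes and returns how many payload
 * bytes were carried over; bytes beyond declared_size must read as zero.
 * Returns -1 if the result is inconsistent. */
static int copied_payload_bytes(uint32_t declared_size)
{
    struct cfg dst;
    int count = 0;
    build_sample(declared_size);
    copy_cfg_bytes(&dst, sample.bytes + 1, sizeof sample.bytes - 1);
    if (dst.size != CFG_SIZE)
        return -1;
    for (size_t i = sizeof dst.size; i < CFG_SIZE; i++) {
        uint8_t want = (i < declared_size) ? (uint8_t)i : 0;
        if (dst.payload[i - sizeof dst.size] != want)
            return -1;
        if (i < declared_size)
            count++;
    }
    return count;
}

int main(void)
{
    struct cfg aligned, out;
    build_sample(CFG_SIZE);
    copy_cfg_bytes(&aligned, sample.bytes + 1, sizeof sample.bytes - 1);
    copy_cfg_typed(&out, &aligned);             /* safe: &aligned is 4-byte aligned */
    printf("record at odd offset aligned? %d\n", is_aligned(sample.bytes + 1, 4));
    printf("0xf7fcf709 aligned? %d\n", is_aligned((const void *)(uintptr_t)0xf7fcf709u, 4));
    printf("full record: %d payload bytes\n", copied_payload_bytes(CFG_SIZE));
    printf("short record (20): %d payload bytes\n", copied_payload_bytes(20));
    return out.size == CFG_SIZE ? 0 : 1;
}
```

On x86 the typed copy would silently succeed even on an odd address, which is why bugs like this surface only on armhf or other strict-alignment targets; the byte-pointer form is correct everywhere. Note that `-fsanitize=alignment` (UBSan) reports the typed misaligned access on x86 as well, which is a cheap way to catch it before it reaches an ARM build.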