Write after free issue

[burriedu2]

I have an app that has this as a dependency and when it is running on GrapheneOS, which includes a hardened malloc that does not allow write after free I am getting the error below. It is not rooted and I suspect the write after free is happening and possibly causing more subtle issues on regular android builds.

type: crash
flags: dev options enabled
package: xxxxxxxxxxxxxxxxxxxx.android:613, targetSdk 34
osVersion: google/cheetah/cheetah:15/BP1A.250305.019/2025032500:user/release-keys
uid: 10286 (u:r:untrusted_app:s0:c30,c257,c512,c768)
cmdline: xxxxxxxxxxxxxxxxxxxx.android
processUptime: 181s
abortMessage: hardened_malloc: fatal allocator error: detected write after free
signal: 6 (SIGABRT), code -1 (SI_QUEUE)
threadName: NR_AppStateMon-
backtrace:
    /apex/com.android.runtime/lib64/bionic/libc.so (abort+156, pc 6402c)
    /apex/com.android.runtime/lib64/bionic/libc.so (fatal_error+44, pc 4da54)
    /apex/com.android.runtime/lib64/bionic/libc.so (allocate+1712, pc 4adc0)
    /apex/com.android.runtime/lib64/bionic/libc.so (malloc+44, pc 465ec)
    /system/lib64/libc++.so (operator new(unsigned long)+28, pc f4b40)
    /system/lib64/libc++.so (operator new[](unsigned long, std::nothrow_t const&)+12, pc 7ecb8)
    /apex/com.android.i18n/lib64/libicu_jni.so (MatcherState::updateInput(_JNIEnv*, _jstring*)+164, pc a154)
    /apex/com.android.i18n/lib64/libicu_jni.so (MatcherNative_setInputImpl(_JNIEnv*, _jclass*, long, _jstring*, int, int)+40, pc 13808)
    /system/framework/arm64/boot-core-icu4j.oat (art_jni_trampoline+132, pc ed274)
    /system/framework/arm64/boot-core-icu4j.oat (com.android.icu.util.regex.MatcherNative.setInput+52, pc ecb04)
    /system/framework/arm64/boot.oat (java.util.regex.Matcher.reset+300, pc 23194c)
    /system/framework/arm64/boot.oat (java.util.Scanner.makeSpace+468, pc 1e3ac4)
    /system/framework/arm64/boot.oat (java.util.Scanner.readInput+68, pc 1e3b54)
    /system/framework/arm64/boot.oat (java.util.Scanner.next+108, pc 1e408c)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.scottyab.rootbeer.RootBeer.propsReader+552, pc 446c548)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.scottyab.rootbeer.RootBeer.checkForDangerousProps+424, pc 446cbf8)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.scottyab.rootbeer.RootBeer.isRooted+124, pc 446e1cc)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.newrelic.agent.android.ndk.NativeReporting.start+672, pc 4dd6660)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.newrelic.agent.android.AndroidAgentImpl.start+504, pc 4918ca8)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.newrelic.agent.android.AndroidAgentImpl.applicationForegrounded+220, pc 491570c)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.newrelic.agent.android.background.ApplicationStateMonitor.notifyApplicationInForeground+408, pc 43f0288)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex (com.newrelic.agent.android.background.ApplicationStateMonitor.lambda$activityStarted$1$com-newrelic-agent-android-background-ApplicationStateMonitor+136, pc 43f0558)
    /data/app/~~XoxqxZSucMsU7Pk1RZFcBQ==/xxxxxxxxxxxxxxxxxxxx.android-VohNLu8LlaBIzAYblRaigg==/oat/arm64/base.odex ([DEDUPED]+48, pc 10c7eb0)
    /system/framework/arm64/boot.oat (java.util.concurrent.ThreadPoolExecutor.runWorker+720, pc 211030)
    /system/framework/arm64/boot.oat (java.util.concurrent.ThreadPoolExecutor$Worker.run+56, pc 214b08)
    /system/framework/arm64/boot.oat (java.lang.Thread.run+64, pc a5580)
    /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612, pc 379994)
    /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+136, pc 3a1d98)
    /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1004, pc 54286c)
    /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+8, pc 542468)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+180, pc 75854)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64, pc 66fb0)

[stealthcopter]

This doesn't seem to have anything to do with rootbeer o_O

[burriedu2]

I am pretty sure it is coming from this package. Specifically:

rootbeer/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java

Line 214 in eff976a

String propVal = new Scanner(inputstream).useDelimiter("\\A").next();

I have a separate trace that also flags this line:

rootbeer/rootbeerlib/src/main/java/com/scottyab/rootbeer/RootBeer.java

Line 226 in eff976a

String propVal = new Scanner(inputstream).useDelimiter("\\A").next();

I don't understand the inner working of android enough to know why that causes a write after free, but it looks like something is going on with that stream that is being parsed. My speculation is that stream's lifecycle is handled by the OS and is freed while the regex operations are still happening on it.

I do know that the error goes away when I remove this library, so please have another look. Write after free issues can be pretty serious and this one was causing our google play crash rate to sit at about 2% until it was removed.