
Fix USB transport io_service lifetime UAF and handshake stability#89

Merged
matt2005 merged 2 commits into develop from fix/usb-transport-io-service-lifetime
Mar 17, 2026
Conversation

@matt2005

Summary

This PR fixes the heap-corruption/abort path triggered during Android Auto channel setup by addressing the underlying transport lifetime race and related stability issues.

Key fixes

  • Keep io_service alive via shared ownership in transport classes:
    • Transport now stores std::shared_ptr<boost::asio::io_service>
    • USBTransport and TCPTransport constructors updated to use shared ownership
    • Prevents late receive-retry callbacks from dereferencing a destroyed io_service
  • Improve USB receive recovery behavior:
    • Bounded retries for transient LIBUSB_ERROR_NO_DEVICE and interrupted reads
    • Explicit rollback of uncommitted DataSink fill slots before retry re-arm
  • Harden OpenSSL wrapper lifecycle:
    • One-time process-global init with std::call_once
    • Remove per-instance teardown of global OpenSSL state
  • Fix AOAP descriptor lifetime issues:
    • Store stable copies of descriptor/interface/endpoint values instead of keeping pointers to ephemeral descriptor memory
  • Build-system compatibility:
    • Conditional protobuf include path handling when SKIP_BUILD_PROTOBUF=ON (system protobuf)
  • Documentation:
    • Add troubleshooting entry for USB receive retry corruption

Validation

  • Built aasdk debug and ASAN variants successfully
  • Reproduced crash under ASAN and captured fault in USBTransport::scheduleReceiveRetry
  • After fix, ASAN run no longer reports the prior SEGV/UAF path in transport retry scheduling
  • crankshaft-core rebuilt cleanly against updated headers and linked successfully

Notes

This targets develop as requested.

- Keep io_service alive via shared ownership in Transport/TCPTransport/USBTransport to prevent late callback UAF during retry timers
- Add bounded retry and rollback handling for USB receive interruptions/no-device transients
- Make SSL global init one-time and avoid per-instance teardown
- Fix AOAP descriptor lifetime by storing stable endpoint/interface values
- Support SKIP_BUILD_PROTOBUF include path selection for system protobuf
- Document USB receive retry corruption troubleshooting
- Create aasdk system group in postinst when missing
- Set key permissions to root:aasdk with 640 mode
- Align direct CMake install key permissions with group-read model
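
An added illustration, not code from this PR or the aasdk project, of the ownership pattern the first "Key fixes" bullet describes: Transport holds the service by std::shared_ptr and the receive-retry handler captures only a weak_ptr to the transport, so a late retry cannot touch a service its creator has already released. The std-only stand-in for boost::asio::io_service and the retry bound kMaxRetries are assumptions.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <utility>
// Stand-in for boost::asio::io_service (assumption: a handler queue drained by run(), no timers/threads).
class IoService {
public:
    void post(std::function<void()> h) { handlers_.push_back(std::move(h)); }
    int run() {                                   // drain queued handlers, like io_service::run
        int n = 0;
        while (!handlers_.empty()) {
            auto h = std::move(handlers_.front()); handlers_.pop_front();
            h(); ++n;
        }
        return n;
    }
private:
    std::deque<std::function<void()>> handlers_;
};
// Transport owns the service via shared_ptr, so a late retry handler never runs against a released service.
class Transport : public std::enable_shared_from_this<Transport> {
public:
    static constexpr int kMaxRetries = 3;          // assumed bound, not the PR's actual value
    explicit Transport(std::shared_ptr<IoService> io) : io_(std::move(io)) {}
    void scheduleReceiveRetry() {
        if (retries_ >= kMaxRetries) { gaveUp_ = true; return; }   // bounded retry: stop re-arming
        ++retries_;
        std::weak_ptr<Transport> self = shared_from_this();          // never capture raw this
        io_->post([self] { if (auto t = self.lock()) t->scheduleReceiveRetry(); });
    }
    IoService& service() { return *io_; }
    int retries() const { return retries_; }
    bool gaveUp() const { return gaveUp_; }
private:
    std::shared_ptr<IoService> io_;
    int retries_ = 0;
    bool gaveUp_ = false;
};
struct Outcome { int retries; bool gaveUp; long serviceOwners; };
// The creator drops its io_service reference before any retry fires: with a raw io_service& member that
// is the UAF setup; with shared ownership the retry chain runs to the bound and the service stays alive.
Outcome runRetryScenario() {
    auto io = std::make_shared<IoService>();
    auto transport = std::make_shared<Transport>(io);
    std::weak_ptr<IoService> probe = io;
    io.reset();
    transport->scheduleReceiveRetry();
    while (transport->service().run() > 0) {}
    return {transport->retries(), transport->gaveUp(), probe.use_count()};
}
```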
@matt2005 matt2005 merged commit 0d9a09d into develop Mar 17, 2026
3 checks passed
@matt2005 matt2005 deleted the fix/usb-transport-io-service-lifetime branch March 17, 2026 09:11