Skip to content

Commit 0f43e16

Browse files
qc-tbhardwaTrishansh Bhardwaj
andauthored
[QNN-EP] Fix use-after-free of logger object (#27804)
### Description Update logger object in QnnBackendManager::SetupBackend. ### Motivation and Context While generating weight sharing context binary, Inference Session is created once for each graph. Inference session creates logger object and passes it to QnnBackendManager. QnnBackendManager stores this pointer in logger_ pointer and holds it long after Inference Session destroys Logger. On next Inference Session, another Logger object is created but QnnBackendManager do not use this as backend_setup_completed_ is already set, using this causes UAF. Co-authored-by: Trishansh Bhardwaj <quic_tbhardwa@quicinc.com>
1 parent f22e3a9 commit 0f43e16

2 files changed

Lines changed: 5 additions & 5 deletions

File tree

onnxruntime/core/providers/qnn/builder/qnn_backend_manager.cc

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -468,9 +468,7 @@ void QnnLogging(const char* format,
468468
}
469469
}
470470

471-
Status QnnBackendManager::InitializeQnnLog(const logging::Logger& logger) {
472-
logger_ = &logger;
473-
471+
Status QnnBackendManager::InitializeQnnLog() {
474472
// Set Qnn log level align with Ort log level
475473
auto ort_log_level = logger_->GetSeverity();
476474
QnnLog_Level_t qnn_log_level = MapOrtSeverityToQNNLogLevel(ort_log_level);
@@ -1564,6 +1562,8 @@ Status QnnBackendManager::SetupBackend(const logging::Logger& logger,
15641562
std::unordered_map<std::string, std::unique_ptr<std::vector<std::string>>>& context_bin_map,
15651563
bool enable_htp_extended_udma_mode) {
15661564
std::lock_guard<std::recursive_mutex> lock(logger_recursive_mutex_);
1565+
if (logger_ != &logger)
1566+
logger_ = &logger;
15671567
if (backend_setup_completed_) {
15681568
LOGS(logger, VERBOSE) << "Backend setup already!";
15691569

@@ -1630,7 +1630,7 @@ Status QnnBackendManager::SetupBackend(const logging::Logger& logger,
16301630
}
16311631

16321632
if (status.IsOK()) {
1633-
status = InitializeQnnLog(logger);
1633+
status = InitializeQnnLog();
16341634
}
16351635
if (status.IsOK()) {
16361636
LOGS(logger, VERBOSE) << "SetLogger succeed.";

onnxruntime/core/providers/qnn/builder/qnn_backend_manager.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -321,7 +321,7 @@ class QnnBackendManager : public std::enable_shared_from_this<QnnBackendManager>
321321

322322
// Sets the ORT logger and creates a corresponding QNN logger with the same log level.
323323
// NOTE: caller must lock the `logger_recursive_mutex_` before calling this function.
324-
Status InitializeQnnLog(const logging::Logger& logger);
324+
Status InitializeQnnLog();
325325

326326
// Terminate logging in the backend
327327
// NOTE: This function locks the internal `logger_recursive_mutex_`.

0 commit comments

Comments
 (0)