UAF during teardown in PreferencesConnectionManager
Issue description
I am seeing a UAF during teardown. Stacks:
READ of size 8 at 0x60e000100dc0 thread T0 (chrome)
#0 0x7f6ddf6265be in __normal_iterator ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_iterator.h:720:60
#1 0x7f6ddf6265be in begin ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_vector.h:464:0
#2 0x7f6ddf6265be in OnConnectionError ./out/cros/../../chrome/browser/prefs/preferences_connection_manager.cc:50:0
#3 0x7f6ddf629c29 in Invoke<PreferencesConnectionManager *, const base::WeakPtr<mojo::StrongBinding<prefs::mojom::PreferencesManager> > &> ./out/cros/../../base/bind_internal.h:214:12
#4 0x7f6ddf629c29 in MakeItSo<void (PreferencesConnectionManager::*const &)(base::WeakPtr<mojo::StrongBinding<prefs::mojom::PreferencesManager> >), PreferencesConnectionManager *, const base::WeakPtr<mojo::StrongBinding<prefs::mojom::PreferencesManager> > &> ./out/cros/../../base/bind_internal.h:285:0
#5 0x7f6ddf629c29 in RunImpl<void (PreferencesConnectionManager::*const &)(base::WeakPtr<mojo::StrongBinding<prefs::mojom::PreferencesManager> >), const std::tuple<base::internal::UnretainedWrapper<PreferencesConnectionManager>, base::WeakPtr<mojo::StrongBinding<prefs::mojom::PreferencesManager> > > &, 0, 1> ./out/cros/../../base/bind_internal.h:361:0
#6 0x7f6ddf629c29 in Run ./out/cros/../../base/bind_internal.h:339:0
#7 0x7f6ddf62940e in Run ./out/cros/../../base/callback.h:85:12
#8 0x7f6ddf62940e in OnConnectionError ./out/cros/../../mojo/public/cpp/bindings/strong_binding.h:101:0
#9 0x7f6ddb01e820 in Run ./out/cros/../../base/callback.h:85:12
#10 0x7f6ddb01e820 in NotifyError ./out/cros/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:303:0
#11 0x7f6ddb040b47 in ProcessNotifyErrorTask ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:854:13
#12 0x7f6ddb0381b1 in ProcessTasks ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:768:15
#13 0x7f6ddb0330f1 in OnPipeConnectionError ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:737:3
#14 0x7f6ddb0091e5 in Run ./out/cros/../../base/callback.h:85:12
#15 0x7f6ddb0091e5 in HandleError ./out/cros/../../mojo/public/cpp/bindings/lib/connector.cc:329:0
#16 0x7f6ddb00b0e5 in OnHandleReadyInternal ./out/cros/../../mojo/public/cpp/bindings/lib/connector.cc:209:5
#17 0x7f6ddafd04d7 in Run ./out/cros/../../base/callback.h:85:12
#18 0x7f6ddafd04d7 in OnHandleReady ./out/cros/../../mojo/public/cpp/system/watcher.cc:87:0
#19 0x7f6ddafd0930 in Invoke<const base::WeakPtr<mojo::Watcher> &, const unsigned int &> ./out/cros/../../base/bind_internal.h:214:12
#20 0x7f6ddaa036a1 in Run ./out/cros/../../base/callback.h:68:12
#21 0x7f6ddaa036a1 in RunTask ./out/cros/../../base/debug/task_annotator.cc:52:0
#22 0x7f6ddaaacd3b in RunTask ./out/cros/../../base/message_loop/message_loop.cc:421:19
#23 0x7f6ddaaaf426 in DeferOrRunPendingTask ./out/cros/../../base/message_loop/message_loop.cc:430:5
#24 0x7f6ddaaaf426 in DoWork ./out/cros/../../base/message_loop/message_loop.cc:523:0
#25 0x7f6ddaabbf60 in Run ./out/cros/../../base/message_loop/message_pump_libevent.cc:218:31
#26 0x7f6ddaaac3fb in RunHandler ./out/cros/../../base/message_loop/message_loop.cc:386:10
#27 0x7f6ddab6ee6f in Run ./out/cros/../../base/run_loop.cc:37:10
#28 0x7f6ddf44dd8d in MainMessageLoopRun ./out/cros/../../chrome/browser/chrome_browser_main.cc:2000:12
#29 0x7f6dd168afd6 in RunMainMessageLoopParts ./out/cros/../../content/browser/browser_main_loop.cc:1180:29
#30 0x7f6dd1697e46 in Run ./out/cros/../../content/browser/browser_main_runner.cc:141:17
#31 0x7f6dd167c364 in BrowserMain ./out/cros/../../content/browser/browser_main.cc:46:28
#32 0x7f6dd355f7be in RunNamedProcessTypeMain ./out/cros/../../content/app/content_main_runner.cc:434:14
#33 0x7f6dd35617b7 in Run ./out/cros/../../content/app/content_main_runner.cc:813:12
#34 0x7f6dd355d5fa in ContentMain ./out/cros/../../content/app/content_main.cc:20:28
#35 0x7f6ddcde3768 in ChromeMain ./out/cros/../../chrome/app/chrome_main.cc:112:12
#36 0x7f6dba96ef44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
0x60e000100dc0 is located 128 bytes inside of 160-byte region [0x60e000100d40,0x60e000100de0)
freed by thread T0 (chrome) here:
#0 0x7f6ddcde106b in operator delete(void*) ??:?
#1 0x7f6dd35dd9c7 in operator() ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
#2 0x7f6dd35dd9c7 in reset ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245:0
#3 0x7f6dd35dd9c7 in ~unique_ptr ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169:0
#4 0x7f6dd35dd9c7 in ~ServiceContext ./out/cros/../../services/service_manager/public/cpp/lib/service_context.cc:47:0
#5 0x7f6dd35ddafd in ?? ./out/cros/../../services/service_manager/public/cpp/lib/service_context.cc:47:35
#6 0x7f6dd0a5b2d5 in operator() ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
#7 0x7f6dd0a5b2d5 in reset ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245:0
#8 0x7f6dd0a5b2d5 in ~unique_ptr ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169:0
#9 0x7f6dd0a5b2d5 in ~pair ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_pair.h:87:0
#10 0x7f6dd0a5b2d5 in ~_Rb_tree_node ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:130:0
#11 0x7f6dd0a5b2d5 in destroy ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/ext/new_allocator.h:118:0
#12 0x7f6dd0a5b2d5 in _M_destroy_node ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:419:0
#13 0x7f6dd0a5b2d5 in _M_erase_aux ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:1490:0
#14 0x7f6dd0a5b2d5 in erase ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:770:0
#15 0x7f6dd0a5b2d5 in erase ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_map.h:619:0
#16 0x7f6dd0a5b2d5 in OnInstanceLost ./out/cros/../../content/common/service_manager/embedded_service_runner.cc:104:0
#17 0x7f6dd0a5b6b5 in Invoke<const scoped_refptr<content::EmbeddedServiceRunner::InstanceManager> &, const int &> ./out/cros/../../base/bind_internal.h:214:12
#18 0x7f6dd0a5b6b5 in MakeItSo<void (content::EmbeddedServiceRunner::InstanceManager::*const &)(int), const scoped_refptr<content::EmbeddedServiceRunner::InstanceManager> &, const int &> ./out/cros/../../base/bind_internal.h:285:0
#19 0x7f6dd0a5b6b5 in RunImpl<void (content::EmbeddedServiceRunner::InstanceManager::*const &)(int), const std::tuple<scoped_refptr<content::EmbeddedServiceRunner::InstanceManager>, int> &, 0, 1> ./out/cros/../../base/bind_internal.h:361:0
#20 0x7f6dd0a5b6b5 in Run ./out/cros/../../base/bind_internal.h:339:0
#21 0x7f6dd35ddd9a in Run ./out/cros/../../base/callback.h:85:12
#22 0x7f6dd35ddd9a in QuitNow ./out/cros/../../services/service_manager/public/cpp/lib/service_context.cc:70:0
#23 0x7f6ddb01e5dd in Run ./out/cros/../../base/callback.h:85:12
#24 0x7f6ddb01e5dd in NotifyError ./out/cros/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:297:0
#25 0x7f6ddb040b0f in ProcessNotifyErrorTask ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:854:13
#26 0x7f6ddb0381b1 in ProcessTasks ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:768:15
#27 0x7f6ddb0330f1 in OnPipeConnectionError ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:737:3
#28 0x7f6ddb0091e5 in Run ./out/cros/../../base/callback.h:85:12
#29 0x7f6ddb0091e5 in HandleError ./out/cros/../../mojo/public/cpp/bindings/lib/connector.cc:329:0
#30 0x7f6ddb00b0e5 in OnHandleReadyInternal ./out/cros/../../mojo/public/cpp/bindings/lib/connector.cc:209:5
#31 0x7f6ddafd04d7 in Run ./out/cros/../../base/callback.h:85:12
#32 0x7f6ddafd04d7 in OnHandleReady ./out/cros/../../mojo/public/cpp/system/watcher.cc:87:0
#33 0x7f6ddafd0930 in Invoke<const base::WeakPtr<mojo::Watcher> &, const unsigned int &> ./out/cros/../../base/bind_internal.h:214:12
#34 0x7f6ddaa036a1 in Run ./out/cros/../../base/callback.h:68:12
#35 0x7f6ddaa036a1 in RunTask ./out/cros/../../base/debug/task_annotator.cc:52:0
#36 0x7f6ddaaacd3b in RunTask ./out/cros/../../base/message_loop/message_loop.cc:421:19
#37 0x7f6ddaaaf426 in DeferOrRunPendingTask ./out/cros/../../base/message_loop/message_loop.cc:430:5
#38 0x7f6ddaaaf426 in DoWork ./out/cros/../../base/message_loop/message_loop.cc:523:0
#39 0x7f6ddaabbf60 in Run ./out/cros/../../base/message_loop/message_pump_libevent.cc:218:31
#40 0x7f6ddaaac3fb in RunHandler ./out/cros/../../base/message_loop/message_loop.cc:386:10
#41 0x7f6ddab6ee6f in Run ./out/cros/../../base/run_loop.cc:37:10
#42 0x7f6ddf44dd8d in MainMessageLoopRun ./out/cros/../../chrome/browser/chrome_browser_main.cc:2000:12
#43 0x7f6dd168afd6 in RunMainMessageLoopParts ./out/cros/../../content/browser/browser_main_loop.cc:1180:29
#44 0x7f6dd1697e46 in Run ./out/cros/../../content/browser/browser_main_runner.cc:141:17
#45 0x7f6dd167c364 in BrowserMain ./out/cros/../../content/browser/browser_main.cc:46:28
#46 0x7f6dd355f7be in RunNamedProcessTypeMain ./out/cros/../../content/app/content_main_runner.cc:434:14
#47 0x7f6dd35617b7 in Run ./out/cros/../../content/app/content_main_runner.cc:813:12
#48 0x7f6dd355d5fa in ContentMain ./out/cros/../../content/app/content_main.cc:20:28
#49 0x7f6ddcde3768 in ChromeMain ./out/cros/../../chrome/app/chrome_main.cc:112:12
#50 0x7f6dba96ef44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
It looks like PreferencesConnectionManager is being destroyed before the strong-bindings it tracks. When the strong-binding object is later destroyed, it triggers the connection-error handler in PreferencesConnectionManager, leading to the use-after-free.
One fix could be to reset the connection error handlers in |manager_bindings_| from ~PreferencesConnectionManager. The better fix is probably to set the connection-error handler using a weak-ptr for PreferencesConnectionManager.
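As an added illustration of the two fixes proposed above (this is example code written for this page, not Chromium's PreferencesConnectionManager or Mojo), the following minimal model reproduces the teardown ordering from the ASan stack: the manager dies first, and a binding it registered an error handler on reports its error afterwards. std::weak_ptr stands in for base::WeakPtr, and an owner-held vector of unique_ptr stands in for mojo::StrongBindingSet; Binding, WeakPtrManager and OwningManager are hypothetical names chosen for the example.

```cpp
// Added example, not Chromium code: models the lifetime bug in this report
// and the two fixes discussed above. std::weak_ptr stands in for
// base::WeakPtr; an owner-held vector<unique_ptr> stands in for
// mojo::StrongBindingSet. All class names here are hypothetical.
#include <functional>
#include <iostream>
#include <memory>
#include <vector>

// Stand-in for a strong binding: fires its connection-error handler once when
// the peer end closes. Like a real StrongBinding it can outlive the object
// that registered the handler unless that object owns it.
class Binding {
 public:
  void set_connection_error_handler(std::function<void()> handler) {
    handler_ = std::move(handler);
  }
  // Simulates the pipe closing. Mojo delivers this as a posted task, which is
  // why it can arrive after the handler's owner has already been destroyed.
  void PeerClosed() {
    std::function<void()> handler = std::move(handler_);
    handler_ = nullptr;
    if (handler) handler();  // handler may delete *this; nothing touched after
  }

 private:
  std::function<void()> handler_;
};

// Fix 1: bind the handler through a weak pointer. Once the manager is gone
// the pointer is expired and the callback is a no-op, instead of the
// dangling base::Unretained(this) dereference shown in the ASan stack.
class WeakPtrManager : public std::enable_shared_from_this<WeakPtrManager> {
 public:
  void Track(Binding* binding) {
    tracked_.push_back(binding);
    std::weak_ptr<WeakPtrManager> weak = shared_from_this();
    binding->set_connection_error_handler([weak, binding] {
      if (std::shared_ptr<WeakPtrManager> self = weak.lock())
        self->OnConnectionError(binding);
    });
  }
  size_t tracked_count() const { return tracked_.size(); }

 private:
  void OnConnectionError(Binding* binding) {
    for (auto it = tracked_.begin(); it != tracked_.end(); ++it) {
      if (*it == binding) { tracked_.erase(it); return; }
    }
  }
  std::vector<Binding*> tracked_;
};

// Fix 2 (what the landed change does with StrongBindingSet): the manager owns
// its bindings, so destroying the manager destroys every binding first and no
// handler can ever run against a dead manager. An errored binding is dropped.
class OwningManager {
 public:
  Binding* Add() {
    std::unique_ptr<Binding> binding(new Binding());
    Binding* raw = binding.get();
    binding->set_connection_error_handler([this, raw] { Remove(raw); });
    bindings_.push_back(std::move(binding));
    return raw;
  }
  size_t size() const { return bindings_.size(); }

 private:
  void Remove(Binding* binding) {
    for (auto it = bindings_.begin(); it != bindings_.end(); ++it) {
      if (it->get() == binding) { bindings_.erase(it); return; }  // deletes it
    }
  }
  std::vector<std::unique_ptr<Binding>> bindings_;
};

// Reproduces the report's ordering: manager destroyed first, a binding reports
// its error later. Returns the tracked count observed while the manager was
// still alive (1); the later error against the dead manager is a clean no-op.
size_t WeakPtrSurvivesEarlyTeardown() {
  Binding a, b;
  size_t count_while_alive = 0;
  {
    std::shared_ptr<WeakPtrManager> manager = std::make_shared<WeakPtrManager>();
    manager->Track(&a);
    manager->Track(&b);
    a.PeerClosed();                          // live manager: a is untracked
    count_while_alive = manager->tracked_count();
  }                                          // manager destroyed, b still open
  b.PeerClosed();                            // weak ptr expired: no-op, no UAF
  return count_while_alive;
}

// Owner-held set: an error removes (and deletes) that binding; whatever is
// left is deleted with the manager. Returns the set size after one error (1).
size_t OwningManagerDropsErroredBinding() {
  OwningManager manager;
  Binding* a = manager.Add();
  manager.Add();
  a->PeerClosed();  // a is erased from the set and deleted inside Remove()
  return manager.size();
}

int main() {
  std::cout << "weak-ptr manager tracked before teardown: "
            << WeakPtrSurvivesEarlyTeardown() << "\n";
  std::cout << "owning manager size after one error: "
            << OwningManagerDropsErroredBinding() << "\n";
  return 0;
}
```

Building this with a sanitizer (-fsanitize=address) is the useful check: the weak-pointer variant runs clean even though b's error arrives after the manager is gone, and the owning variant makes that ordering impossible in the first place because the manager's destructor deletes b. Note that Binding::PeerClosed moves the handler out before invoking it, so a handler that deletes its own binding (as Remove does) never touches the freed object afterwards.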
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0932b390e4b08af8590e8553a7b2a1fc8ef9c99b

commit 0932b390e4b08af8590e8553a7b2a1fc8ef9c99b
Author: jonross <jonross@chromium.org>
Date: Wed Feb 22 14:49:54 2017

Fix PreferenceConnectionManagerTeardown

It is possible for the teardown order of chrome to not be as expected. PreferenceConnectionManager was expecting to live until profile destruction, at which point it would close mojo connections. However it is possible for the connection manager to be deleted early, leaving connections open. They would eventually close during shutdown, and attempt to notify the now dead connection manager.

This change updates PreferenceConnectionManager to use the new StrongBindingSet. This set handles removing of StrongBindings from the collection when connection errors occur. Thus replacing the manual handling written in the connection manager which had error prone base::Unretained(this). The connections are all deleted when the PreferenceConnectionManager is destroyed.

TEST=manual testing with asan builds
BUG= 687933

Review-Url: https://codereview.chromium.org/2710733002
Cr-Commit-Position: refs/heads/master@{#452044}

[modify] https://crrev.com/0932b390e4b08af8590e8553a7b2a1fc8ef9c99b/chrome/browser/prefs/preferences_connection_manager.cc
[modify] https://crrev.com/0932b390e4b08af8590e8553a7b2a1fc8ef9c99b/chrome/browser/prefs/preferences_connection_manager.h
Comment 1 by jonr...@chromium.org, Feb 7 2017