New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 688055 link

Starred by 1 user
Status: Fixed
Owner:
krasin@chromium.org
Last visit > 30 days ago
Closed: Feb 2017
Cc:
kcc@chromium.org
sigbjo...@opera.com
p...@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

CFI: invalid cast in HeapCompact.cpp

Project Member Reported by krasin@chromium.org, Feb 2 2017 
Chrome Version: tip
OS: Linux x86-64

What steps will reproduce the problem?
(1) Build browser_tests with Control Flow Integrity (CFI) enabled:
$ GYP_DEFINES='buildtype=Official' gclient sync
$ gn gen out/cfi-diag '--args=is_debug=false is_cfi=true use_cfi_diag=true use_cfi_cast=true symbol_level=1 dcheck_always_on=true' --check
$ ninja -C out/cfi-diag browser_tests

See more details at https://www.chromium.org/developers/testing/control-flow-integrity

(2) Run WebstoreInlineInstallerTest.ReinstallDisabledExtension test case:
$ ./out/cfi-diag-tot/browser_tests --gtest_filter=WebstoreInlineInstallerTest.ReinstallDisabledExtension

Observe the following error report:

../../third_party/WebKit/Source/platform/heap/HeapCompact.cpp:86:26: runtime error: control flow integrity check for type 'blink::BasePage' failed during cast to unrelated type (vtable address 0xdd0fecaefbeadde)
0xdd0fecaefbeadde: note: invalid vtable
<memory cannot be printed>

Most likely, a non-initialized memory region is being cast.

This breaks 'CFI Linux Full' and 'CFI Linux ToT' bots:
https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20Full/builds/1325
https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20ToT/builds/5677

Comment 1 by krasin@chromium.org, Feb 2 2017

Cc: sigbjo...@opera.com
Proposed fix: https://codereview.chromium.org/2673683002/
Project Member

Comment 2 by bugdroid1@chromium.org, Feb 3 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4116d5e5f6fd92ae9f75cc2bfe158068232c6dbe

commit 4116d5e5f6fd92ae9f75cc2bfe158068232c6dbe
Author: krasin <krasin@chromium.org>
Date: Fri Feb 03 04:06:38 2017

HeapCompact: don't cast to BasePage before sanity check.

Otherwise, the cast might be performed on a garbage memory and
CFI will detect that the cast is invalid as the vtable is invalid.

BUG= 688055 

Review-Url: https://codereview.chromium.org/2673683002
Cr-Commit-Position: refs/heads/master@{#447922}

[modify] https://crrev.com/4116d5e5f6fd92ae9f75cc2bfe158068232c6dbe/third_party/WebKit/Source/platform/heap/HeapCompact.cpp

Comment 3 by krasin@chromium.org, Feb 3 2017

Status: Fixed (was: Assigned)

Sign in to add a comment