
Issue 751884

Starred by 1 user

Issue metadata

Status: Archived
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




Crash in SecureChannel

Project Member Reported by khorimoto@chromium.org, Aug 2 2017

Issue description

When sending a DisconnectTetheringRequest.

#0  0x00007abf99cd9cb8 in std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::string const&) () from /usr/lib64/libstdc++.so.6
#1  0x000055d7629520e4 in cryptauth::SecureChannel::ProcessMessageQueue() () at ../../components/cryptauth/secure_channel.h:125
#2  0x000055d762952eed in cryptauth::SecureChannel::OnSendCompleted(cryptauth::Connection const&, cryptauth::WireMessage const&, bool) () at ../../components/cryptauth/secure_channel.cc:167
#3  0x000055d760f108ec in cryptauth::Connection::OnDidSendMessage(cryptauth::WireMessage const&, bool) () at ../../components/cryptauth/connection.cc:73
#4  0x000055d76295762f in cryptauth::weave::BluetoothLowEnergyWeaveClientConnection::OnRemoteCharacteristicWritten() () at ../../components/cryptauth/ble/bluetooth_low_energy_weave_client_connection.cc:529
#5  0x000055d75fce3495 in base::internal::Invoker<base::internal::BindState<dbus::ObjectProxy::CallMethodWithErrorCallback(dbus::MethodCall*, int, base::Callback<void (dbus::Response*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::Callback<void (dbus::ErrorResponse*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>)::$_0, base::Callback<void (dbus::Response*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::Callback<void (dbus::ErrorResponse*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0> >, void (dbus::Response*, dbus::ErrorResponse*)>::RunOnce(base::internal::BindStateBase*, dbus::Response*&&, dbus::ErrorResponse*&&) () at ../../base/callback.h:91
#6  0x000055d75fce0b5a in dbus::ObjectProxy::RunCallMethodInternalCallback(base::Callback<void (dbus::Response*, dbus::ErrorResponse*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::TimeTicks, DBusMessage*) () at ../../base/callback.h:91
#7  0x000055d75fce37fd in base::internal::Invoker<base::internal::BindState<void (metadata::SafeMediaMetadataParser::*)(base::Callback<void (std::vector<unsigned char, std::allocator<unsigned char> > const&), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, long, long), scoped_refptr<metadata::SafeMediaMetadataParser>, base::Callback<void (std::vector<unsigned char, std::allocator<unsigned char> > const&), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, long, long>, void ()>::RunOnce(base::internal::BindStateBase*) () at ../../base/bind_internal.h:196
#8  0x000055d75f2a867a in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) () at ../../base/callback.h:91
#9  0x000055d75f2c287f in base::MessageLoop::RunTask(base::PendingTask*) () at ../../base/message_loop/message_loop.cc:403
#10 0x000055d75f2c2c7b in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) () at ../../base/message_loop/message_loop.cc:414
#11 0x000055d75f2c30d4 in base::MessageLoop::DoWork() () at ../../base/message_loop/message_loop.cc:521
#12 0x000055d75f2c4869 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) () at ../../base/message_loop/message_pump_libevent.cc:220
#13 0x000055d75f2e4b76 in base::RunLoop::Run() () at ../../base/run_loop.cc:111
#14 0x000055d75ef82883 in ChromeBrowserMainParts::MainMessageLoopRun(int*) () at ../../chrome/browser/chrome_browser_main.cc:1916
#15 0x000055d75dc36884 in content::BrowserMainLoop::RunMainMessageLoopParts() () at ../../content/browser/browser_main_loop.cc:1165
#16 0x000055d75dc39072 in content::BrowserMainRunnerImpl::Run() () at ../../content/browser/browser_main_runner.cc:142
#17 0x000055d75dc321bc in content::BrowserMain(content::MainFunctionParams const&) () at ../../content/browser/browser_main.cc:46
#18 0x000055d75ef562a6 in content::ContentMainRunnerImpl::Run() () at ../../content/app/content_main_runner.cc:687
#19 0x000055d75ef78804 in service_manager::Main(service_manager::MainParams const&) () at ../../services/service_manager/embedder/main.cc:469
#20 0x000055d75ef55331 in content::ContentMain(content::ContentMainParams const&) () at ../../content/app/content_main.cc:19
#21 0x000055d75d6263ec in ChromeMain () at ../../chrome/app/chrome_main.cc:110
#22 0x00007abf9966f816 in __libc_start_main (main=0x55d75d626340 <main>, argc=34, argv=0x7ffe8d8339b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe8d8339a8) at ../csu/libc-start.c:289
#23 0x000055d75d626209 in _start ()

 
Project Member

Comment 1 by bugdroid1@chromium.org, Aug 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f731607fb19cb16717f1df0c8944aa99298cca11

commit f731607fb19cb16717f1df0c8944aa99298cca11
Author: Kyle Horimoto <khorimoto@google.com>
Date: Sat Aug 05 00:03:50 2017

[CrOS Tether] Fix crash in SecureChannel during Tether disconnection.

There are 3 pieces to this fix:
(1) DisconnectTetheringOperation killed the connection when the message
    was sent successfully, but the SecureChannel still executed code
    after that point, which caused a crash since deleted memory was
    accessed. To remedy this, SecureChannel now uses a WeakPtr to verify
    that the object had not been deleted before continuing.
(2) DisconnectTetheringOperation returned a was_authenticated_ boolean
    to its observers after sending the message, but this does not
    actually indicate whether the operation was successful. Now,
    has_sent_message_ is returned instead.
(3) A timeout is included in DisconnectTetheringOperation even though
    we do not expect a response so that if the message is never able to
    be sent, the connection is eventually destroyed. Since the timeout
    is now being used in this case, I reworded the function so that it
    no longer refers to this timeout being a "response" timeout.

Bug: 751884, 672263
Change-Id: I4f71f19850d47d7a06b594ac87b005631e9af67d
Reviewed-on: https://chromium-review.googlesource.com/601125
Commit-Queue: Kyle Horimoto <khorimoto@chromium.org>
Reviewed-by: Ryan Hansberry <hansberry@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492187}
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/ble_connection_manager.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/connect_tethering_operation.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/connect_tethering_operation.h
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/connect_tethering_operation_unittest.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/disconnect_tethering_operation.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/disconnect_tethering_operation.h
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/message_transfer_operation.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/message_transfer_operation.h
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/chromeos/components/tether/message_transfer_operation_unittest.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/components/cryptauth/ble/bluetooth_low_energy_weave_client_connection.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/components/cryptauth/ble/bluetooth_low_energy_weave_client_connection_unittest.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/components/cryptauth/secure_channel.cc
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/components/cryptauth/secure_channel.h
[modify] https://crrev.com/f731607fb19cb16717f1df0c8944aa99298cca11/components/cryptauth/secure_channel_unittest.cc

Labels: Merge-Request-61
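Piece (1) of the fix above, as an added example that is not Chromium's code: an observer destroys the channel from inside the send-completed callback, and the channel checks a weak handle copied onto the stack before that callback ran before it touches any member again. The Channel class, its shared "alive" flag (standing in for base::WeakPtr / WeakPtrFactory) and the two scenario functions are constructed for this illustration.

```cpp
#include <functional>
#include <memory>
#include <string>

// Constructed stand-in for a message channel (not Chromium's SecureChannel).
// It sends a message, notifies an observer, then keeps working on its own
// members; the observer may destroy the channel inside that callback, the
// sequence the bug describes. A shared "alive" flag cleared by the
// destructor stands in for base::WeakPtr / WeakPtrFactory.
class Channel {
 public:
  using SentCallback = std::function<void(const std::string&)>;
  explicit Channel(SentCallback on_sent)
      : alive_(std::make_shared<bool>(true)), on_sent_(std::move(on_sent)) {}
  ~Channel() { *alive_ = false; }  // WeakPtrFactory invalidates on destruction
  int sent_count() const { return sent_count_; }

  // Returns true only if the channel survived the observer callback and
  // finished its own bookkeeping (the ProcessMessageQueue step in the trace).
  bool Send(const std::string& msg) {
    // Copy onto the stack *before* the callback: members may be gone after.
    std::shared_ptr<bool> alive = alive_;
    SentCallback on_sent = on_sent_;
    on_sent(msg);               // observer may delete this channel here
    if (!*alive) return false;  // the fix: bail out before touching members
    ++sent_count_;              // pre-fix code reached this unconditionally
    return true;
  }

 private:
  std::shared_ptr<bool> alive_;
  SentCallback on_sent_;
  int sent_count_ = 0;
};

// Observer destroys the channel on completion, as DisconnectTetheringOperation
// did after its message was sent.
bool RunDisconnectScenario() {
  std::unique_ptr<Channel> channel;
  channel.reset(new Channel([&channel](const std::string&) { channel.reset(); }));
  return channel->Send("DisconnectTetheringRequest");  // false, nothing touched
}

// Passive observer: the send completes and is counted.
int RunNormalScenario() {
  Channel channel([](const std::string&) {});
  channel.Send("KeepAliveTickle");
  return channel.sent_count();  // 1
}
```

Running the disconnect scenario under a sanitizer (ASan) with the `if (!*alive) return false;` line removed reproduces the class of fault in the trace above: a member access on an object freed inside the callback.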

Comment 3 by ketakid@google.com, Aug 5 2017

Labels: -Merge-Request-61 Merge-Approved-61
Approving merge to M61 Chrome OS.
Project Member

Comment 4 by bugdroid1@chromium.org, Aug 7 2017

Labels: -merge-approved-61 merge-merged-3163
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f06784e61dda16b1041edec804f6f91593dc3fef

commit f06784e61dda16b1041edec804f6f91593dc3fef
Author: Kyle Horimoto <khorimoto@google.com>
Date: Mon Aug 07 17:17:40 2017

[CrOS Tether] Fix crash in SecureChannel during Tether disconnection.

There are 3 pieces to this fix:
(1) DisconnectTetheringOperation killed the connection when the message
    was sent successfully, but the SecureChannel still executed code
    after that point, which caused a crash since deleted memory was
    accessed. To remedy this, SecureChannel now uses a WeakPtr to verify
    that the object had not been deleted before continuing.
(2) DisconnectTetheringOperation returned a was_authenticated_ boolean
    to its observers after sending the message, but this does not
    actually indicate whether the operation was successful. Now,
    has_sent_message_ is returned instead.
(3) A timeout is included in DisconnectTetheringOperation even though
    we do not expect a response so that if the message is never able to
    be sent, the connection is eventually destroyed. Since the timeout
    is now being used in this case, I reworded the function so that it
    no longer refers to this timeout being a "response" timeout.

TBR=khorimoto@google.com

(cherry picked from commit f731607fb19cb16717f1df0c8944aa99298cca11)

Bug: 751884, 672263
Change-Id: I4f71f19850d47d7a06b594ac87b005631e9af67d
Reviewed-on: https://chromium-review.googlesource.com/601125
Commit-Queue: Kyle Horimoto <khorimoto@chromium.org>
Reviewed-by: Ryan Hansberry <hansberry@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#492187}
Reviewed-on: https://chromium-review.googlesource.com/603912
Reviewed-by: Kyle Horimoto <khorimoto@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#353}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/ble_connection_manager.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/connect_tethering_operation.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/connect_tethering_operation.h
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/connect_tethering_operation_unittest.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/disconnect_tethering_operation.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/disconnect_tethering_operation.h
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/message_transfer_operation.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/message_transfer_operation.h
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/chromeos/components/tether/message_transfer_operation_unittest.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/components/cryptauth/ble/bluetooth_low_energy_weave_client_connection.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/components/cryptauth/ble/bluetooth_low_energy_weave_client_connection_unittest.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/components/cryptauth/secure_channel.cc
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/components/cryptauth/secure_channel.h
[modify] https://crrev.com/f06784e61dda16b1041edec804f6f91593dc3fef/components/cryptauth/secure_channel_unittest.cc

Status: Fixed (was: Started)

Comment 6 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
