Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(248)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 888143003: Fix a use after free crasher in the ReadAsync task initiated on Windows by the FileStream::Context:… (Closed)

Created:
5 years, 10 months ago by ananta
Modified:
5 years, 10 months ago
CC:
chromium-reviews, cbentzel+watch_chromium.org, glider+watch_chromium.org, timurrrr+watch_chromium.org, bruening+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Fix a use after free crasher in the ReadAsync task initiated on Windows by the FileStream::Context::Read operation. The crash was reported by the DrMemory bot and based on the stack happens because the OVERLAPPED structure passed into the ReadFile call is invalid. Proposed fix is the following:- 1. Have two flags io_complete_for_read_received_ and async_read_completed_ which track whether the IO completion was received for a Read and whether we received a notification on the calling thread that the ReadFile call returned. We invoke the user callback only when both these flags are true. 2. We have another flag async_read_initiated_ which is set to true if an asynchonous Read was initated. We use this to not set the async_in_progress_ flag to false until both notifications as per 1 above are received. 3. All flags above are reset when we invoke the user callback. That now happens in the InvokeUserCallback function. 4. We need to save the result in a member as the callback is invoked later. 5. Removed the Weak pointer member from the Context class as this is not needed because the Context instance should remain valid until the pending Read operation completes. BUG=455066 Committed: https://crrev.com/806016e8bf4e217f2ebe5ad052481699f2287c63 Cr-Commit-Position: refs/heads/master@{#315098}

Patch Set 1 #

Patch Set 2 : Added comments for the InvokeUserCallback function #

Patch Set 3 : Fixed trybot redness #

Total comments: 5

Patch Set 4 : Replaced the DCHECK for async_in_progress_ with a CHECK #

Total comments: 4

Patch Set 5 : Address review comments #

Patch Set 6 : Fix ReadAsyncResult #

Patch Set 7 : Fixed build error #

Total comments: 2

Patch Set 8 : Address review comments #

Total comments: 4

Patch Set 9 : Check ReadFile success and set error to 0 #

Patch Set 10 : Fix build error #

Patch Set 11 : Rebased to tip #

Unified diffs Side-by-side diffs Delta from patch set Stats (+88 lines, -46 lines) Patch
M net/base/file_stream_context.h View 1 2 3 4 4 chunks +22 lines, -6 lines 0 comments Download
M net/base/file_stream_context.cc View 1 2 3 2 chunks +4 lines, -7 lines 0 comments Download
M net/base/file_stream_context_win.cc View 1 2 3 4 5 6 7 8 9 5 chunks +62 lines, -25 lines 0 comments Download
M tools/valgrind/drmemory/suppressions.txt View 1 2 3 4 5 6 7 8 9 10 1 chunk +0 lines, -8 lines 0 comments Download

Messages

Total messages: 18 (5 generated)
ananta
5 years, 10 months ago (2015-02-05 23:10:44 UTC) #2
rvargas (doing something else)
https://chromiumcodereview.appspot.com/888143003/diff/40001/net/base/file_stream_context_win.cc File net/base/file_stream_context_win.cc (right): https://chromiumcodereview.appspot.com/888143003/diff/40001/net/base/file_stream_context_win.cc#newcode87 net/base/file_stream_context_win.cc:87: nit: remove this line https://chromiumcodereview.appspot.com/888143003/diff/40001/net/base/file_stream_context_win.cc#newcode163 net/base/file_stream_context_win.cc:163: result_ = 0; ...
5 years, 10 months ago (2015-02-06 00:07:03 UTC) #3
ananta
https://chromiumcodereview.appspot.com/888143003/diff/40001/net/base/file_stream_context_win.cc File net/base/file_stream_context_win.cc (right): https://chromiumcodereview.appspot.com/888143003/diff/40001/net/base/file_stream_context_win.cc#newcode87 net/base/file_stream_context_win.cc:87: On 2015/02/06 00:07:02, rvargas wrote: > nit: remove this ...
5 years, 10 months ago (2015-02-06 01:18:19 UTC) #4
rvargas (doing something else)
https://chromiumcodereview.appspot.com/888143003/diff/120001/net/base/file_stream_context_win.cc File net/base/file_stream_context_win.cc (right): https://chromiumcodereview.appspot.com/888143003/diff/120001/net/base/file_stream_context_win.cc#newcode213 net/base/file_stream_context_win.cc:213: base::Unretained(context), bytes_read, ::GetLastError())); bytes read is only valid if ...
5 years, 10 months ago (2015-02-06 01:46:33 UTC) #5
ananta
https://chromiumcodereview.appspot.com/888143003/diff/120001/net/base/file_stream_context_win.cc File net/base/file_stream_context_win.cc (right): https://chromiumcodereview.appspot.com/888143003/diff/120001/net/base/file_stream_context_win.cc#newcode213 net/base/file_stream_context_win.cc:213: base::Unretained(context), bytes_read, ::GetLastError())); On 2015/02/06 01:46:33, rvargas wrote: > ...
5 years, 10 months ago (2015-02-06 02:20:01 UTC) #6
rvargas (doing something else)
https://chromiumcodereview.appspot.com/888143003/diff/140001/net/base/file_stream_context_win.cc File net/base/file_stream_context_win.cc (right): https://chromiumcodereview.appspot.com/888143003/diff/140001/net/base/file_stream_context_win.cc#newcode209 net/base/file_stream_context_win.cc:209: BOOL ret = ReadFile(file, buf->data(), buf_len, &bytes_read, overlapped); nit: ...
5 years, 10 months ago (2015-02-06 02:47:20 UTC) #7
rvargas (doing something else)
Given that this is an experimental CL anyway, lgtm.
5 years, 10 months ago (2015-02-06 02:50:29 UTC) #8
ananta
https://chromiumcodereview.appspot.com/888143003/diff/140001/net/base/file_stream_context_win.cc File net/base/file_stream_context_win.cc (right): https://chromiumcodereview.appspot.com/888143003/diff/140001/net/base/file_stream_context_win.cc#newcode209 net/base/file_stream_context_win.cc:209: BOOL ret = ReadFile(file, buf->data(), buf_len, &bytes_read, overlapped); On ...
5 years, 10 months ago (2015-02-06 03:16:50 UTC) #10
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/888143003/180001
5 years, 10 months ago (2015-02-06 19:06:02 UTC) #12
commit-bot: I haz the power
Try jobs failed on following builders: chromium_presubmit on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presubmit/builds/41058)
5 years, 10 months ago (2015-02-06 19:12:07 UTC) #14
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/888143003/200001
5 years, 10 months ago (2015-02-06 19:25:56 UTC) #16
commit-bot: I haz the power
Committed patchset #11 (id:200001)
5 years, 10 months ago (2015-02-06 20:30:19 UTC) #17
commit-bot: I haz the power
5 years, 10 months ago (2015-02-06 20:30:46 UTC) #18
Message was sent while issue was closed. 
Patchset 11 (id:??) landed as
https://crrev.com/806016e8bf4e217f2ebe5ad052481699f2287c63
Cr-Commit-Position: refs/heads/master@{#315098}

Powered by Google App Engine
This is Rietveld 408576698