Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: potential crash in crashReporter.getUploadedReports #20428

Merged
merged 1 commit into from Oct 8, 2019

Conversation

@nornagon
Copy link
Member

@nornagon nornagon commented Oct 4, 2019

Description of Change

This fixes a buffer overflow that could occur when calling crashReporter.getUploadedReports in certain situations. std::sort requires that its comparator meet the Compare requirements, one of which is that:

For all a, comp(a,a)==false

I found this crash by running the crashReporter tests with ASan. Report:

==67882==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100055b2c0 at pc 0x00010de7a807 bp 0x7ffeebfa4310 sp 0x7ffeebfa4308
READ of size 4 at 0x61100055b2c0 thread T0
    #0 0x10de7a806 in void std::__1::__sort<crash_reporter::CrashReporterCrashpad::GetUploadedReports(base::FilePath const&)::$_0&, std::__1::pair<int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >*>(std::__1::pair<int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >*, std::__1::pair<int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >*, crash_reporter::CrashReporterCrashpad::GetUploadedReports(base::FilePath const&)::$_0&) crash_reporter_crashpad.cc:112
    #1 0x10de76a8f in crash_reporter::CrashReporterCrashpad::GetUploadedReports(base::FilePath const&) crash_reporter_crashpad.cc:114
[...]

I think the violation of the Compare rules was causing std::sort to access memory beyond the end of the array in certain situations.

Checklist

Release Notes

Notes: Fixed a crash that could occur when calling crashReporter.getUploadedReports.

@nornagon nornagon changed the title fix: fix crash in crashReporter.getUploadedReports fix: potential crash in crashReporter.getUploadedReports Oct 6, 2019
miniak
miniak approved these changes Oct 7, 2019
@nornagon nornagon merged commit ebd55c1 into master Oct 8, 2019
14 of 15 checks passed
Loading
@release-clerk
Copy link

@release-clerk release-clerk bot commented Oct 8, 2019

Release Notes Persisted

Fixed a crash that could occur when calling crashReporter.getUploadedReports.

Loading

@nornagon nornagon deleted the fix-crash-reporter-crash branch Oct 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants