Fix UAF in ProcessAlternativeServicesTest gtest.
This has been introduced in: https://chromium-review.googlesource.com/c/chromium/src/+/4442833 With this change, QuicStreamFactory calls CertVerifier::RemoveObserver from its destructor. Unfortunately, in the case of ProcessAlternativeServicesTest the CertVerifier has already been freed at this point, leading to a UAF. When using libstdc++ this produces the following error: [1692085:1692085:FATAL:lock_impl_posix.cc(46)] Check failed: rv == 0 || rv == EBUSY. . Invalid argument. Hint: This is often related to a use-after-free. 0x7f33685d342c base::debug::CollectStackTrace() 0x7f3368589bca base::debug::StackTrace::StackTrace() 0x7f3368589b85 base::debug::StackTrace::StackTrace() 0x7f33682ce950 logging::LogMessage::~LogMessage() 0x7f336828118c logging::(anonymous namespace)::DCheckLogMessage::~DCheckLogMessage() 0x7f33682811b9 logging::(anonymous namespace)::DCheckLogMessage::~DCheckLogMessage() 0x7f3368280e9d logging::CheckError::~CheckError() 0x7f336855fe25 base::internal::dcheck_trylock_result() 0x7f3368278237 base::internal::LockImpl::Try() 0x7f33682781e9 base::internal::LockImpl::Lock() 0x7f33682781bd base::Lock::Acquire() 0x7f3368277253 base::internal::BasicAutoLock<>::BasicAutoLock() 0x7f33683c98cc base::SequenceCheckerImpl::CalledOnValidSequence() 0x7f33683c9675 base::ScopedValidateSequenceChecker::ScopedValidateSequenceChecker() 0x7f33682ee31a base::internal::WeakReference::Flag::IsValid() 0x7f33682ee5df base::internal::WeakReference::IsValid() 0x562bfae350b9 base::WeakPtr<>::get() 0x562bfae35089 base::internal::CheckedObserverAdapter::IsEqual() 0x562bfae36480 base::ObserverList<>::RemoveObserver()::{lambda()#1}::operator()<>() 0x562bfae3644d base::internal::InvokeImpl<>() 0x562bfae363ed base::invoke<>() 0x562bfae363c4 base::internal::ProjectedUnaryPredicate<>()::{lambda()#1}::operator()<>() 0x562bfae3635d __gnu_cxx::__ops::_Iter_pred<>::operator()<>() 0x562bfae362a9 std::__find_if<>() 0x562bfae36096 std::__find_if<>() 0x562bfae36002 std::find_if<>() 0x562bfae35f2e 
base::ranges::find_if<>() 0x562bfae35c73 base::ranges::find_if<>() 0x562bfae2f70e base::ObserverList<>::RemoveObserver() 0x562bfae2eb44 net::MockCertVerifier::RemoveObserver() 0x7f336958f18d net::QuicStreamFactory::~QuicStreamFactory() 0x7f33693ac856 net::HttpNetworkSession::~HttpNetworkSession() 0x562bf7c671fb std::default_delete<>::operator()() 0x562bf7c61f11 std::unique_ptr<>::~unique_ptr() 0x562bf81f1a7e net::(anonymous namespace)::ProcessAlternativeServicesTest::~ProcessAlternativeServicesTest() 0x562bf81f1b95 net::(anonymous namespace)::ProcessAlternativeServicesTest_ProcessAltSvcClear_Test::~ProcessAlternativeServicesTest_ProcessAltSvcClear_Test() 0x562bf81f1bb9 net::(anonymous namespace)::ProcessAlternativeServicesTest_ProcessAltSvcClear_Test::~ProcessAlternativeServicesTest_ProcessAltSvcClear_Test() 0x562bfad76ed8 testing::Test::DeleteSelf_() 0x562bfad8aafb testing::internal::HandleSehExceptionsInMethodIfSupported<>() 0x562bfad76a87 testing::internal::HandleExceptionsInMethodIfSupported<>() 0x562bfad61deb testing::TestInfo::Run() Fix this by re-ordering the class members, which should ensure proper destruction order (the CertVerifier must outlive the HttpNetworkSession that unregisters from it). Bug: 1447990 Change-Id: I6ae9ef0313fd351d269dbb2e64bcbe27022862f9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4553838 Commit-Queue: Piotr Tworek <piotr.tworek@xperi.com> Reviewed-by: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/main@{#1148944}