Update Crashpad to 74490f00a47bbe38b08354eb9286f616285e8d22

0208c1a175e1 fuchsia: Don't capture incorrect/unreasonably large stacks 2291bfa32ef1 android, gyp: fix the build 74490f00a47b linux: roll lss and use sys_sigtimedwait/sys_sigprocmask Change-Id: I220c774c372f59303e62f1da5a1946549ce47cb8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1914901 Commit-Queue: Mark Mentovai <mark@chromium.org> Auto-Submit: Joshua Peraza <jperaza@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org> Cr-Commit-Position: refs/heads/master@{#715384}

Update Crashpad to 74490f00a47bbe38b08354eb9286f616285e8d22
0208c1a175e1 fuchsia: Don't capture incorrect/unreasonably large stacks 2291bfa32ef1 android, gyp: fix the build 74490f00a47b linux: roll lss and use sys_sigtimedwait/sys_sigprocmask Change-Id: I220c774c372f59303e62f1da5a1946549ce47cb8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1914901 Commit-Queue: Mark Mentovai <mark@chromium.org> Auto-Submit: Joshua Peraza <jperaza@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org> Cr-Commit-Position: refs/heads/master@{#715384}
7030d91a · Joshua Peraza · Commit Bot · 8045afd1 · 7030d91a · 7030d91a
Commit 7030d91a authored Nov 14, 2019 by Joshua Peraza Committed by Commit Bot Nov 14, 2019
7 changed files
--- a/third_party/crashpad/README.chromium
+++ b/third_party/crashpad/README.chromium
@@ -2,7 +2,7 @@ Name: Crashpad
 Short Name: crashpad
 URL: https://crashpad.chromium.org/
 Version: unknown
-Revision: a8d66ae7839a59d104b35ec6eb31f95cddd1813c
+Revision: 74490f00a47bbe38b08354eb9286f616285e8d22
 License: Apache 2.0
 License File: crashpad/LICENSE
 Security Critical: yes

--- a/third_party/crashpad/crashpad/DEPS
+++ b/third_party/crashpad/crashpad/DEPS
@@ -30,7 +30,7 @@ deps = {
      '8bee09f4a57807136593ddc906b0b213c21f9014',
  'crashpad/third_party/lss/lss':
      Var('chromium_git') + '/linux-syscall-support.git@' +
-      '8048ece6c16c91acfe0d36d1d3cc0890ab6e945c',
+      '726d71ec08d15493b94eff456bc31faecf0a5902',
  'crashpad/third_party/mini_chromium/mini_chromium':
      Var('chromium_git') + '/chromium/mini_chromium@' +
      'cdab1e6263ec7f3f61763efc1dac863f8dc07c80',

--- a/third_party/crashpad/crashpad/handler/linux/exception_handler_server_test.cc
+++ b/third_party/crashpad/crashpad/handler/linux/exception_handler_server_test.cc
@@ -367,16 +367,7 @@ TEST_P(ExceptionHandlerServerTest, RequestCrashDumpError) {
 INSTANTIATE_TEST_SUITE_P(ExceptionHandlerServerTestSuite,
                         ExceptionHandlerServerTest,
-#if defined(OS_ANDROID) && __ANDROID_API__ < 23
-                         // TODO(jperaza): Using a multi-client socket is not
-                         // supported on Android until an lss sigtimedwait()
-                         // wrapper is available to use in
-                         // ExceptionHandlerClient::SignalCrashDump().
-                         // https://crbug.com/crashpad/265
-                         testing::Values(false)
-#else
                         testing::Bool()
-#endif
 );
 }  // namespace

--- a/third_party/crashpad/crashpad/snapshot/fuchsia/process_reader_fuchsia.cc
+++ b/third_party/crashpad/crashpad/snapshot/fuchsia/process_reader_fuchsia.cc
@@ -53,7 +53,9 @@ void GetStackRegions(
  }
  if (range_with_sp.type != ZX_INFO_MAPS_TYPE_MAPPING) {
-    LOG(ERROR) << "stack range has unexpected type, continuing anyway";
+    LOG(ERROR) << "stack range has unexpected type " << range_with_sp.type
+               << ", aborting";
+    return;
  }
  if (range_with_sp.u.mapping.mmu_flags & ZX_VM_PERM_EXECUTE) {
@@ -75,8 +77,16 @@ void GetStackRegions(
               range_with_sp.base);
  const size_t region_size =
      range_with_sp.size - (start_address - range_with_sp.base);
+  // Because most Fuchsia processes use safestack, it is very unlikely that a
+  // stack this large would be valid. Even if it were, avoid creating
+  // unreasonably large dumps by artificially limiting the captured amount.
+  constexpr uint64_t kMaxStackCapture = 1048576u;
+  LOG_IF(ERROR, region_size > kMaxStackCapture)
+      << "clamping unexpectedly large stack capture of " << region_size;
+  const size_t clamped_region_size = std::min(region_size, kMaxStackCapture);
  stack_regions->push_back(
-      CheckedRange<zx_vaddr_t, size_t>(start_address, region_size));
+      CheckedRange<zx_vaddr_t, size_t>(start_address, clamped_region_size));
  // TODO(scottmg): https://crashpad.chromium.org/bug/196, once the retrievable
  // registers include FS and similar for ARM, retrieve the region for the

--- a/third_party/crashpad/crashpad/snapshot/fuchsia/process_snapshot_fuchsia_test.cc
+++ b/third_party/crashpad/crashpad/snapshot/fuchsia/process_snapshot_fuchsia_test.cc
@@ -24,6 +24,7 @@
 #include "gtest/gtest.h"
 #include "snapshot/fuchsia/process_snapshot_fuchsia.h"
 #include "test/multiprocess_exec.h"
+#include "util/fuchsia/koid_utilities.h"
 #include "util/fuchsia/scoped_task_suspend.h"
 namespace crashpad {
@@ -139,6 +140,96 @@ TEST(ProcessSnapshotFuchsiaTest, AddressSpaceMapping) {
  test.Run();
 }
+CRASHPAD_CHILD_TEST_MAIN(StackPointerIntoInvalidLocation) {
+  // Map a large block, output the base address of it, and block. The parent
+  // will artificially set the SP into this large block to confirm that a huge
+  // stack is not accidentally captured.
+  zx_handle_t large_vmo;
+  constexpr uint64_t kSize = 1 << 30u;
+  zx_status_t status = zx_vmo_create(kSize, 0, &large_vmo);
+  ZX_CHECK(status == ZX_OK, status) << "zx_vmo_create";
+  zx_vaddr_t mapped_addr;
+  status = zx_vmar_map(zx_vmar_root_self(),
+                       ZX_VM_PERM_READ | ZX_VM_PERM_WRITE,
+                       0,
+                       large_vmo,
+                       0,
+                       kSize,
+                       &mapped_addr);
+  ZX_CHECK(status == ZX_OK, status) << "zx_vmar_map";
+  CheckedWriteFile(StdioFileHandle(StdioStream::kStandardOutput),
+                   &mapped_addr,
+                   sizeof(mapped_addr));
+  zx_nanosleep(ZX_TIME_INFINITE);
+  return 0;
+}
+class InvalidStackPointerTest : public MultiprocessExec {
+ public:
+  InvalidStackPointerTest() : MultiprocessExec() {
+    SetChildTestMainFunction("StackPointerIntoInvalidLocation");
+    SetExpectedChildTermination(kTerminationNormal,
+                                ZX_TASK_RETCODE_SYSCALL_KILL);
+  }
+  ~InvalidStackPointerTest() {}
+ private:
+  void MultiprocessParent() override {
+    uint64_t address_of_large_mapping;
+    ASSERT_TRUE(ReadFileExactly(ReadPipeHandle(),
+                                &address_of_large_mapping,
+                                sizeof(address_of_large_mapping)));
+    ScopedTaskSuspend suspend(*ChildProcess());
+    std::vector<zx::thread> threads = GetThreadHandles(*ChildProcess());
+    ASSERT_EQ(threads.size(), 1u);
+    zx_thread_state_general_regs_t regs;
+    ASSERT_EQ(threads[0].read_state(
+                  ZX_THREAD_STATE_GENERAL_REGS, &regs, sizeof(regs)),
+              ZX_OK);
+    constexpr uint64_t kOffsetIntoMapping = 1024;
+#if defined(ARCH_CPU_X86_64)
+    regs.rsp = address_of_large_mapping + kOffsetIntoMapping;
+#elif defined(ARCH_CPU_ARM64)
+    regs.sp = address_of_large_mapping + kOffsetIntoMapping;
+#else
+#error
+#endif
+    ASSERT_EQ(threads[0].write_state(
+                  ZX_THREAD_STATE_GENERAL_REGS, &regs, sizeof(regs)),
+              ZX_OK);
+    ProcessSnapshotFuchsia process_snapshot;
+    ASSERT_TRUE(process_snapshot.Initialize(*ChildProcess()));
+    ASSERT_EQ(process_snapshot.Threads().size(), 1u);
+    const MemorySnapshot* stack = process_snapshot.Threads()[0]->Stack();
+    ASSERT_TRUE(stack);
+    // Ensure the stack capture isn't unreasonably large.
+    EXPECT_LT(stack->Size(), 10 * 1048576u);
+    // As we've corrupted the child, don't let it run again.
+    ASSERT_EQ(ChildProcess()->kill(), ZX_OK);
+  }
+  DISALLOW_COPY_AND_ASSIGN(InvalidStackPointerTest);
+};
+// This is a test for a specific failure detailed in
+// https://bugs.fuchsia.dev/p/fuchsia/issues/detail?id=41212. A test of stack
+// behavior that was intentionally overflowing the stack, and so when Crashpad
+// received the exception the SP did not point into the actual stack. This
+// caused Crashpad to erronously capture the "stack" from the next mapping in
+// the address space (which could be very large, cause OOM, etc.).
+TEST(ProcessSnapshotFuchsiaTest, InvalidStackPointer) {
+  InvalidStackPointerTest test;
+  test.Run();
+}
 }  // namespace
 }  // namespace test
 }  // namespace crashpad
--- a/third_party/crashpad/crashpad/util/linux/exception_handler_client.cc
+++ b/third_party/crashpad/crashpad/util/linux/exception_handler_client.cc
@@ -23,6 +23,7 @@
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "build/build_config.h"
+#include "third_party/lss/lss.h"
 #include "util/file/file_io.h"
 #include "util/linux/ptrace_broker.h"
 #include "util/linux/socket.h"
@@ -39,20 +40,21 @@ namespace {
 class ScopedSigprocmaskRestore {
 public:
-  explicit ScopedSigprocmaskRestore(const sigset_t& set_to_block)
+  explicit ScopedSigprocmaskRestore(const kernel_sigset_t& set_to_block)
      : orig_mask_(), mask_is_set_(false) {
-    mask_is_set_ = sigprocmask(SIG_BLOCK, &set_to_block, &orig_mask_) == 0;
+    mask_is_set_ = sys_sigprocmask(SIG_BLOCK, &set_to_block, &orig_mask_) == 0;
    DPLOG_IF(ERROR, !mask_is_set_) << "sigprocmask";
  }
  ~ScopedSigprocmaskRestore() {
-    if (mask_is_set_ && sigprocmask(SIG_SETMASK, &orig_mask_, nullptr) != 0) {
+    if (mask_is_set_ &&
+        sys_sigprocmask(SIG_SETMASK, &orig_mask_, nullptr) != 0) {
      DPLOG(ERROR) << "sigprocmask";
    }
  }
 private:
-  sigset_t orig_mask_;
+  kernel_sigset_t orig_mask_;
  bool mask_is_set_;
  DISALLOW_COPY_AND_ASSIGN(ScopedSigprocmaskRestore);
@@ -119,11 +121,9 @@ void ExceptionHandlerClient::SetCanSetPtracer(bool can_set_ptracer) {
 int ExceptionHandlerClient::SignalCrashDump(
    const ExceptionHandlerProtocol::ClientInformation& info,
    VMAddress stack_pointer) {
-  // TODO(jperaza): Use lss for system calls when sys_sigtimedwait() exists.
+  kernel_sigset_t dump_done_sigset;
-  // https://crbug.com/crashpad/265
+  sys_sigemptyset(&dump_done_sigset);
-  sigset_t dump_done_sigset;
+  sys_sigaddset(&dump_done_sigset, ExceptionHandlerProtocol::kDumpDoneSignal);
-  sigemptyset(&dump_done_sigset);
-  sigaddset(&dump_done_sigset, ExceptionHandlerProtocol::kDumpDoneSignal);
  ScopedSigprocmaskRestore scoped_block(dump_done_sigset);
  int status = SendCrashDumpRequest(info, stack_pointer);
@@ -131,19 +131,14 @@ int ExceptionHandlerClient::SignalCrashDump(
    return status;
  }
-#if defined(OS_ANDROID) && __ANDROID_API__ < 23
-  // sigtimedwait() wrappers aren't available on Android until API 23 but this
-  // can use the lss wrapper when it's available.
-  NOTREACHED();
-#else
  siginfo_t siginfo = {};
  timespec timeout;
  timeout.tv_sec = 5;
  timeout.tv_nsec = 0;
-  if (HANDLE_EINTR(sigtimedwait(&dump_done_sigset, &siginfo, &timeout)) < 0) {
+  if (HANDLE_EINTR(sys_sigtimedwait(&dump_done_sigset, &siginfo, &timeout)) <
+      0) {
    return errno;
  }
-#endif
  return 0;
 }

--- a/third_party/crashpad/crashpad/util/util.gyp
+++ b/third_party/crashpad/crashpad/util/util.gyp
@@ -416,6 +416,7 @@
            ['include', '^linux/'],
            ['include', '^misc/capture_context_linux\\.S$'],
            ['include', '^misc/paths_linux\\.cc$'],
+            ['include', '^misc/time_linux\\.cc$'],
            ['include', '^posix/process_info_linux\\.cc$'],
            ['include', '^process/process_memory_linux\\.cc$'],
            ['include', '^process/process_memory_linux\\.h$'],