Fix UAF and reenable test

RestrictedTokenTest.OpenLowPrivilegedProcess was occasionally failing under asan due to a use-after-free failure. Some of the output was misleading (in particular the line number of the claimed use-after-free) but the size/offset/alloc-size/alloc-site/free-site information was enough to find the bug and create a simple fix. The lesson is to not use a member of an object to identify the object to delete. Bug: 1012356 Change-Id: Iac5e032c5f4bc364eb367a8424a18868918f6181 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2427055Reviewed-by: James Forshaw <forshaw@chromium.org> Commit-Queue: Bruce Dawson <brucedawson@chromium.org> Cr-Commit-Position: refs/heads/master@{#810213}

Fix UAF and reenable test
RestrictedTokenTest.OpenLowPrivilegedProcess was occasionally failing under asan due to a use-after-free failure. Some of the output was misleading (in particular the line number of the claimed use-after-free) but the size/offset/alloc-size/alloc-site/free-site information was enough to find the bug and create a simple fix. The lesson is to not use a member of an object to identify the object to delete. Bug: 1012356 Change-Id: Iac5e032c5f4bc364eb367a8424a18868918f6181 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2427055Reviewed-by: James Forshaw <forshaw@chromium.org> Commit-Queue: Bruce Dawson <brucedawson@chromium.org> Cr-Commit-Position: refs/heads/master@{#810213}
b8479b16 · Bruce Dawson · Commit Bot · a758cf08 · b8479b16 · b8479b16
Commit b8479b16 authored Sep 24, 2020 by Bruce Dawson Committed by Commit Bot Sep 24, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 11 deletions

sandbox/win/src/broker_services.cc sandbox/win/src/broker_services.cc +4 -3

sandbox/win/src/restricted_token_test.cc sandbox/win/src/restricted_token_test.cc +1 -8

No files found.
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -338,12 +338,13 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) {

      ::UnregisterWait(tracker->wait_handle);
      tracker->wait_handle = INVALID_HANDLE_VALUE;
-
+      // Copy process_id so that we can legally reference it even after we have
+      // found the ProcessTracker object to delete.
+      const DWORD process_id = tracker->process_id;
      // PID is unique until the process handle is closed in dtor.
      processes.erase(std::remove_if(processes.begin(), processes.end(),
                                     [&](auto&& p) -> bool {
-                                       return p->process_id ==
-                                              tracker->process_id;
+                                       return p->process_id == process_id;
                                     }),
                      processes.end());


--- a/sandbox/win/src/restricted_token_test.cc
+++ b/sandbox/win/src/restricted_token_test.cc
@@ -143,14 +143,7 @@ SBOX_TESTS_COMMAND int RestrictedTokenTest_IsRestricted(int argc,
  return token_groups->GroupCount > 0 ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FAILED;
 }

-#if defined(ADDRESS_SANITIZER)
-// Flaky under asan: https://crbug.com/1012356
-#define MAYBE_OpenLowPrivilegedProcess DISABLED_OpenLowPrivilegedProcess
-#else
-#define MAYBE_OpenLowPrivilegedProcess OpenLowPrivilegedProcess
-#endif
-
-TEST(RestrictedTokenTest, MAYBE_OpenLowPrivilegedProcess) {
+TEST(RestrictedTokenTest, OpenLowPrivilegedProcess) {
  // Test limited privilege to renderer open.
  ASSERT_EQ(SBOX_TEST_SUCCEEDED,
            RunOpenProcessTest(false, false, GENERIC_READ | GENERIC_WRITE));