Chromium Code Reviews Chromium Code Reviews
Issue 888143003:
Fix a use after free crasher in the ReadAsync task initiated on Windows by the FileStream::Context:… (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/file_stream_context.h" | 5 #include "net/base/file_stream_context.h" |
| 6 | 6 |
| 7 #include <windows.h> | 7 #include <windows.h> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 34 SetOffset(overlapped, offset); | 34 SetOffset(overlapped, offset); |
| 35 } | 35 } |
| 36 | 36 |
| 37 } // namespace | 37 } // namespace |
| 38 | 38 |
| 39 FileStream::Context::Context(const scoped_refptr<base::TaskRunner>& task_runner) | 39 FileStream::Context::Context(const scoped_refptr<base::TaskRunner>& task_runner) |
| 40 : io_context_(), | 40 : io_context_(), |
| 41 async_in_progress_(false), | 41 async_in_progress_(false), |
| 42 orphaned_(false), | 42 orphaned_(false), |
| 43 task_runner_(task_runner), | 43 task_runner_(task_runner), |
| 44 weak_ptr_factory_(this) { | 44 async_read_initiated_(false), |
| 45 async_read_completed_(false), | |
| 46 io_complete_for_read_received_(false), | |
| 47 result_(0) { | |
| 45 io_context_.handler = this; | 48 io_context_.handler = this; |
| 46 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); | 49 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); |
| 47 } | 50 } |
| 48 | 51 |
| 49 FileStream::Context::Context(base::File file, | 52 FileStream::Context::Context(base::File file, |
| 50 const scoped_refptr<base::TaskRunner>& task_runner) | 53 const scoped_refptr<base::TaskRunner>& task_runner) |
| 51 : io_context_(), | 54 : io_context_(), |
| 52 file_(file.Pass()), | 55 file_(file.Pass()), |
| 53 async_in_progress_(false), | 56 async_in_progress_(false), |
| 54 orphaned_(false), | 57 orphaned_(false), |
| 55 task_runner_(task_runner), | 58 task_runner_(task_runner), |
| 56 weak_ptr_factory_(this) { | 59 async_read_initiated_(false), |
| 60 async_read_completed_(false), | |
| 61 io_complete_for_read_received_(false), | |
| 62 result_(0) { | |
| 57 io_context_.handler = this; | 63 io_context_.handler = this; |
| 58 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); | 64 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); |
| 59 if (file_.IsValid()) { | 65 if (file_.IsValid()) { |
| 60 // TODO(hashimoto): Check that file_ is async. | 66 // TODO(hashimoto): Check that file_ is async. |
| 61 OnFileOpened(); | 67 OnFileOpened(); |
| 62 } | 68 } |
| 63 } | 69 } |
| 64 | 70 |
| 65 FileStream::Context::~Context() { | 71 FileStream::Context::~Context() { |
| 66 } | 72 } |
| 67 | 73 |
| 68 int FileStream::Context::Read(IOBuffer* buf, | 74 int FileStream::Context::Read(IOBuffer* buf, |
| 69 int buf_len, | 75 int buf_len, |
| 70 const CompletionCallback& callback) { | 76 const CompletionCallback& callback) { |
| 71 // TODO(vadimt): Remove ScopedTracker below once crbug.com/423948 is fixed. | 77 // TODO(vadimt): Remove ScopedTracker below once crbug.com/423948 is fixed. |
| 72 tracked_objects::ScopedTracker tracking_profile( | 78 tracked_objects::ScopedTracker tracking_profile( |
| 73 FROM_HERE_WITH_EXPLICIT_FUNCTION("423948 FileStream::Context::Read")); | 79 FROM_HERE_WITH_EXPLICIT_FUNCTION("423948 FileStream::Context::Read")); |
| 74 | 80 |
| 75 DCHECK(!async_in_progress_); | 81 CHECK(!async_in_progress_); |
| 82 DCHECK(!async_read_initiated_); | |
| 83 DCHECK(!async_read_completed_); | |
| 84 DCHECK(!io_complete_for_read_received_); | |
| 76 | 85 |
| 77 IOCompletionIsPending(callback, buf); | 86 IOCompletionIsPending(callback, buf); |
| 78 | 87 |
| 79 base::WorkerPool::PostTask( | 88 async_read_initiated_ = true; |
| 89 | |
| 90 task_runner_->PostTask( | |
| 80 FROM_HERE, | 91 FROM_HERE, |
| 81 base::Bind(&FileStream::Context::ReadAsync, | 92 base::Bind(&FileStream::Context::ReadAsync, base::Unretained(this), |
| 82 weak_ptr_factory_.GetWeakPtr(), file_.GetPlatformFile(), | 93 file_.GetPlatformFile(), make_scoped_refptr(buf), buf_len, |
| 83 make_scoped_refptr(buf), buf_len, &io_context_.overlapped, | 94 &io_context_.overlapped, |
| 84 base::MessageLoop::current()->message_loop_proxy()), | 95 base::MessageLoop::current()->message_loop_proxy())); |
| 85 false); | |
| 86 | |
| 87 return ERR_IO_PENDING; | 96 return ERR_IO_PENDING; |
| 88 } | 97 } |
| 89 | 98 |
| 90 int FileStream::Context::Write(IOBuffer* buf, | 99 int FileStream::Context::Write(IOBuffer* buf, |
| 91 int buf_len, | 100 int buf_len, |
| 92 const CompletionCallback& callback) { | 101 const CompletionCallback& callback) { |
| 102 CHECK(!async_in_progress_); | |
| 103 | |
| 93 DWORD bytes_written = 0; | 104 DWORD bytes_written = 0; |
| 94 if (!WriteFile(file_.GetPlatformFile(), buf->data(), buf_len, | 105 if (!WriteFile(file_.GetPlatformFile(), buf->data(), buf_len, |
| 95 &bytes_written, &io_context_.overlapped)) { | 106 &bytes_written, &io_context_.overlapped)) { |
| 96 IOResult error = IOResult::FromOSError(GetLastError()); | 107 IOResult error = IOResult::FromOSError(GetLastError()); |
| 97 if (error.os_error == ERROR_IO_PENDING) | 108 if (error.os_error == ERROR_IO_PENDING) |
| 98 IOCompletionIsPending(callback, buf); | 109 IOCompletionIsPending(callback, buf); |
| 99 else | 110 else |
| 100 LOG(WARNING) << "WriteFile failed: " << error.os_error; | 111 LOG(WARNING) << "WriteFile failed: " << error.os_error; |
| 101 return static_cast<int>(error.result); | 112 return static_cast<int>(error.result); |
| 102 } | 113 } |
| (...skipping 30 matching lines...) Expand all Loading... | |
| 133 } | 144 } |
| 134 | 145 |
| 135 void FileStream::Context::OnIOCompleted( | 146 void FileStream::Context::OnIOCompleted( |
| 136 base::MessageLoopForIO::IOContext* context, | 147 base::MessageLoopForIO::IOContext* context, |
| 137 DWORD bytes_read, | 148 DWORD bytes_read, |
| 138 DWORD error) { | 149 DWORD error) { |
| 139 DCHECK_EQ(&io_context_, context); | 150 DCHECK_EQ(&io_context_, context); |
| 140 DCHECK(!callback_.is_null()); | 151 DCHECK(!callback_.is_null()); |
| 141 DCHECK(async_in_progress_); | 152 DCHECK(async_in_progress_); |
| 142 | 153 |
| 143 async_in_progress_ = false; | 154 if (!async_read_initiated_) |
| 155 async_in_progress_ = false; | |
| 156 | |
| 144 if (orphaned_) { | 157 if (orphaned_) { |
| 158 async_in_progress_ = false; | |
| 145 callback_.Reset(); | 159 callback_.Reset(); |
| 146 in_flight_buf_ = NULL; | 160 in_flight_buf_ = NULL; |
| 147 CloseAndDelete(); | 161 CloseAndDelete(); |
| 148 return; | 162 return; |
| 149 } | 163 } |
| 150 | 164 |
| 151 int result; | |
| 152 if (error == ERROR_HANDLE_EOF) { | 165 if (error == ERROR_HANDLE_EOF) { |
| 153 result = 0; | 166 result_ = 0; |
| 154 } else if (error) { | 167 } else if (error) { |
| 155 IOResult error_result = IOResult::FromOSError(error); | 168 IOResult error_result = IOResult::FromOSError(error); |
| 156 result = static_cast<int>(error_result.result); | 169 result_ = static_cast<int>(error_result.result); |
| 157 } else { | 170 } else { |
| 158 result = bytes_read; | 171 result_ = bytes_read; |
| 159 IncrementOffset(&io_context_.overlapped, bytes_read); | 172 IncrementOffset(&io_context_.overlapped, bytes_read); |
| 160 } | 173 } |
| 161 | 174 |
| 175 if (async_read_initiated_) | |
| 176 io_complete_for_read_received_ = true; | |
| 177 | |
| 178 InvokeUserCallback(); | |
| 179 } | |
| 180 | |
| 181 void FileStream::Context::InvokeUserCallback() { | |
| 182 // For an asynchonous Read operation don't invoke the user callback until | |
| 183 // we receive the IO completion notification and the asynchronous Read | |
| 184 // completion notification. | |
| 185 if (async_read_initiated_) { | |
| 186 if (!io_complete_for_read_received_ || !async_read_completed_) | |
| 187 return; | |
| 188 async_read_initiated_ = false; | |
| 189 io_complete_for_read_received_ = false; | |
| 190 async_read_completed_ = false; | |
| 191 async_in_progress_ = false; | |
| 192 } | |
| 162 CompletionCallback temp_callback = callback_; | 193 CompletionCallback temp_callback = callback_; |
| 163 callback_.Reset(); | 194 callback_.Reset(); |
| 164 scoped_refptr<IOBuffer> temp_buf = in_flight_buf_; | 195 scoped_refptr<IOBuffer> temp_buf = in_flight_buf_; |
| 165 in_flight_buf_ = NULL; | 196 in_flight_buf_ = NULL; |
| 166 temp_callback.Run(result); | 197 temp_callback.Run(result_); |
| 167 } | 198 } |
| 168 | 199 |
| 169 // static | 200 // static |
| 170 void FileStream::Context::ReadAsync( | 201 void FileStream::Context::ReadAsync( |
| 171 const base::WeakPtr<FileStream::Context>& context, | 202 FileStream::Context* context, |
| 172 HANDLE file, | 203 HANDLE file, |
| 173 scoped_refptr<net::IOBuffer> buf, | 204 scoped_refptr<net::IOBuffer> buf, |
| 174 int buf_len, | 205 int buf_len, |
| 175 OVERLAPPED* overlapped, | 206 OVERLAPPED* overlapped, |
| 176 scoped_refptr<base::MessageLoopProxy> origin_thread_loop) { | 207 scoped_refptr<base::MessageLoopProxy> origin_thread_loop) { |
| 177 DWORD bytes_read = 0; | 208 DWORD bytes_read = 0; |
| 178 if (!ReadFile(file, buf->data(), buf_len, &bytes_read, overlapped)) { | 209 ReadFile(file, buf->data(), buf_len, &bytes_read, overlapped); |
| 179 origin_thread_loop->PostTask( | 210 origin_thread_loop->PostTask( |
| 180 FROM_HERE, base::Bind(&FileStream::Context::ReadAsyncResult, context, | 211 FROM_HERE, |
| 181 ::GetLastError())); | 212 base::Bind(&FileStream::Context::ReadAsyncResult, |
| 182 } | 213 base::Unretained(context), bytes_read, ::GetLastError())); |
|
rvargas (doing something else)
2015/02/06 01:46:33
bytes read is only valid if ReadFile returns true
ananta
2015/02/06 02:20:01
Done.
| |
| 183 } | 214 } |
| 184 | 215 |
| 185 void FileStream::Context::ReadAsyncResult(DWORD os_error) { | 216 void FileStream::Context::ReadAsyncResult(DWORD bytes_read, DWORD os_error) { |
| 217 if (bytes_read) | |
| 218 result_ = bytes_read; | |
| 219 | |
| 186 IOResult error = IOResult::FromOSError(os_error); | 220 IOResult error = IOResult::FromOSError(os_error); |
| 187 if (error.os_error == ERROR_HANDLE_EOF) { | 221 if (error.os_error == ERROR_HANDLE_EOF) { |
| 188 // Report EOF by returning 0 bytes read. | 222 // Report EOF by returning 0 bytes read. |
| 189 OnIOCompleted(&io_context_, 0, error.os_error); | 223 OnIOCompleted(&io_context_, 0, error.os_error); |
| 190 } else if (error.os_error != ERROR_IO_PENDING) { | 224 } else if (error.os_error != ERROR_IO_PENDING) { |
| 191 // We don't need to inform the caller about ERROR_PENDING_IO as that was | 225 // We don't need to inform the caller about ERROR_PENDING_IO as that was |
| 192 // already done when the ReadFile call was queued to the worker pool. | 226 // already done when the ReadFile call was queued to the worker pool. |
| 193 if (error.os_error) | 227 if (error.os_error) { |
| 194 LOG(WARNING) << "ReadFile failed: " << error.os_error; | 228 LOG(WARNING) << "ReadFile failed: " << error.os_error; |
| 195 OnIOCompleted(&io_context_, 0, error.os_error); | 229 OnIOCompleted(&io_context_, 0, error.os_error); |
| 230 } | |
| 196 } | 231 } |
| 232 async_read_completed_ = true; | |
| 233 InvokeUserCallback(); | |
| 197 } | 234 } |
| 198 | 235 |
| 199 } // namespace net | 236 } // namespace net |
| OLD | NEW |
