segfault (object partially on an unallocated page — possible UaF?) in ElectronDesktopWindowTreeHostLinux::OnWindowTiledStateChanged(ui::WindowTiledEdges) #41967
Comments
Hello @brjsp. Thanks for reporting this and helping to make Electron better! Would it be possible for you to make a standalone testcase with only the code necessary to reproduce the issue? For example, Electron Fiddle is a great tool for making small test cases and makes it easy to publish your test case to a gist that Electron maintainers can use. Stand-alone test cases make fixing issues go more smoothly: it ensures everyone's looking at the same issue, it removes all unnecessary variables from the equation, and it can also provide the basis for automated regression tests. Now adding the `blocked/need-repro` label.
Hey @brjsp, I appreciate the write-up here! We have a similar crash reported on various Linux distros elsewhere in the issue tracker, but the maintainers have unfortunately been unable to reproduce the crash on any Ubuntu devices. If you happen to have an application or gist repro that we could try to see if we can reproduce the crash, that would be extremely helpful. I'll dig into your write-up here in the meantime.
@VerteDinde I don't even know if this can be reproduced with official builds. The crashing application is signal-desktop. For me, the crashes happen intermittently, but @JohnVeness has reported they can reproduce it every time. @JohnVeness, can you download the Electron 29.3.1 binary from GitHub and try to run Signal with it? You can do that by adding the folder with the unpacked
Hi. I have just tried and the segfault does not occur with the official 29.3.1 binary (it still occurs every time without that binary).
Building with
We've been getting intermittent crashes in a custom build of Electron 29.3.1 on openSUSE Tumbleweed x64 with the following stack trace:
Let's disassemble the offending function:
The faulting instruction is the write at `0xd234f7`. If we compare that with the source code:

https://github.com/electron/electron/blob/v29.3.1/shell/browser/ui/electron_desktop_window_tree_host_linux.cc#L72
https://github.com/electron/electron/blob/v29.3.1/shell/browser/ui/views/client_frame_view_linux.h#L49

…it is clear that it's this assignment.

The address at `rax` is the `views::NonClientFrameView` base of the `electron::ClientFrameViewLinux`, and `rsi` are the flags we are trying to write:

There should be no offset between `ClientFrameViewLinux` and its `NonClientFrameView` base (if I'm interpreting the `(gdb) print *(electron::ClientFrameViewLinux*)0xsome_address` output correctly).

Let's look at the memory mappings (I only have access to core dumps because the crashes are intermittent):
How large is this object?
The object overhangs the READONLY page by 0x140 bytes. That page seems to be all zeroes.
At this point I'm unsure what to do next — it'd better not be an allocator bug…
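The check the reporter did by hand above (compare the object's address range against the core dump's memory mappings and see how far it overhangs into a page that is not writable) can be scripted. The following is an added example, not code from the issue or from Electron: it parses `/proc/<pid>/maps`-style lines (the same format gdb's `info proc mappings` is derived from) and splits an object's `[addr, addr+size)` range into writable, read-only and unmapped segments, so the overhang and the first offset at which a write into the object would fault are reported directly. The mapping lines, the object address and its size are constructed for illustration and only mirror the shape of the issue's situation (a 0x140-byte overhang into a read-only page); they are not values from the reporter's core dump.

```python
"""Locate which part of an object lies outside writable memory.

Added example (not from the issue or Electron). Mapping lines, object
address and size below are constructed; replace them with the output of
`cat /proc/<pid>/maps` or gdb's `info proc mappings` and the object's
address/sizeof from the debugger.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-format lines into Mapping records sorted by start address."""
    maps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                            m["perms"], m["path"]))
    return sorted(maps, key=lambda mp: mp.start)


def segment_object(maps: List[Mapping], addr: int, size: int) -> List[Tuple[int, int, str]]:
    """Split [addr, addr+size) into (start, end, label) segments, where the
    label is 'writable', 'readonly' (mapped without w) or 'unmapped'."""
    segments = []
    cursor, end = addr, addr + size
    while cursor < end:
        mp = next((m for m in maps if m.contains(cursor)), None)
        if mp is None:
            # Gap: runs until the next mapping starts or the object ends.
            nxt = next((m.start for m in maps if m.start > cursor), end)
            seg_end, label = min(nxt, end), "unmapped"
        else:
            seg_end = min(mp.end, end)
            label = "writable" if "w" in mp.perms else "readonly"
        segments.append((cursor, seg_end, label))
        cursor = seg_end
    return segments


def overhang(maps: List[Mapping], addr: int, size: int) -> int:
    """Number of bytes of the object that are not in writable memory."""
    return sum(e - s for s, e, label in segment_object(maps, addr, size)
               if label != "writable")


def first_unwritable_offset(maps: List[Mapping], addr: int, size: int) -> Optional[int]:
    """Offset within the object of the first byte a store would fault on,
    or None if the whole object is writable."""
    for s, _e, label in segment_object(maps, addr, size):
        if label != "writable":
            return s - addr
    return None


def report(maps: List[Mapping], addr: int, size: int) -> str:
    lines = [f"object [{addr:#x}, {addr + size:#x}) size {size:#x}"]
    for s, e, label in segment_object(maps, addr, size):
        lines.append(f"  {s:#x}-{e:#x} {e - s:#6x} bytes {label}")
    off = first_unwritable_offset(maps, addr, size)
    lines.append(f"  overhang {overhang(maps, addr, size):#x} bytes; "
                 f"first unwritable offset: {'none' if off is None else hex(off)}")
    return "\n".join(lines)


# Constructed sample: a heap mapping followed by a read-only page and a gap.
SAMPLE_MAPS = """\
55d0a0000000-55d0a1000000 rw-p 00000000 00:00 0                          [heap]
55d0a1000000-55d0a1001000 r--p 00000000 00:00 0
55d0a1002000-55d0a1400000 rw-p 00000000 00:00 0
"""
OBJ_ADDR = 0x55D0A0FFFC40  # constructed: 0x3c0 bytes before the read-only page
OBJ_SIZE = 0x500           # constructed: so the tail overhangs by 0x140 bytes

if __name__ == "__main__":
    print(report(parse_maps(SAMPLE_MAPS), OBJ_ADDR, OBJ_SIZE))
```

With a real core dump, the object address is the `this` pointer from the crashing frame and the size comes from `sizeof` (`ptype /o` in gdb shows the layout and total size). A non-zero overhang with `first_unwritable_offset` equal to the faulting member's offset confirms that the write is the first to touch the page, which is consistent with the object simply extending past the allocation rather than with an arbitrary dangling pointer; a fully mapped, writable object would instead point at a stale-pointer (use-after-free) or type-confusion explanation.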