Renderer crash in malloc_dump_provider.cc::ReportMallinfoStats because of mallinfo wraparound [401168177]

Bug

Unconfirmed

Stability-Crash

Status Update

No update yet.

Description

ai...@beamng.gmbh

created issue #1

Mar 6, 2025 12:46PM

Info

Chrome Version: CEF 130.1.16+g5a7e5ed+chromium-130.0.6723.117 (from https://cef-builds.spotifycdn.com)

Is this the most recent version: no, the same issue is present on the main branch though

OS + version: reproduced on Ubuntu 22.04 and Fedora 41

CPU architecture (32-bit / 64-bit): 64-bit

Window manager: irrelevant

We use CEF in our product and managed to trace the cause of a "random" renderer crash we were getting while in high-memory-usage situations. This problem shows only when compiled with glibc<2.33. We cannot use glibc>2.31 to keep compatibility with Ubuntu 20.04.

Steps

What steps will reproduce the problem?

Allocate enough memory using malloc so that mallinfo data wraps around and returns negative values (between 2 GiB and 4 GiB).
Wait for 1, 5, 10 or 15 minutes after a tab is loaded for the TabMemoryMetricsReporter to request a memory dump.
Get a SIGILL inside OnMemoryDump after the checked_cast<size_t> fails (see below the source code line). This terminates the render process.

What is the expected result?

The process runs normally.

What happens instead?

The main renderer process terminates because of a SIGILL signal.

Please provide any additional information below. Attach a screenshot and backtrace if possible.

Dumps

This is a backtrace of the issue on CEF 130.1.16+g5a7e5ed+chromium-130.0.6723.117:

2025-03-05 16:20:57: minidump_processor.cc:348: INFO: Processed 82DCC2B5FA324D50.dmp
Operating system: Linux
                  6.13.5 -200 #1 SMP PREEMPT_DYNAMIC Thu Feb 27 15:07:31 UTC 2025 x86_64
CPU: amd64
     family 25 model 80 stepping 0
     12 CPUs

GPU: UNKNOWN

Crash reason:  SIGILL / ILL_ILLOPN
Crash address: 0x7ffa574bc9c1
Process uptime: 316 seconds

Thread 18 (crashed)
 0  libcef.so!OnMemoryDump [malloc_dump_provider.cc : 0 + 0x0]
    rax = 0x00000000ad1f8000   rdx = 0x00000000000011c0
    rcx = 0x0000000000000001   rbx = 0x00007ff99808c3e0
    rsi = 0x000000000001fe40   rdi = 0x00007ffa34000880
    rbp = 0x00007ff96902e850   rsp = 0x00007ff96902e800
     r8 = 0x0000000000000000    r9 = 0x00007ffa34000030
    r10 = 0x00007ff96902e6e0   r11 = 0x0000000000000000
    r12 = 0x00007ffa5d931950   r13 = 0x0000000000000000
    r14 = 0x0000555fa8bdc8d0   r15 = 0x00007ff96902e800
    rip = 0x00007ffa574bc9c1
    Found by: given as instruction pointer in context
 1  libcef.so!InvokeOnMemoryDump [memory_dump_manager.cc : 467 + 0x9]
    rbx = 0x0000555fa8bdc900   rbp = 0x00007ff96902e8c0
    rsp = 0x00007ff96902e860   r12 = 0x00007ffa5d931950
    r13 = 0x0000000000000000   r14 = 0x00007ff99808c3e0
    r15 = 0x00007ff96902e880   rip = 0x00007ffa574bec43
    Found by: call frame info
 2  libcef.so!ContinueAsyncProcessDump [memory_dump_manager.cc : 385 + 0x8]
    rbx = 0x0000555fa8e967c8   rbp = 0x00007ff96902e940
    rsp = 0x00007ff96902e8d0   r12 = 0x00007ff99802c5a8
    r13 = 0x0000555fa9a7f7e0   r14 = 0x0000555fa8bdc900
    r15 = 0x0000555fa8e967c0   rip = 0x00007ffa574be937
    Found by: call frame info
 3  libcef.so!RunTaskImpl [callback.h : 156 + 0x3]
    rbx = 0x00007ff944003380   rbp = 0x00007ff96902e9d0
    rsp = 0x00007ff96902e950   r12 = 0x00007ff96902fd38
    r13 = 0x0000000000000000   r14 = 0x00007ff96902e998
    r15 = 0x0000000000000000   rip = 0x00007ffa5743a58f
    Found by: call frame info
 4  libcef.so!<name omitted> [task_annotator.h : 90 + 0x8]
    rbx = 0x0000000000000000   rbp = 0x00007ff96902ebb0
    rsp = 0x00007ff96902e9e0   r12 = 0x00007ff944003380
    r13 = 0x0000000000000001   r14 = 0x0000555fa98ec450
    r15 = 0x00007ffa5d931950   rip = 0x00007ffa57459122
    Found by: call frame info
 5  libcef.so!Run [message_pump_default.cc : 40 + 0xb]
    rbx = 0x00007ff944000be0   rbp = 0x00007ff96902ec10
    rsp = 0x00007ff96902ebc0   r12 = 0x00007ff96902ebc0
    r13 = 0x7fffffffffffffff   r14 = 0x0000555fa98ec450
    r15 = 0x00007ff944000bf0   rip = 0x00007ffa573f16a7
    Found by: call frame info
 6  libcef.so!Run [thread_controller_with_message_pump_impl.cc : 640 + 0x6]
    rbx = 0x0000555fa98ec360   rbp = 0x00007ff96902ec60
    rsp = 0x00007ff96902ec20   r12 = 0x0000555fa98ec380
    r13 = 0x7fffffffffffffff   r14 = 0x0000000000000001
    r15 = 0x0000555fa98ec590   rip = 0x00007ffa574598a1
    Found by: call frame info
 7  libcef.so!Run [run_loop.cc : 134 + 0x12]
    rbx = 0x00007ff96902ed30   rbp = 0x00007ff96902ece0
    rsp = 0x00007ff96902ec70   r12 = 0x0000555fa990a9a0
    r13 = 0x0000000000000000   r14 = 0x00007ff96902eca0
    r15 = 0x00007ff96902ecf0   rip = 0x00007ffa5741cb2e
    Found by: call frame info
 8  libcef.so!base::Thread::Run(base::RunLoop*) + 0x38
    rbx = 0x00007ff96902ed30   rbp = 0x00007ff96902ed20
    rsp = 0x00007ff96902ecf0   r12 = 0x0000555fa990a9a0
    r13 = 0x7ffffffffffffff7   r14 = 0x00007ff96902ecf0
    r15 = 0x00007ff96902ed30   rip = 0x00007ffa5747a258
    Found by: call frame info
 9  libcef.so!ThreadMain [thread.cc : 410 + 0xc]
    rbx = 0x0000555fa990a990   rbp = 0x00007ff96902ed80
    rsp = 0x00007ff96902ed30   r12 = 0x0000555fa990a9a0
    r13 = 0x7ffffffffffffff7   r14 = 0x0000000000000000
    r15 = 0x00007ff96902ed30   rip = 0x00007ffa5747a418
    Found by: call frame info
10  libcef.so!ThreadFunc [platform_thread_posix.cc : 101 + 0x8]
    rbx = 0x00007ff9691336c0   rbp = 0x00007ff96902edc0
    rsp = 0x00007ff96902ed90   r12 = 0x00007ffa34000c10
    r13 = 0x00007ff96902fb70   r14 = 0x00007ff96902fb40
    r15 = 0x0000555fa990a990   rip = 0x00007ffa5748dbce
    Found by: call frame info
11  libc.so.6 + 0x71168
    rbx = 0x00007ff969133cdc   rbp = 0x00007ff96902ee70
    rsp = 0x00007ff96902edd0   r12 = 0x00007ff9691336c0
    r13 = 0xffffffffffefc408   r14 = 0x0000000000000016
    r15 = 0x00007ffece586630   rip = 0x00007ffa5de7e168
    Found by: call frame info
12  libc.so.6 + 0x70db0
    rbp = 0x00007ff96902ee70   rsp = 0x00007ff96902ee60
    rip = 0x00007ffa5de7ddb0
    Found by: stack scanning
13  libc.so.6 + 0xf514c
    rsp = 0x00007ff96902ee80   rip = 0x00007ffa5df0214c
    Found by: stack scanning

This is the failing check that jumps to ud2 instruction, causing a SIGILL: https://source.chromium.org/chromium/chromium/src/+/refs/tags/133.0.6943.142:base/trace_event/malloc_dump_provider.cc;l=203

The disassembly of OnMemoryDump reveals that failed casts jump to OnMemoryDump+449, which is ud2:

(gdb) disassemble OnMemoryDump
OnMemoryDump():                                                                  
   0x0000000006cbc800 <+0>:     push   %rbp                                                                          
   0x0000000006cbc801 <+1>:     mov    %rsp,%rbp                                                                     
   0x0000000006cbc804 <+4>:     push   %r15                                                                          
   0x0000000006cbc806 <+6>:     push   %r14                                                                          
   0x0000000006cbc808 <+8>:     push   %r13                                                                          
   0x0000000006cbc80a <+10>:    push   %r12                                                                          
   0x0000000006cbc80c <+12>:    push   %rbx                                                                          
   0x0000000006cbc80d <+13>:    sub    $0x28,%rsp                                                                    
   0x0000000006cbc811 <+17>:    mov    %rdx,%rbx                                                                     
   0x0000000006cbc814 <+20>:    mov    %rdi,%r15                                                                     
   0x0000000006cbc817 <+23>:    lea    0x10(%rdi),%r14                                                               
   0x0000000006cbc81b <+27>:    mov    %r14,%rdi                                                                     
   0x0000000006cbc81e <+30>:    call   0xca1eca0 <pthread_mutex_trylock@plt>                                         
   0x0000000006cbc823 <+35>:    test   %eax,%eax                                                                     
   0x0000000006cbc825 <+37>:    je     0x6cbc82f <OnMemoryDump()+47>                                                 
   0x0000000006cbc827 <+39>:    mov    %r14,%rdi                                                                     
   0x0000000006cbc82a <+42>:    call   0x6c8d5b0 <pthreadMutexEnter>                                                 
   0x0000000006cbc82f <+47>:    mov    0x8(%r15),%r15b                                                               
   0x0000000006cbc833 <+51>:    mov    %r14,%rdi                                                                     
   0x0000000006cbc836 <+54>:    call   0xca1ecb0 <pthread_mutex_unlock@plt>                                          
   0x0000000006cbc83b <+59>:    cmp    $0x1,%r15b                                                                    
   0x0000000006cbc83f <+63>:    jne    0x6cbc9b0 <OnMemoryDump()+432>                                                
   0x0000000006cbc845 <+69>:    movabs $0xaaaaaaaaaaaaaaaa,%rax                                                      
   0x0000000006cbc84f <+79>:    lea    -0x50(%rbp),%r15                                                              
   0x0000000006cbc853 <+83>:    mov    %rax,0x20(%r15)                                                               
   0x0000000006cbc857 <+87>:    movaps -0x57c3d3e(%rip),%xmm0        # 0x14f8b20                                     
   0x0000000006cbc85e <+94>:    movaps %xmm0,0x10(%r15)                                                              
   0x0000000006cbc863 <+99>:    movaps %xmm0,(%r15)                                                                  
   0x0000000006cbc867 <+103>:   mov    %r15,%rdi   
   0x0000000006cbc86a <+106>:   call   0xca20c90 <mallinfo@plt>                                                       
   0x0000000006cbc86f <+111>:   mov    0x10(%r15),%eax                                                               
   0x0000000006cbc873 <+115>:   add    (%r15),%eax    
   0x0000000006cbc876 <+118>:   js     0x6cbc9c1 <OnMemoryDump()+449>                                                 
   0x0000000006cbc87c <+124>:   movslq -0x34(%rbp),%r14                                                              
   0x0000000006cbc880 <+128>:   test   %r14,%r14       
   0x0000000006cbc883 <+131>:   js     0x6cbc9c1 <OnMemoryDump()+449>                                                 
   0x0000000006cbc889 <+137>:   lea    -0x4a(%rbp),%rcx                                                              
   0x0000000006cbc88d <+141>:   movb   $0x6,0x11(%rcx) 
   0x0000000006cbc891 <+145>:   lea    -0x548385f(%rip),%rdx        # 0x1839039                                       
   0x0000000006cbc898 <+152>:   cmp    %rdx,%r15                                                                     
   0x0000000006cbc89b <+155>:   seta   %sil     
   0x0000000006cbc89f <+159>:   cmp    %rdx,%rcx
   0x0000000006cbc8a2 <+162>:   setbe  %cl      
   0x0000000006cbc8a5 <+165>:   or     %sil,%cl            
   0x0000000006cbc8a8 <+168>:   je     0x6cbc9c1 <OnMemoryDump()+449>                                                 
   0x0000000006cbc8ae <+174>:   mov    %eax,%r15d          
   0x0000000006cbc8b1 <+177>:   lea    -0x50(%rbp),%r13    
   0x0000000006cbc8b5 <+181>:   movw   $0x636f,0x4(%r13)   
   0x0000000006cbc8bc <+188>:   movl   $0x6c6c616d,0x0(%r13)                                                          
   0x0000000006cbc8c4 <+196>:   movb   $0x0,0x6(%r13)      
   0x0000000006cbc8c9 <+201>:   mov    %rbx,%rdi           
   0x0000000006cbc8cc <+204>:   mov    %r13,%rsi           
   0x0000000006cbc8cf <+207>:   call   0x6cc0f30 <CreateAllocatorDump()>                                              
   0x0000000006cbc8d4 <+212>:   mov    %rax,%r12           
   0x0000000006cbc8d7 <+215>:   cmpb   $0x0,0x17(%r13)     
   0x0000000006cbc8dc <+220>:   jns    0x6cbc8e7 <OnMemoryDump()+231>                                                 
   0x0000000006cbc8de <+222>:   mov    -0x50(%rbp),%rdi    
   0x0000000006cbc8e2 <+226>:   call   0x6ce46a0 <UncheckedFree()>                                                    
   0x0000000006cbc8e7 <+231>:   lea    -0x556cf1d(%rip),%rsi        # 0x174f9d1                                       
   0x0000000006cbc8ee <+238>:   lea    -0x4d15573(%rip),%r13        # 0x1fa7382 <_ZN4base11trace_event19MemoryAllocatorDump11kUnitsBytesE>
   0x0000000006cbc8f5 <+245>:   mov    %r12,%rdi           
   0x0000000006cbc8f8 <+248>:   mov    %r13,%rdx           
   0x0000000006cbc8fb <+251>:   mov    %r15,%rcx           
   0x0000000006cbc8fe <+254>:   call   0x6cbd3e0 <AddScalar()>                                                        
   0x0000000006cbc903 <+259>:   lea    -0x4d155a1(%rip),%rsi        # 0x1fa7369 <_ZN4base11trace_event19MemoryAllocatorDump9kNameSizeE>
   0x0000000006cbc90a <+266>:   mov    %r12,%rdi           
   0x0000000006cbc90d <+269>:   mov    %r13,%rdx           
   0x0000000006cbc910 <+272>:   mov    %r14,%rcx           
   0x0000000006cbc913 <+275>:   call   0x6cbd3e0 <AddScalar()>                                                        
   0x0000000006cbc918 <+280>:   mov    $0x20,%edi          
   0x0000000006cbc91d <+285>:   call   0x6ce4ac0 <operator new()>                                                     
   0x0000000006cbc922 <+290>:   mov    %rax,-0x50(%rbp)    
   0x0000000006cbc926 <+294>:   movabs $0x8000000000000020,%rcx                                                       
   0x0000000006cbc930 <+304>:   mov    %rcx,-0x40(%rbp)    
   0x0000000006cbc934 <+308>:   movq   $0x18,-0x48(%rbp)   
   0x0000000006cbc93c <+316>:   lea    0x18(%rax),%rcx     
   0x0000000006cbc940 <+320>:   lea    -0x4d155f7(%rip),%rdx        # 0x1fa7350 <_ZN4base11trace_event18MallocDumpProvider17kAllocatedObjectsE>
   0x0000000006cbc947 <+327>:   cmp    %rdx,%rax
   0x0000000006cbc94a <+330>:   seta   %sil
   0x0000000006cbc94e <+334>:   cmp    %rdx,%rcx
   0x0000000006cbc951 <+337>:   setbe  %cl
   0x0000000006cbc954 <+340>:   or     %sil,%cl
   0x0000000006cbc957 <+343>:   je     0x6cbc9c1 <OnMemoryDump()+449>
   0x0000000006cbc959 <+345>:   movaps -0x4d15610(%rip),%xmm0        # 0x1fa7350 <_ZN4base11trace_event18MallocDumpProvider17kAllocatedObjectsE>
   0x0000000006cbc960 <+352>:   movups %xmm0,(%rax)
   0x0000000006cbc963 <+355>:   movabs $0x737463656a626f5f,%rcx
   0x0000000006cbc96d <+365>:   mov    %rcx,0x10(%rax)
   0x0000000006cbc971 <+369>:   movb   $0x0,0x18(%rax)
   0x0000000006cbc975 <+373>:   lea    -0x50(%rbp),%r15
   0x0000000006cbc979 <+377>:   mov    %rbx,%rdi
   0x0000000006cbc97c <+380>:   mov    %r15,%rsi
   0x0000000006cbc97f <+383>:   call   0x6cc0f30 <CreateAllocatorDump()>
   0x0000000006cbc984 <+388>:   mov    %rax,%rbx
   0x0000000006cbc987 <+391>:   cmpb   $0x0,0x17(%r15)
   0x0000000006cbc98c <+396>:   jns    0x6cbc997 <OnMemoryDump()+407>
--Type <RET> for more, q to quit, c to continue without paging--
   0x0000000006cbc98e <+398>:   mov    -0x50(%rbp),%rdi
   0x0000000006cbc992 <+402>:   call   0x6ce46a0 <UncheckedFree()>
   0x0000000006cbc997 <+407>:   lea    -0x4d15635(%rip),%rsi        # 0x1fa7369 <_ZN4base11trace_event19MemoryAllocatorDump9kNameSizeE>
   0x0000000006cbc99e <+414>:   lea    -0x4d15623(%rip),%rdx        # 0x1fa7382 <_ZN4base11trace_event19MemoryAllocatorDump11kUnitsBytesE>
   0x0000000006cbc9a5 <+421>:   mov    %rbx,%rdi
   0x0000000006cbc9a8 <+424>:   mov    %r14,%rcx
   0x0000000006cbc9ab <+427>:   call   0x6cbd3e0 <AddScalar()>
   0x0000000006cbc9b0 <+432>:   mov    $0x1,%al
   0x0000000006cbc9b2 <+434>:   add    $0x28,%rsp
   0x0000000006cbc9b6 <+438>:   pop    %rbx
   0x0000000006cbc9b7 <+439>:   pop    %r12
   0x0000000006cbc9b9 <+441>:   pop    %r13
   0x0000000006cbc9bb <+443>:   pop    %r14
   0x0000000006cbc9bd <+445>:   pop    %r15
   0x0000000006cbc9bf <+447>:   pop    %rbp
   0x0000000006cbc9c0 <+448>:   ret
   0x0000000006cbc9c1 <+449>:   ud2

Fix

We patched this locally by casting the data returned by mallinfo.

*total_virtual_size += checked_cast<size_t>((size_t)info.arena + (size_t)info.hblkhd);
size_t total_allocated_size = checked_cast<size_t>((size_t)info.uordblks);

The data will still be wrong when malloc usage is >4GiB, but the crash is prevented.

IssueTracker

This issue is a part of the Chromium tracker.