GWP-ASan is generally available for 64-bit Android


Kalvin Lee

Jan 16, 2024, 3:19:29 AM
to memory-safety-dev
Hi folks,

You probably saw the GWP-ASan paper that went out some time back. I'm happy to bring the good news that GWP-ASan is now enabled by default for Chrome on 64-bit Android.
  • For a general overview of GWP-ASan, see the public docs.
  • To see the public configuration for Android (taking effect in M121), see this revision.
  • GWP-ASan is actually already enabled on Android in M120 stable, but this configuration is done through Google's internal experimentation framework.
In the near future, we'd like to increase the sampling rate of GWP-ASan on Android to catch even more UaFs - stay tuned.

Cheers,
Kalvin

Kentaro Hara

Jan 16, 2024, 3:45:33 AM
to Kalvin Lee, Kostya Serebryany, Matt Denton, memory-safety-dev
Finally! Congratulations on the launch 🎉

--
You received this message because you are subscribed to the Google Groups "memory-safety-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to memory-safety-...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/memory-safety-dev/69414a8b-32fd-4839-81ad-39bcd8765447n%40chromium.org.


--
Kentaro Hara, Tokyo

Mitch Phillips

Jan 16, 2024, 5:35:21 AM
to Kentaro Hara, Kalvin Lee, Kostya Serebryany, Matt Denton, memory-safety-dev

Kalvin Lee

Jan 18, 2024, 2:22:59 AM
to Kostya Serebryany, Mitch Phillips, Kentaro Hara, Matt Denton, memory-safety-dev
I wish I had more to offer, but I can only drill down from the top-level dashboard, filtering by reports with GWP-ASan errors included (note: Google-internal). There aren't a whole lot yet. Let's hope that increasing the sampling will get us more :)

Interestingly, we are receiving concrete stack traces for OverlayWindowAndroid::Destroy() (the no. 2 crashiest trace at time of writing). This is associated with a nearly-cold-case bug and may provide new information. I reached out to the previous assignee and they thought it might be actionable (but we've yet to find out concretely).

On Wed, Jan 17, 2024 at 10:33 AM Kostya Serebryany <k...@google.com> wrote:
> Sweet!
> And yes, indeed, we'd love to see the stats, once you have them.

Mitch Phillips

Jan 18, 2024, 4:54:13 AM
to Kalvin Lee, Kostya Serebryany, Kentaro Hara, Matt Denton, memory-safety-dev
> Interestingly, we are receiving concrete stack traces for OverlayWindowAndroid::Destroy() (the no. 2 crashiest trace at time of writing). This is associated with a nearly-cold-case bug and may provide new information. I reached out to the previous assignee and they thought it might be actionable (but we've yet to find out concretely).

When you say "no. 2 crashiest trace", is that #2 GWP-ASan or #2 segv-on-android? Either way, we love examples like this (sanitizers turning impossible crashes -> fixable)!

Matt Denton

Jan 18, 2024, 12:37:53 PM
to Kalvin Lee, Kostya Serebryany, Mitch Phillips, Kentaro Hara, memory-safety-dev
On Wed, Jan 17, 2024 at 11:22 PM Kalvin Lee <kd...@chromium.org> wrote:
> I wish I had more to offer, but I can only drill down from the top-level dashboard, filtering by reports with GWP-ASan errors included (note: Google-internal). There aren't a whole lot yet. Let's hope that increasing the sampling will get us more :)

You're missing AndroidWebView. :)

We received our first ever Android WebView bug through the Chrome GWP-ASan pipeline the other day. It was fixed within a couple days. The actual bug was a racy UAF on an object that was already refcounted, but a task was posted to a different thread with a raw pointer to the object (instead of taking a reference), followed by the object being destroyed on the original thread, IIUC.

Kalvin Lee

Jan 18, 2024, 9:18:51 PM
to Matt Denton, Kostya Serebryany, Mitch Phillips, Kentaro Hara, memory-safety-dev
Wahoo! Thanks for the correction, Matt.

I should have broken down my "number two" wording - number two on the list of (Webview-excluded) GWP-ASan heap-use-after-free crashes is what I meant.

Bartek Nowierski

Jan 18, 2024, 11:22:16 PM
to Kalvin Lee, Matt Denton, Kostya Serebryany, Mitch Phillips, Kentaro Hara, memory-safety-dev, Vasiliy Telezhnikov
> We received our first ever Android WebView bug through the Chrome GWP-ASan pipeline the other day. It was fixed within a couple days.
Wow, I'm so happy to hear!

Btw, the file has several other occurrences of the `base::Unretained(manager_.get())` pattern; would they need fixing too?


Cheers,
Bartek
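The bug pattern Matt describes above (a task posted to another thread with a raw pointer to a refcounted object, then the owner destroying the object) and the `base::Unretained(manager_.get())` binding Bartek points at, as an added C++ example. This is not the WebView fix or any Chromium code: `std::shared_ptr` stands in for `scoped_refptr`, a queue drained later stands in for a cross-thread `PostTask`, and the `g_live_managers` registry is a constructed stand-in for the allocator knowing which memory has been freed (a guard-page allocator such as GWP-ASan would instead fault on the dereference and report the allocation and free stacks). The `Manager`/`TaskRunner` names and the `Outcome` enum are assumptions for illustration.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Constructed liveness registry: which Manager objects currently exist. A real
// build has no such check; the raw-pointer task below would simply touch freed
// memory, which is the heap-use-after-free GWP-ASan reports.
static std::set<const void*> g_live_managers;

// Stands in for a base::RefCounted object owned through scoped_refptr.
class Manager {
 public:
  Manager() { g_live_managers.insert(this); }
  ~Manager() { g_live_managers.erase(this); }
  int DoWork() { return ++work_done_; }
 private:
  int work_done_ = 0;
};

// Stands in for another thread's task runner: tasks queued by PostTask run
// later in RunPostedTasks, modelling the interleaving where the posting thread
// destroys the object before the other thread gets to the task.
class TaskRunner {
 public:
  void PostTask(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  void RunPostedTasks() {
    for (auto& task : tasks_) task();
    tasks_.clear();  // destroying the closures releases anything they captured
  }
 private:
  std::vector<std::function<void()>> tasks_;
};

enum class Outcome { kCompleted, kUseAfterFree };

// Bug pattern: capture a raw pointer, which is what binding
// base::Unretained(manager_.get()) does. Nothing keeps the object alive.
Outcome PostTaskWithRawPointer() {
  TaskRunner other_thread;
  auto manager = std::make_shared<Manager>();
  Manager* raw_manager = manager.get();  // no reference taken
  Outcome outcome = Outcome::kCompleted;
  other_thread.PostTask([raw_manager, &outcome] {
    if (g_live_managers.count(raw_manager) == 0) {
      outcome = Outcome::kUseAfterFree;  // would dereference freed memory
      return;
    }
    raw_manager->DoWork();
  });
  manager.reset();  // original thread drops its reference: Manager destroyed
  other_thread.RunPostedTasks();
  return outcome;
}

// Fix: bind a reference (scoped_refptr in Chromium, via base::RetainedRef).
// The task co-owns the object, so it cannot be destroyed before the task runs.
Outcome PostTaskWithReference() {
  TaskRunner other_thread;
  auto manager = std::make_shared<Manager>();
  Outcome outcome = Outcome::kCompleted;
  other_thread.PostTask([keep_alive = manager, &outcome] {
    if (g_live_managers.count(keep_alive.get()) == 0) {
      outcome = Outcome::kUseAfterFree;
      return;
    }
    keep_alive->DoWork();
  });
  manager.reset();  // task still holds a reference; object stays alive
  other_thread.RunPostedTasks();  // runs, then the last reference is released
  return outcome;
}

// Alternative when the task must not extend the object's lifetime: bind a weak
// handle (base::WeakPtr in Chromium, std::weak_ptr here) and skip the work if
// the object is already gone. Returns whether the work actually ran.
bool PostTaskWithWeakPointer(bool destroy_before_run) {
  TaskRunner other_thread;
  auto manager = std::make_shared<Manager>();
  bool ran = false;
  other_thread.PostTask([weak = std::weak_ptr<Manager>(manager), &ran] {
    if (auto strong = weak.lock()) {  // lock() fails once the owner destroyed it
      strong->DoWork();
      ran = true;
    }
  });
  if (destroy_before_run) manager.reset();
  other_thread.RunPostedTasks();
  return ran;
}
```

In the real cross-thread case the ordering is a race, so the raw-pointer version crashes only sometimes, which is why a sampled guard-page allocator running in the field is what finally surfaced it. Binding a `scoped_refptr` across threads also requires the object to be `base::RefCountedThreadSafe`, since both threads will touch the refcount; a `WeakPtr` has the opposite constraint and may only be dereferenced on the sequence that owns it, so it is the right fix only when the task runs on the owner's sequence.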

