GoogleChromeLabs / chromeos_smart_card_connector

Smart Card Connector App for Chrome OS
https://chrome.google.com/webstore/detail/smart-card-connector/khpfeaanjngmcnplbdlpegiifgpfgdco
Apache License 2.0

ASan use-after-free report in case multiple readers are used #1090

Closed emaxx-google closed 9 months ago

emaxx-google commented 9 months ago

This was discovered after writing a test that involves multiple readers: #1088.

=================================================================
==2074344==ERROR: AddressSanitizer: heap-use-after-free on address 0xf03b1616 at pc 0x56cbee84 bp 0xeacfa868 sp 0xeacfa860
READ of size 1 at 0xf03b1616 thread T315
    #0 0x56cbee83 in google_smart_card::LibusbJsProxy::LibusbSubmitTransfer(libusb_transfer*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:862:21
    #1 0x56d1d1f7 in google_smart_card::LibusbTracingWrapper::LibusbSubmitTransfer(libusb_transfer*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_tracing_wrapper.cc:873:24
    #2 0x56cacd67 in libusb_submit_transfer /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/public/libusb_web_port_service.cc:162:27
    #3 0x56c6af43 in InterruptRead /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ccid_usb.c:1511:8
    #4 0x56c2ec7b in IFDHPolling /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ifdhandler.c:321:9
    #5 0x56beeb11 in EHStatusHandlerThread /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:467:10
    #6 0x568e6db9 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x34ddb9) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)
    #7 0x568c389e in asan_thread_start(void*) asan_interceptors.cpp.o
    #8 0xf788793c  (/lib/i386-linux-gnu/libc.so.6+0x8793c) (BuildId: 764acc44300dd15b6ecda32b094904da523c3fa4)
    #9 0xf7921177  (/lib/i386-linux-gnu/libc.so.6+0x121177) (BuildId: 764acc44300dd15b6ecda32b094904da523c3fa4)

0xf03b1616 is located 6 bytes inside of 40-byte region [0xf03b1610,0xf03b1638)
freed by thread T310 here:
    #0 0x56918c67 in operator delete(void*) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x37fc67) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)
    #1 0x56cc80de in google_smart_card::LibusbJsProxy::LibusbFreeTransfer(libusb_transfer*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:901:3
    #2 0x56cd310b in google_smart_card::LibusbJsProxy::WrapLibusbTransferCallback(libusb_transfer*)::$_1::operator()(google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>) const /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:1101:7
    #3 0x56cd1dfa in void std::__invoke_impl<void, google_smart_card::LibusbJsProxy::WrapLibusbTransferCallback(libusb_transfer*)::$_1&, google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult> >(std::__invoke_other, google_smart_card::LibusbJsProxy::WrapLibusbTransferCallback(libusb_transfer*)::$_1&, google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #4 0x56cd1c99 in std::enable_if<is_void<void>::value, void>::type std::__invoke_r<void, google_smart_card::LibusbJsProxy::WrapLibusbTransferCallback(libusb_transfer*)::$_1&, google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult> >(google_smart_card::LibusbJsProxy::WrapLibusbTransferCallback(libusb_transfer*)::$_1&, google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:150:7
    #5 0x56cd1ab9 in std::_Function_handler<void (google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>), google_smart_card::LibusbJsProxy::WrapLibusbTransferCallback(libusb_transfer*)::$_1>::_M_invoke(std::_Any_data const&, google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:290:9
    #6 0x56d0d409 in std::function<void (google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>)>::operator()(google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>) const /usr/bin/../lib/gcc-cross/i686-linux-gnu/12/../../../../i686-linux-gnu/include/c++/12/bits/std_function.h:591:9
    #7 0x56cfb067 in google_smart_card::AsyncRequestState<google_smart_card::LibusbJsTransferResult>::SetResult(google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../../../../common/cpp/src/public/requesting/async_request.h:65:7
    #8 0x56cf3281 in libusb_context::SetTransferResult(google_smart_card::AsyncRequestState<google_smart_card::LibusbJsTransferResult>*, google_smart_card::RequestResult<google_smart_card::LibusbJsTransferResult>) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_opaque_types.cc:319:3
    #9 0x56cf1bb1 in libusb_context::WaitAndProcessAsyncTransferReceivedResults(std::chrono::time_point<std::chrono::_V2::system_clock, std::chrono::duration<long long, std::ratio<1ll, 1000000000ll> > > const&, int*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_opaque_types.cc:80:3
    #10 0x56cc9ccd in google_smart_card::LibusbJsProxy::LibusbHandleEventsCompleted(libusb_context*, int*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:1039:8
    #11 0x56d2923a in google_smart_card::LibusbTracingWrapper::LibusbHandleEventsCompleted(libusb_context*, int*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_tracing_wrapper.cc:1039:24
    #12 0x56cad4c8 in libusb_handle_events_completed /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/public/libusb_web_port_service.cc:216:27
    #13 0x56c6b2b2 in InterruptRead /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ccid_usb.c:1531:9
    #14 0x56c2ec7b in IFDHPolling /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ifdhandler.c:321:9
    #15 0x56beeb11 in EHStatusHandlerThread /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:467:10
    #16 0x568e6db9 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x34ddb9) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)

previously allocated by thread T315 here:
    #0 0x569183e9 in operator new(unsigned int) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x37f3e9) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)
    #1 0x56cbc735 in google_smart_card::LibusbJsProxy::LibusbAllocTransfer(int) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:591:35
    #2 0x56d3a879 in google_smart_card::LibusbTracingWrapper::LibusbTransferTracingWrapper::LibusbTransferTracingWrapper(libusb_transfer*, google_smart_card::LibusbTracingWrapper*, google_smart_card::LibusbInterface*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_tracing_wrapper.cc:558:42
    #3 0x56d35107 in google_smart_card::LibusbTracingWrapper::LibusbTransferTracingWrapper::CreateWrappedTransfer(libusb_transfer*, google_smart_card::LibusbTracingWrapper*, google_smart_card::LibusbInterface*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_tracing_wrapper.cc:539:13
    #4 0x56d1d0b5 in google_smart_card::LibusbTracingWrapper::LibusbSubmitTransfer(libusb_transfer*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_tracing_wrapper.cc:868:7
    #5 0x56cacd67 in libusb_submit_transfer /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/public/libusb_web_port_service.cc:162:27
    #6 0x56c6af43 in InterruptRead /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ccid_usb.c:1511:8
    #7 0x56c2ec7b in IFDHPolling /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ifdhandler.c:321:9
    #8 0x56beeb11 in EHStatusHandlerThread /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:467:10
    #9 0x568e6db9 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x34ddb9) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)

Thread T315 created by T309 here:
    #0 0x568c37cc in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x32a7cc) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)
    #1 0x56bfbeb8 in ThreadCreate /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/utils.c:184:8
    #2 0x56bec6c2 in EHSpawnEventHandler /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:233:7
    #3 0x56be0d8e in RFAddReaderOriginal /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/readerfactory.c:397:8
    #4 0x56c04d4d in RFAddReader /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../src/readerfactory_webport.cc:52:22
    #5 0x56c0337e in HPAddHotPluggable /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:736:8
    #6 0x56c017ff in HPRescanUsbBus /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:431:5
    #7 0x56c0036b in HPEstablishUSBNotifications /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:510:4
    #8 0x568e6db9 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x34ddb9) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)

Thread T309 created by T308 here:
    #0 0x568c37cc in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x32a7cc) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)
    #1 0x56bfbeb8 in ThreadCreate /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/utils.c:184:8
    #2 0x56bfe113 in HPSearchHotPluggables /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:575:3
    #3 0x56bbfdb3 in google_smart_card::PcscLiteServerWebPortService::InitializeAndRunDaemonThread() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../src/public/pcsc_lite_server_web_port_service.cc:247:17
    #4 0x56b0c5fa in google_smart_card::Application::InitializeServicesOnBackgroundThread() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/cpp_lib/../../../smart_card_connector_app/src/application.cc:69:39
    #5 0x56b0f2f7 in void std::__invoke_impl<void, void (google_smart_card::Application::*)(), google_smart_card::Application*>(std::__invoke_memfun_deref, void (google_smart_card::Application::*&&)(), google_smart_card::Application*&&) /usr/bin/../lib/gcc-cross/i686-linux-gnu/12/../../../../i686-linux-gnu/include/c++/12/bits/invoke.h:74:14
    #6 0x56b0f0e9 in std::__invoke_result<void (google_smart_card::Application::*)(), google_smart_card::Application*>::type std::__invoke<void (google_smart_card::Application::*)(), google_smart_card::Application*>(void (google_smart_card::Application::*&&)(), google_smart_card::Application*&&) /usr/bin/../lib/gcc-cross/i686-linux-gnu/12/../../../../i686-linux-gnu/include/c++/12/bits/invoke.h:96:14
    #7 0x56b0f091 in void std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> >::_M_invoke<0u, 1u>(std::_Index_tuple<0u, 1u>) /usr/bin/../lib/gcc-cross/i686-linux-gnu/12/../../../../i686-linux-gnu/include/c++/12/bits/std_thread.h:252:13
    #8 0x56b0f020 in std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> >::operator()() /usr/bin/../lib/gcc-cross/i686-linux-gnu/12/../../../../i686-linux-gnu/include/c++/12/bits/std_thread.h:259:11
    #9 0x56b0ed01 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> > >::_M_run() /usr/bin/../lib/gcc-cross/i686-linux-gnu/12/../../../../i686-linux-gnu/include/c++/12/bits/std_thread.h:210:13
    #10 0xf7cc00bc  (/lib/i386-linux-gnu/libstdc++.so.6+0xc00bc) (BuildId: 61fa329d7cf2c420631e6340cd122f1a962b36dc)
    #11 0x568e6db9 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x34ddb9) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)

Thread T308 created by T0 here:
    #0 0x568c37cc in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x32a7cc) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)
    #1 0xf7cc02d7 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/i386-linux-gnu/libstdc++.so.6+0xc02d7) (BuildId: 61fa329d7cf2c420631e6340cd122f1a962b36dc)
    #2 0x56b0bff8 in google_smart_card::Application::ScheduleServicesInitialization() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/cpp_lib/../../../smart_card_connector_app/src/application.cc:60:3
    #3 0x56b0bda6 in google_smart_card::Application::Application(google_smart_card::GlobalContext*, google_smart_card::TypedMessageRouter*, std::function<void ()>) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/cpp_lib/../../../smart_card_connector_app/src/application.cc:47:3
    #4 0x569e18dc in std::unique_ptr<google_smart_card::Application, std::default_delete<google_smart_card::Application> > google_smart_card::MakeUnique<google_smart_card::Application, google_smart_card::TestingGlobalContext*, google_smart_card::TypedMessageRouter*, std::function<void ()> >(google_smart_card::TestingGlobalContext*&&, google_smart_card::TypedMessageRouter*&&, std::function<void ()>&&) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/../../../../common/cpp/src/public/unique_ptr_utils.h:26:33
    #5 0x569b0ee1 in google_smart_card::SmartCardConnectorApplicationTest::StartApplication() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/../../../src/application_unittest.cc:257:20
    #6 0x569404a1 in google_smart_card::SmartCardConnectorApplicationSingleClientTest_SCardGetStatusChangeMultipleReaders_Test::TestBody() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/../../../src/application_unittest.cc:1363:3
    #7 0x56e97da0 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:2607:10
    #8 0x56e7c548 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:2643:14
    #9 0x56e4dc25 in testing::Test::Run() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:2682:5
    #10 0x56e4ebef in testing::TestInfo::Run() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:2861:11
    #11 0x56e4f559 in testing::TestSuite::Run() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:3015:28
    #12 0x56e64ecf in testing::internal::UnitTestImpl::RunAllTests() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:5855:44
    #13 0x56e9b480 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:2607:10
    #14 0x56e7f1a8 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:2643:14
    #15 0x56e64998 in testing::UnitTest::Run() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest.cc:5438:10
    #16 0x56e28df5 in RUN_ALL_TESTS() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/include/gtest/gtest.h:2490:46
    #17 0x56e28dc7 in main /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/googletest/src/googletest/src/gtest_main.cc:52:10
    #18 0xf78237c4  (/lib/i386-linux-gnu/libc.so.6+0x237c4) (BuildId: 764acc44300dd15b6ecda32b094904da523c3fa4)

Thread T310 created by T309 here:
    #0 0x568c37cc in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x32a7cc) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)
    #1 0x56bfbeb8 in ThreadCreate /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/utils.c:184:8
    #2 0x56bec6c2 in EHSpawnEventHandler /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:233:7
    #3 0x56be0d8e in RFAddReaderOriginal /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/readerfactory.c:397:8
    #4 0x56c04d4d in RFAddReader /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../src/readerfactory_webport.cc:52:22
    #5 0x56c0337e in HPAddHotPluggable /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:736:8
    #6 0x56c017ff in HPRescanUsbBus /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:431:5
    #7 0x56bffcca in HPEstablishUSBNotifications /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:468:2
    #8 0x568e6db9 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x34ddb9) (BuildId: b015cb3716efed5f2f06b7a629358212a20882c6)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:862:21 in google_smart_card::LibusbJsProxy::LibusbSubmitTransfer(libusb_transfer*)
Shadow bytes around the buggy address:
  0x3e076270: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x3e076280: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x3e076290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e0762a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e0762b0: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
=>0x3e0762c0: fa fa[fd]fd fd fd fd fa fa fa 00 00 00 00 00 00
  0x3e0762d0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
  0x3e0762e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x3e0762f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x3e076300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x3e076310: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2074344==ABORTING
emaxx-google commented 9 months ago

Looks like the use-after-free is happening in this line that dereferences a freshly added transfer: https://github.com/GoogleChromeLabs/chromeos_smart_card_connector/blob/df83738650e975dbbaa4ffb9712abfe33b60faf2/third_party/libusb/webport/src/libusb_js_proxy.cc#L862

The problem seems to be that this transfer might've been already processed and freed by the other thread, because after the AddAsyncTransferInFlight() call above this transfer is placed into a data structure that's visible to other threads and, in case there's already a matching previously obtained transfer result, can be resolved by another thread immediately.
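The race described in the comment above, as an added illustration that is not code from the project: once a transfer has been handed to a structure that other threads can see, any of them may complete it and free it, so the submitting thread must finish reading the transfer's fields before publishing it and never touch the pointer afterwards. The model below is single-threaded and deterministic; the "other thread" is replaced by a result that has already arrived, which makes publishing resolve the transfer synchronously (the worst-case interleaving). All names here (Transfer, TransferArena, InFlightTable, SubmitBuggy, SubmitFixed, RunScenario) are hypothetical, and "freeing" is recorded in a side table rather than done with a real delete so that the stale read is observable instead of being undefined behaviour.

```cpp
// Added illustration (hypothetical names, not the project's code): why
// dereferencing a transfer after publishing it to a thread-shared in-flight
// table is a use-after-free hazard, and the ordering that avoids it.
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <vector>

struct Transfer {
  uint8_t endpoint;
  int length;
};

// Owns every transfer for the whole scenario so that a stale access can be
// detected with IsFreed() instead of being undefined behaviour, as it would
// be after a real delete.
class TransferArena {
 public:
  Transfer* Alloc(uint8_t endpoint, int length) {
    storage_.push_back(std::make_unique<Transfer>(Transfer{endpoint, length}));
    return storage_.back().get();
  }
  void Free(Transfer* t) { freed_.insert(t); }
  bool IsFreed(const Transfer* t) const { return freed_.count(t) != 0; }

 private:
  std::vector<std::unique_ptr<Transfer>> storage_;
  std::set<const Transfer*> freed_;
};

// Stand-in for the thread-shared in-flight structure. Completing a transfer
// runs its completion path, which frees it.
class InFlightTable {
 public:
  explicit InFlightTable(TransferArena& arena) : arena_(arena) {}

  // Models a result that another thread already delivered for `id`.
  void PreloadResult(int id) { ready_results_.insert(id); }

  // If a result for `id` is already available the transfer completes right
  // here (as another thread could do at any moment after publication);
  // otherwise it waits for the event loop.
  void Publish(int id, Transfer* t) {
    if (ready_results_.erase(id) != 0) {
      arena_.Free(t);  // completion path: the transfer is gone after this
    } else {
      in_flight_[id] = t;
    }
  }

 private:
  TransferArena& arena_;
  std::set<int> ready_results_;
  std::map<int, Transfer*> in_flight_;
};

enum class Outcome { kOk, kUseAfterFree };

// Buggy ordering: publish first, then read a field of the transfer (for
// example for tracing). If the transfer was already completed, this reads
// freed memory.
Outcome SubmitBuggy(InFlightTable& table, TransferArena& arena, int id,
                    Transfer* t) {
  table.Publish(id, t);
  if (arena.IsFreed(t)) return Outcome::kUseAfterFree;
  volatile uint8_t endpoint = t->endpoint;  // the dereference in question
  (void)endpoint;
  return Outcome::kOk;
}

// Fixed ordering: copy what is needed while the pointer is still exclusively
// owned, publish last, and never touch the pointer again.
Outcome SubmitFixed(InFlightTable& table, TransferArena& arena, int id,
                    Transfer* t) {
  const uint8_t endpoint = t->endpoint;
  const int length = t->length;
  table.Publish(id, t);
  (void)arena;
  (void)endpoint;
  (void)length;  // only the local copies are used from here on
  return Outcome::kOk;
}

// Runs one submission. `result_already_arrived` models losing the race.
Outcome RunScenario(bool fixed, bool result_already_arrived) {
  TransferArena arena;
  InFlightTable table(arena);
  const int id = 42;
  if (result_already_arrived) table.PreloadResult(id);
  Transfer* t = arena.Alloc(/*endpoint=*/0x81, /*length=*/64);
  return fixed ? SubmitFixed(table, arena, id, t)
               : SubmitBuggy(table, arena, id, t);
}
```

The same discipline applies to any object whose ownership is transferred to a concurrent completion path: treat the publish call as the point after which the pointer is no longer yours, and read everything you need, including values only used for logging, before that call.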