GitHub: anansi2safe/CVE-2026-5281
# CVE-2026-5281
## Chromium commit
```text
commit e00a64ead1abef9447943efede7bc26362ac3797 (HEAD -> 146.0.7680.71, tag: 146.0.7680.71)
Author: Roger McFarlane
Date:   Mon Mar 9 12:52:01 2026 -0700

    [M146-desktop-respin] Make LimitedLayerEntropyCostTracker time-aware.

    This change modifies the LimitedLayerEntropyCostTracker to account for
    the entropy cost of studies that are active at a specific evaluation
    time. The evaluation time is passed to the tracker's constructor and is
    used to check against the study's filter dates and Google web visibility
    dates.

    The current time for entropy evaluation is sourced from
    VariationsIdsProvider.

    (cherry picked from commit 2ec2c50b47686def251947a2675a207863803cac)

    Bug: 490248046, 490432663
    Change-Id: I3174730f35b037d533bf10b2b1d0531e3781acfe
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7639358
    Reviewed-by: Alexei Svitkine
    Commit-Queue: Alexei Svitkine
    Cr-Original-Commit-Position: refs/heads/main@{#1595543}
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7637760
    Bot-Commit: Rubber Stamper
    Cr-Commit-Position: refs/branch-heads/7680_65@{#23}
    Cr-Branched-From: efe36a9d42443b4091a5be1be21e93ceff9b7a5e-refs/branch-heads/7680@{#1898}
    Cr-Branched-From: 76b7d80e5cda23fe6537eed26d68c92e995c7f39-refs/heads/main@{#1582197}
```
## Build arguments
```gn
# Set build arguments here. See `gn help buildargs`.
is_official_build = false
is_debug = false
is_asan = true
symbol_level = 0
v8_symbol_level = 0
blink_symbol_level = 0
is_component_build = false
proprietary_codecs = true
ffmpeg_branding = "Chrome"
v8_enable_sandbox = true
dcheck_always_on = false
optimize_webui = true
target_os = "linux"
target_cpu = "x64"
```
## ASAN Log
=================================================================
==1780424==ERROR: AddressSanitizer: heap-use-after-free on address 0x76ca5a1351d0 at pc 0x5c3a49a29eea bp 0x7ffc5ece7110 sp 0x7ffc5ece7108
READ of size 8 at 0x76ca5a1351d0 thread T0 (chrome)
#0 0x5c3a49a29ee9 in dawn::wire::server::Server::DoAdapterRequestDevice(dawn::wire::server::Known, dawn::wire::ObjectHandle, WGPUFuture, dawn::wire::ObjectHandle, WGPUFuture, WGPUDeviceDescriptor const*)::$_0::__invoke(WGPUDeviceImpl* const*, WGPUErrorType, WGPUStringView, void*, void*) ServerAdapter.cpp
#1 0x5c3a2b68ef0b in dawn::native::DeviceBase::HandleError(std::__Cr::unique_ptr>, dawn::native::InternalErrorType, wgpu::DeviceLostReason, dawn::native::DeviceBase::ForwardToErrorScope) Device.cpp
#2 0x5c3a2b79f46d in dawn::native::QueueBase::APIWriteBuffer(dawn::native::BufferBase*, unsigned long, void const*, unsigned long) Queue.cpp
#3 0x5c3a2b52b9be in dawn::native::NativeQueueWriteBuffer(WGPUQueueImpl*, WGPUBufferImpl*, unsigned long, void const*, unsigned long) ProcTable.cpp
#4 0x5c3a49a3c449 in dawn::wire::server::Server::DoQueueWriteBuffer(dawn::wire::server::Known, dawn::wire::server::Known, unsigned long, unsigned char const*, unsigned long) ServerQueue.cpp
#5 0x5c3a49a1c14a in dawn::wire::server::Server::HandleQueueWriteBuffer(dawn::wire::DeserializeBuffer*) ServerHandlers_autogen.cpp
#6 0x5c3a49a201f9 in dawn::wire::server::Server::HandleCommands(char const volatile*, unsigned long) ServerHandlers_autogen.cpp
#7 0x5c3a499db517 in gpu::webgpu::(anonymous namespace)::DawnWireServer::HandleCommands(char const volatile*, unsigned long) webgpu_decoder_impl.cc
#8 0x5c3a499db98d in gpu::webgpu::(anonymous namespace)::WebGPUDecoderImpl::HandleDawnCommands(unsigned int, void const volatile*) webgpu_decoder_impl.cc
#9 0x5c3a499cf882 in gpu::webgpu::(anonymous namespace)::WebGPUDecoderImpl::DoCommands(unsigned int, void const volatile*, int, int*) webgpu_decoder_impl.cc
#10 0x5c3a32edce84 in gpu::CommandBufferService::Flush(int, gpu::AsyncAPIInterface*) command_buffer_service.cc
#11 0x5c3a491024ab in gpu::CommandBufferStub::OnAsyncFlush(int, unsigned int, std::__Cr::vector> const&) command_buffer_stub.cc
#12 0x5c3a49101711 in gpu::CommandBufferStub::ExecuteDeferredRequest(gpu::mojom::DeferredCommandBufferRequestParams&, gpu::FenceSyncReleaseDelegate*) command_buffer_stub.cc
#13 0x5c3a4912483c in gpu::GpuChannel::ExecuteDeferredRequest(mojo::StructPtr, gpu::FenceSyncReleaseDelegate*) gpu_channel.cc
#14 0x5c3a49132b97 in void base::internal::DecayedFunctorTraits, gpu::FenceSyncReleaseDelegate*), base::WeakPtr&&, mojo::StructPtr&&>::Invoke, gpu::FenceSyncReleaseDelegate*), base::WeakPtr const&, mojo::StructPtr, gpu::FenceSyncReleaseDelegate*>(void (gpu::GpuChannel::*)(mojo::StructPtr, gpu::FenceSyncReleaseDelegate*), base::WeakPtr const&, mojo::StructPtr&&, gpu::FenceSyncReleaseDelegate*&&) gpu_channel.cc
#15 0x5c3a49132979 in base::internal::Invoker, gpu::FenceSyncReleaseDelegate*), base::WeakPtr&&, mojo::StructPtr&&>, base::internal::BindState, gpu::FenceSyncReleaseDelegate*), base::WeakPtr, mojo::StructPtr>, void (gpu::FenceSyncReleaseDelegate*)>::RunOnce(base::internal::BindStateBase*, gpu::FenceSyncReleaseDelegate*) gpu_channel.cc
#16 0x5c3a32f1f831 in void base::internal::Invoker&&, gpu::FenceSyncReleaseDelegate*>, base::internal::BindState, base::internal::UnretainedWrapper>, void ()>::RunImpl, std::__Cr::tuple>, 0ul>(base::OnceCallback&&, std::__Cr::tuple>&&, std::__Cr::integer_sequence) task_graph.cc
#17 0x5c3a32ef3f77 in gpu::Scheduler::ExecuteSequence(base::IdType) scheduler.cc
#18 0x5c3a32ef1fa8 in gpu::Scheduler::RunNextTask() scheduler.cc
#19 0x5c3a32ef5b91 in base::internal::Invoker, base::internal::BindState>, void ()>::RunOnce(base::internal::BindStateBase*) scheduler.cc
#20 0x5c3a3f89be16 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) task_annotator.cc
#21 0x5c3a3f913257 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) thread_controller_with_message_pump_impl.cc
#22 0x5c3a3f91212a in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() thread_controller_with_message_pump_impl.cc
#23 0x5c3a3f75c6e9 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) message_pump_default.cc
#24 0x5c3a3f914947 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) thread_controller_with_message_pump_impl.cc
#25 0x5c3a3f8170f0 in base::RunLoop::Run(base::Location const&) run_loop.cc
#26 0x5c3a4b4f979c in content::GpuMain(content::MainFunctionParams) gpu_main.cc
#27 0x5c3a3b59708f in content::RunZygote(content::ContentMainDelegate*) content_main_runner_impl.cc
#28 0x5c3a3b5983a0 in content::RunOtherNamedProcessTypeMain(std::__Cr::basic_string, std::__Cr::allocator> const&, content::MainFunctionParams, content::ContentMainDelegate*) content_main_runner_impl.cc
#29 0x5c3a3b59afc8 in content::ContentMainRunnerImpl::Run() content_main_runner_impl.cc
#30 0x5c3a3b594aa1 in content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) content_main.cc
#31 0x5c3a3b59509c in content::ContentMain(content::ContentMainParams) content_main.cc
#32 0x5c3a28461289 in ChromeMain (/home/anansi/myspace/google/chrome/chromium/src/out/release/chrome+0x10749289) (BuildId: 95e169161bdcaa2a)
#33 0x7aaa5bc2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#34 0x7aaa5bc2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#35 0x5c3a28384029 in _start (/home/anansi/myspace/google/chrome/chromium/src/out/release/chrome+0x1066c029) (BuildId: 95e169161bdcaa2a)
0x76ca5a1351d0 is located 0 bytes inside of 16-byte region [0x76ca5a1351d0,0x76ca5a1351e0)
freed by thread T0 (chrome) here:
#0 0x5c3a28460752 in operator delete(void*, unsigned long) (/home/anansi/myspace/google/chrome/chromium/src/out/release/chrome+0x10748752) (BuildId: 95e169161bdcaa2a)
#1 0x5c3a49a3066d in dawn::wire::server::Server::DoUnregisterObject(dawn::wire::ObjectType, unsigned int) ServerDoers_autogen.cpp
#2 0x5c3a49a218cf in dawn::wire::server::Server::HandleCommands(char const volatile*, unsigned long) ServerHandlers_autogen.cpp
#3 0x5c3a499db517 in gpu::webgpu::(anonymous namespace)::DawnWireServer::HandleCommands(char const volatile*, unsigned long) webgpu_decoder_impl.cc
#4 0x5c3a499db98d in gpu::webgpu::(anonymous namespace)::WebGPUDecoderImpl::HandleDawnCommands(unsigned int, void const volatile*) webgpu_decoder_impl.cc
#5 0x5c3a499cf882 in gpu::webgpu::(anonymous namespace)::WebGPUDecoderImpl::DoCommands(unsigned int, void const volatile*, int, int*) webgpu_decoder_impl.cc
#6 0x5c3a32edce84 in gpu::CommandBufferService::Flush(int, gpu::AsyncAPIInterface*) command_buffer_service.cc
#7 0x5c3a491024ab in gpu::CommandBufferStub::OnAsyncFlush(int, unsigned int, std::__Cr::vector> const&) command_buffer_stub.cc
#8 0x5c3a49101711 in gpu::CommandBufferStub::ExecuteDeferredRequest(gpu::mojom::DeferredCommandBufferRequestParams&, gpu::FenceSyncReleaseDelegate*) command_buffer_stub.cc
#9 0x5c3a4912483c in gpu::GpuChannel::ExecuteDeferredRequest(mojo::StructPtr, gpu::FenceSyncReleaseDelegate*) gpu_channel.cc
#10 0x5c3a49132b97 in void base::internal::DecayedFunctorTraits, gpu::FenceSyncReleaseDelegate*), base::WeakPtr&&, mojo::StructPtr&&>::Invoke, gpu::FenceSyncReleaseDelegate*), base::WeakPtr const&, mojo::StructPtr, gpu::FenceSyncReleaseDelegate*>(void (gpu::GpuChannel::*)(mojo::StructPtr, gpu::FenceSyncReleaseDelegate*), base::WeakPtr const&, mojo::StructPtr&&, gpu::FenceSyncReleaseDelegate*&&) gpu_channel.cc
#11 0x5c3a49132979 in base::internal::Invoker, gpu::FenceSyncReleaseDelegate*), base::WeakPtr&&, mojo::StructPtr&&>, base::internal::BindState, gpu::FenceSyncReleaseDelegate*), base::WeakPtr, mojo::StructPtr>, void (gpu::FenceSyncReleaseDelegate*)>::RunOnce(base::internal::BindStateBase*, gpu::FenceSyncReleaseDelegate*) gpu_channel.cc
#12 0x5c3a32f1f831 in void base::internal::Invoker&&, gpu::FenceSyncReleaseDelegate*>, base::internal::BindState, base::internal::UnretainedWrapper>, void ()>::RunImpl, std::__Cr::tuple>, 0ul>(base::OnceCallback&&, std::__Cr::tuple>&&, std::__Cr::integer_sequence) task_graph.cc
#13 0x5c3a32ef3f77 in gpu::Scheduler::ExecuteSequence(base::IdType) scheduler.cc
#14 0x5c3a32ef1fa8 in gpu::Scheduler::RunNextTask() scheduler.cc
#15 0x5c3a32ef5b91 in base::internal::Invoker, base::internal::BindState>, void ()>::RunOnce(base::internal::BindStateBase*) scheduler.cc
#16 0x5c3a3f89be16 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) task_annotator.cc
#17 0x5c3a3f913257 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) thread_controller_with_message_pump_impl.cc
#18 0x5c3a3f91212a in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() thread_controller_with_message_pump_impl.cc
#19 0x5c3a3f75c6e9 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) message_pump_default.cc
#20 0x5c3a3f914947 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) thread_controller_with_message_pump_impl.cc
#21 0x5c3a3f8170f0 in base::RunLoop::Run(base::Location const&) run_loop.cc
#22 0x5c3a4b4f979c in content::GpuMain(content::MainFunctionParams) gpu_main.cc
#23 0x5c3a3b59708f in content::RunZygote(content::ContentMainDelegate*) content_main_runner_impl.cc
#24 0x5c3a3b5983a0 in content::RunOtherNamedProcessTypeMain(std::__Cr::basic_string, std::__Cr::allocator> const&, content::MainFunctionParams, content::ContentMainDelegate*) content_main_runner_impl.cc
#25 0x5c3a3b59afc8 in content::ContentMainRunnerImpl::Run() content_main_runner_impl.cc
#26 0x5c3a3b594aa1 in content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) content_main.cc
#27 0x5c3a3b59509c in content::ContentMain(content::ContentMainParams) content_main.cc
#28 0x5c3a28461289 in ChromeMain (/home/anansi/myspace/google/chrome/chromium/src/out/release/chrome+0x10749289) (BuildId: 95e169161bdcaa2a)
#29 0x7aaa5bc2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 (chrome) here:
#0 0x5c3a2845fb4d in operator new(unsigned long) (/home/anansi/myspace/google/chrome/chromium/src/out/release/chrome+0x10747b4d) (BuildId: 95e169161bdcaa2a)
#1 0x5c3a49a29fe6 in dawn::wire::server::KnownObjectsBase::Allocate(dawn::wire::server::Reserved*, dawn::wire::ObjectHandle, dawn::wire::server::AllocationState) ServerAdapter.cpp
#2 0x5c3a49a28a46 in dawn::wire::server::Server::DoAdapterRequestDevice(dawn::wire::server::Known, dawn::wire::ObjectHandle, WGPUFuture, dawn::wire::ObjectHandle, WGPUFuture, WGPUDeviceDescriptor const*) ServerAdapter.cpp
#3 0x5c3a49a15275 in dawn::wire::server::Server::HandleAdapterRequestDevice(dawn::wire::DeserializeBuffer*) ServerHandlers_autogen.cpp
#4 0x5c3a49a1f748 in dawn::wire::server::Server::HandleCommands(char const volatile*, unsigned long) ServerHandlers_autogen.cpp
#5 0x5c3a499db517 in gpu::webgpu::(anonymous namespace)::DawnWireServer::HandleCommands(char const volatile*, unsigned long) webgpu_decoder_impl.cc
#6 0x5c3a499db98d in gpu::webgpu::(anonymous namespace)::WebGPUDecoderImpl::HandleDawnCommands(unsigned int, void const volatile*) webgpu_decoder_impl.cc
#7 0x5c3a499cf882 in gpu::webgpu::(anonymous namespace)::WebGPUDecoderImpl::DoCommands(unsigned int, void const volatile*, int, int*) webgpu_decoder_impl.cc
#8 0x5c3a32edce84 in gpu::CommandBufferService::Flush(int, gpu::AsyncAPIInterface*) command_buffer_service.cc
#9 0x5c3a491024ab in gpu::CommandBufferStub::OnAsyncFlush(int, unsigned int, std::__Cr::vector> const&) command_buffer_stub.cc
#10 0x5c3a49101711 in gpu::CommandBufferStub::ExecuteDeferredRequest(gpu::mojom::DeferredCommandBufferRequestParams&, gpu::FenceSyncReleaseDelegate*) command_buffer_stub.cc
#11 0x5c3a4912483c in gpu::GpuChannel::ExecuteDeferredRequest(mojo::StructPtr, gpu::FenceSyncReleaseDelegate*) gpu_channel.cc
#12 0x5c3a49132b97 in void base::internal::DecayedFunctorTraits, gpu::FenceSyncReleaseDelegate*), base::WeakPtr&&, mojo::StructPtr&&>::Invoke, gpu::FenceSyncReleaseDelegate*), base::WeakPtr const&, mojo::StructPtr, gpu::FenceSyncReleaseDelegate*>(void (gpu::GpuChannel::*)(mojo::StructPtr, gpu::FenceSyncReleaseDelegate*), base::WeakPtr const&, mojo::StructPtr&&, gpu::FenceSyncReleaseDelegate*&&) gpu_channel.cc
#13 0x5c3a49132979 in base::internal::Invoker, gpu::FenceSyncReleaseDelegate*), base::WeakPtr&&, mojo::StructPtr&&>, base::internal::BindState, gpu::FenceSyncReleaseDelegate*), base::WeakPtr, mojo::StructPtr>, void (gpu::FenceSyncReleaseDelegate*)>::RunOnce(base::internal::BindStateBase*, gpu::FenceSyncReleaseDelegate*) gpu_channel.cc
#14 0x5c3a32f1f831 in void base::internal::Invoker&&, gpu::FenceSyncReleaseDelegate*>, base::internal::BindState, base::internal::UnretainedWrapper>, void ()>::RunImpl, std::__Cr::tuple>, 0ul>(base::OnceCallback&&, std::__Cr::tuple>&&, std::__Cr::integer_sequence) task_graph.cc
#15 0x5c3a32ef3f77 in gpu::Scheduler::ExecuteSequence(base::IdType) scheduler.cc
#16 0x5c3a32ef1fa8 in gpu::Scheduler::RunNextTask() scheduler.cc
#17 0x5c3a32ef5b91 in base::internal::Invoker, base::internal::BindState>, void ()>::RunOnce(base::internal::BindStateBase*) scheduler.cc
#18 0x5c3a3f89be16 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) task_annotator.cc
#19 0x5c3a3f913257 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) thread_controller_with_message_pump_impl.cc
#20 0x5c3a3f91212a in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() thread_controller_with_message_pump_impl.cc
#21 0x5c3a3f75c6e9 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) message_pump_default.cc
#22 0x5c3a3f914947 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) thread_controller_with_message_pump_impl.cc
#23 0x5c3a3f8170f0 in base::RunLoop::Run(base::Location const&) run_loop.cc
#24 0x5c3a4b4f979c in content::GpuMain(content::MainFunctionParams) gpu_main.cc
#25 0x5c3a3b59708f in content::RunZygote(content::ContentMainDelegate*) content_main_runner_impl.cc
#26 0x5c3a3b5983a0 in content::RunOtherNamedProcessTypeMain(std::__Cr::basic_string, std::__Cr::allocator> const&, content::MainFunctionParams, content::ContentMainDelegate*) content_main_runner_impl.cc
#27 0x5c3a3b59afc8 in content::ContentMainRunnerImpl::Run() content_main_runner_impl.cc
#28 0x5c3a3b594aa1 in content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) content_main.cc
#29 0x5c3a3b59509c in content::ContentMain(content::ContentMainParams) content_main.cc
SUMMARY: AddressSanitizer: heap-use-after-free ServerAdapter.cpp in dawn::wire::server::Server::DoAdapterRequestDevice(dawn::wire::server::Known, dawn::wire::ObjectHandle, WGPUFuture, dawn::wire::ObjectHandle, WGPUFuture, WGPUDeviceDescriptor const*)::$_0::__invoke(WGPUDeviceImpl* const*, WGPUErrorType, WGPUStringView, void*, void*)
Shadow bytes around the buggy address:
0x76ca5a134f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x76ca5a134f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x76ca5a135000: f7 fa fd fa f7 fa fd fa f7 fa fd fd f7 fa fd fa
0x76ca5a135080: f7 fa fd fa f7 fa fd fa f7 fa 00 04 f7 fa 00 04
0x76ca5a135100: f7 fa fd fa f7 fa fd fa f7 fa fd fa f7 fa fd fa
=>0x76ca5a135180: f7 fa fd fa f7 fa 00 00 f7 fa[fd]fd f7 fa fd fa
0x76ca5a135200: f7 fa fd fa f7 fa fd fa f7 fa fd fd f7 fa fd fd
0x76ca5a135280: f7 fa fd fd f7 fa fd fa f7 fa fd fd f7 fa 00 00
0x76ca5a135300: f7 fa fd fa f7 fa fd fd f7 fa 00 04 f7 fa 00 fa
0x76ca5a135380: f7 fa fd fd f7 fa fd fd f7 fa 00 00 f7 fa 00 fa
0x76ca5a135400: f7 fa 00 fa f7 fa 00 fa f7 fa fd fd f7 fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1780424==ADDITIONAL INFO
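As an added triage helper (my own code, not part of this repository or of Chromium), the script below parses the report above: it extracts the error kind, the faulting access, the first non-allocator frame of the free and allocation stacks, and then cross-checks the verdict against the shadow byte that covers the faulting address, using the legend printed in the report itself. It relies on two properties visible in the dump: each shadow byte covers 8 application bytes, and the row labels in this dump are application addresses (16 shadow bytes, i.e. 128 application bytes, per row), so the bracketed `fd` in the `=>` row sits exactly 0x50 bytes past the row start, at 0x76ca5a1351d0. The embedded sample is an excerpt of the log above with the long frame lines abbreviated; `EXPECTED_SHADOW` is my own minimal mapping, not an ASan data structure.

```python
import re

# Excerpt of the ASan report from this README (constructed sample input: frame
# lines shortened with "...", binary paths abbreviated, legend trimmed).
SAMPLE_REPORT = """\
=================================================================
==1780424==ERROR: AddressSanitizer: heap-use-after-free on address 0x76ca5a1351d0 at pc 0x5c3a49a29eea bp 0x7ffc5ece7110 sp 0x7ffc5ece7108
READ of size 8 at 0x76ca5a1351d0 thread T0 (chrome)
    #0 0x5c3a49a29ee9 in dawn::wire::server::Server::DoAdapterRequestDevice(...)::$_0::__invoke(...) ServerAdapter.cpp
    #1 0x5c3a2b68ef0b in dawn::native::DeviceBase::HandleError(...) Device.cpp
0x76ca5a1351d0 is located 0 bytes inside of 16-byte region [0x76ca5a1351d0,0x76ca5a1351e0)
freed by thread T0 (chrome) here:
    #0 0x5c3a28460752 in operator delete(void*, unsigned long) (chrome+0x10748752) (BuildId: 95e169161bdcaa2a)
    #1 0x5c3a49a3066d in dawn::wire::server::Server::DoUnregisterObject(dawn::wire::ObjectType, unsigned int) ServerDoers_autogen.cpp
previously allocated by thread T0 (chrome) here:
    #0 0x5c3a2845fb4d in operator new(unsigned long) (chrome+0x10747b4d) (BuildId: 95e169161bdcaa2a)
    #1 0x5c3a49a29fe6 in dawn::wire::server::KnownObjectsBase::Allocate(...) ServerAdapter.cpp
Shadow bytes around the buggy address:
  0x76ca5a135100: f7 fa fd fa f7 fa fd fa f7 fa fd fa f7 fa fd fa
=>0x76ca5a135180: f7 fa fd fa f7 fa 00 00 f7 fa[fd]fd f7 fa fd fa
  0x76ca5a135200: f7 fa fd fa f7 fa fd fa f7 fa fd fd f7 fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Poisoned by user:        f7
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (.+?) (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+)$")
SHADOW_RE = re.compile(r"^(=>)?(0x[0-9a-f]+):(.*)$")
LEGEND_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+((?:[0-9a-f]{2}\s*)+)$")

# Allocator/interceptor frames that sit on top of every free/alloc stack.
ALLOCATOR_PREFIXES = ("operator new", "operator delete", "malloc", "free", "__interceptor_")
# Assumption (mine): which shadow state each error kind should land on.
EXPECTED_SHADOW = {"heap-use-after-free": "Freed heap region",
                   "heap-buffer-overflow": "Heap left redzone"}


def parse_asan_report(text):
    """Split an ASan report into verdict, access, region, stacks, shadow rows and legend."""
    report = {"kind": None, "address": None, "access": None, "region": None,
              "stacks": {"access": [], "freed": [], "allocated": []},
              "shadow_rows": {}, "legend": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.search(line)):
            report["kind"], report["address"] = m.group(1), int(m.group(2), 16)
        elif (m := ACCESS_RE.match(line)):
            report["access"] = {"op": m.group(1), "size": int(m.group(2)), "thread": m.group(4)}
            section = "access"                      # frames that follow are the faulting stack
        elif (m := REGION_RE.search(line)):
            report["region"] = {"offset": int(m.group(1)), "relation": m.group(2),
                                "size": int(m.group(3)), "start": int(m.group(4), 16),
                                "end": int(m.group(5), 16)}
        elif line.startswith("freed by thread"):
            section = "freed"
        elif line.startswith("previously allocated by thread"):
            section = "allocated"
        elif line.startswith("Shadow bytes around"):
            section = "shadow"
        elif line.startswith("Shadow byte legend"):
            section = "legend"
        elif section in report["stacks"] and (m := FRAME_RE.match(line)):
            report["stacks"][section].append(m.group(2))
        elif section == "shadow" and (m := SHADOW_RE.match(line)):
            # "[fd]" marks the buggy byte; findall ignores the brackets.
            report["shadow_rows"][int(m.group(2), 16)] = re.findall(r"[0-9a-f]{2}", m.group(3))
        elif section == "legend" and (m := LEGEND_RE.match(line)):
            for byte in m.group(2).split():
                report["legend"][byte] = m.group(1)
    return report


def shadow_state(report, address=None):
    """Return (shadow byte, legend name) for the shadow byte covering `address`."""
    address = report["address"] if address is None else address
    for row_start, cells in report["shadow_rows"].items():
        offset = address - row_start
        if 0 <= offset < 8 * len(cells):            # one shadow byte per 8 app bytes
            byte = cells[offset // 8]
            return byte, report["legend"].get(byte, "unknown")
    return None, "not in dump"


def first_app_frame(frames):
    """First frame below the allocator/interceptor layer, i.e. the real free/alloc site."""
    return next((f for f in frames if not f.startswith(ALLOCATOR_PREFIXES)), None)


def triage(report):
    """One-screen summary plus a consistency check of verdict vs. shadow state."""
    byte, state = shadow_state(report)
    acc = report["access"]
    return {"kind": report["kind"],
            "access": f"{acc['op']} of {acc['size']} bytes on {acc['thread']}",
            "faulting_frame": report["stacks"]["access"][0] if report["stacks"]["access"] else None,
            "free_site": first_app_frame(report["stacks"]["freed"]),
            "alloc_site": first_app_frame(report["stacks"]["allocated"]),
            "shadow": f"{byte} ({state})",
            "consistent": EXPECTED_SHADOW.get(report["kind"]) == state}


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:15} {value}")
```

For this report the shadow byte at 0x76ca5a1351d0 is `fd` (Freed heap region), consistent with the heap-use-after-free verdict; the triage output names the read in the `DoAdapterRequestDevice` callback, the free in `Server::DoUnregisterObject`, and the allocation in `KnownObjectsBase::Allocate` called from `DoAdapterRequestDevice`, which is the trio a reviewer wants before reading the wire-server code.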
## Usage
1. In the `third_party/dawn` directory, apply the patch files.
2. Open `/poc.html` in the built browser (`chrome /poc.html`).
## In Chrome stable
In a stable Chromium build, applying the patches directly may not be feasible or desirable. Instead, the patch logic can be rewritten as hook functions that intercept and modify the relevant processing functions at runtime.