Crashpad crash collection is not thread-safe

[stima]

Description

During sentry__crashpad_handler crash_event is not synchronized properly.

When does the problem happen

• During build
• During run-time
• When capturing a hard crash

Environment

• OS: Unrelated
• Compiler: Unrelated
• CMake version and config: Unrelated

Steps To Reproduce

For example sentry_set_tag that executed from one thread and sentry__crashpad_handler that capturing crash in another thread, may lead to a race condition while accessing crash_event variable.

sentry_set_tag call would lead to sentry__scope_flush_unlock call, that would lead to options->backend->flush_scope_func that would lead to crashpad_backend_flush_scope and access to a crash_event that may be freed by that line https://github.com/getsentry/sentry-native/blob/164da7919172b0df9c7b75efbc36e6e897124415/src/backends/sentry_backend_crashpad.cpp#L174C4-L174C4.

[supervacuus]

Thanks for raising this, @stima. I was aware of this but forgot to tackle it. The UAF is an issue but could be easily fixed with an incremented ref-count. The more significant issue is that we could mutate the crash event between two threads and potentially in the signal handler (i.e., the synchronization must be async-safe).

[stima]

@supervacuus, you are welcome, I would agree that second part is more conseptual and actually more general to be it done properly.