
Issue 123530 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


Heap-use-after-free in AutocompleteMatch::AutocompleteMatch

Reported by ax3...@gmail.com, Apr 15 2012

Issue description

VULNERABILITY DETAILS
A heap-use-after-free happens during the address bar autocomplete process.

VERSION
Version 20.0.1091.0 (130353) Ubuntu 10.10

REPRODUCTION CASE
Can't provide any testcase; the crash happened while I was trying to append some data in the address bar to an existing link. The browser was a little bit frozen while I was trying to type in the URL.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
This is a browser crash with the following ASan log.
=================================================================
==5851== ERROR: AddressSanitizer heap-use-after-free on address 0x7ff9c161df80 at pc 0x7ffa67e5d85e bp 0x7fff44172cd0 sp 0x7fff44172cc8
READ of size 1 at 0x7ff9c161df80 thread T0
    #0 0x7ffa67e5d85e in AutocompleteMatch::ACMatchClassification* std::__uninitialized_copy<false>::uninitialized_copy<__gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, AutocompleteMatch::ACMatchClassification*>(__gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, AutocompleteMatch::ACMatchClassification*) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_uninitialized.h:75
    #1 0x7ffa67e5da20 in std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> >::vector(std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > const&) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_vector.h:246
    #2 0x7ffa67e5aa36 in AutocompleteMatch::AutocompleteMatch(AutocompleteMatch const&) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_match.cc:69
    #3 0x7ffa6863ee13 in OmniboxPopupViewGtk::AcceptLine(unsigned long, WindowOpenDisposition) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc:487
    #4 0x7ffa6863f991 in OmniboxPopupViewGtk::HandleButtonRelease(_GtkWidget*, _GdkEventButton*) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc:597
    #5 0x7ffa6863c33f in OmniboxPopupViewGtk::HandleButtonReleaseThunk(_GtkWidget*, _GdkEventButton*, void*) /b/build/slave/ASAN_Release__symbolized_/build/./chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h:98
    #6 0x7ffa64e3c9d8 in _gtk_marshal_BOOLEAN__BOXED /build/buildd/gtk+2.0-2.22.0/gtk/gtkmarshalers.c:90
0x7ff9c161df80 is located 0 bytes inside of 32-byte region [0x7ff9c161df80,0x7ff9c161dfa0)
freed by thread T0 here:
    #0 0x7ffa6dac2312 in operator delete(void*) ??:0
    #1 0x7ffa67e5ae75 in AutocompleteMatch::~AutocompleteMatch() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_match.cc:75
    #2 0x7ffa67e4b518 in void std::_Destroy_aux<false>::__destroy<AutocompleteMatch*>(AutocompleteMatch*, AutocompleteMatch*) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_construct.h:92
    #3 0x7ffa67e4b7f9 in std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> >::_M_erase_at_end(AutocompleteMatch*) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_vector.h:1151
    #4 0x7ffa67e431c4 in AutocompleteResult::Reset() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:759
    #5 0x7ffa67e44c59 in AutocompleteController::Stop(bool) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:946
    #6 0x7ffa67cb0d16 in OmniboxViewGtk::HandleViewFocusOut(_GtkWidget*, _GdkEventFocus*) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:1211
    #7 0x7ffa67ca9632 in OmniboxViewGtk::HandleViewFocusOutThunk(_GtkWidget*, _GdkEventFocus*, void*) /b/build/slave/ASAN_Release__symbolized_/build/./chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.h:178
    #8 0x7ffa64e3c9d8 in _gtk_marshal_BOOLEAN__BOXED /build/buildd/gtk+2.0-2.22.0/gtk/gtkmarshalers.c:90
previously allocated by thread T0 here:
    #0 0x7ffa6dac2192 in operator new(unsigned long) ??:0
    #1 0x7ffa67e5d0d5 in AutocompleteMatch::ACMatchClassification* std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> >::_M_allocate_and_copy<__gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > > >(unsigned long, __gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_vector.h:963
    #2 0x7ffa67e5b441 in std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> >::operator=(std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > const&) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/vector.tcc:165
    #3 0x7ffa67e5b03f in AutocompleteMatch::operator=(AutocompleteMatch const&) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_match.cc:91
    #4 0x7ffa67e4e494 in void std::__insertion_sort<__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)>(__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_algo.h:2131
    #5 0x7ffa67e4e17b in void std::__final_insertion_sort<__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)>(__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_algo.h:2199
    #6 0x7ffa67e42762 in void std::sort<__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)>(__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_algo.h:5262
    #7 0x7ffa67e4117d in AutocompleteResult::SortAndCull(AutocompleteInput const&) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:697
    #8 0x7ffa67e45be4 in AutocompleteController::UpdateResult(bool) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:995
    #9 0x7ffa67e452c4 in AutocompleteController::Start(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, bool, bool, bool, AutocompleteInput::MatchesRequested) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:930
    #10 0x7ffa67e55b28 in AutocompleteEditModel::StartAutocomplete(bool, bool) const /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_edit.cc:435
    #11 0x7ffa67cac7ae in OmniboxViewGtk::UpdatePopup() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:602
    #12 0x7ffa67e59272 in AutocompleteEditModel::OnAfterPossibleChange(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, unsigned long, unsigned long, bool, bool, bool, bool) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_edit.cc:880
    #13 0x7ffa67cad389 in OmniboxViewGtk::OnAfterPossibleChange() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:715
    #14 0x7ffa67cafcce in OmniboxViewGtk::HandleKeyPress(_GtkWidget*, _GdkEventKey*) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:1060
    #15 0x7ffa64e3c9d8 in _gtk_marshal_BOOLEAN__BOXED /build/buildd/gtk+2.0-2.22.0/gtk/gtkmarshalers.c:90
==5851== ABORTING
Stats: 5437M malloced (12622M for red zones) by 51749084 calls
Stats: 905M realloced by 2819956 calls
Stats: 5088M freed by 45501300 calls
Stats: 5043M really freed by 44457223 calls
Stats: 2592M (663636 full pages) mmaped in 622 calls
  mmaps   by size class: 8:7634478; 9:450505; 10:36855; 11:16376; 12:12288; 13:15872; 14:1280; 15:384; 16:320; 17:128; 18:64; 19:32; 20:16; 21:14; 22:1; 23:1; 24:1; 25:1; 26:1;
  mallocs by size class: 8:46158491; 9:3857477; 10:687523; 11:494869; 12:422185; 13:104464; 14:16957; 15:5996; 16:562; 17:352; 18:114; 19:44; 20:24; 21:19; 22:2; 23:1; 24:1; 25:2; 26:1;
  frees   by size class: 8:40298715; 9:3488357; 10:678014; 11:493227; 12:421632; 13:97443; 14:16875; 15:5963; 16:531; 17:342; 18:109; 19:43; 20:23; 21:19; 22:2; 23:1; 24:1; 25:2; 26:1;
  rfrees  by size class: 8:39260075; 9:3485325; 10:676156; 11:492915; 12:421444; 13:97430; 14:16868; 15:5951; 16:526; 17:337; 18:107; 19:42; 20:22; 21:18; 22:2; 23:1; 24:1; 25:2; 26:1;
Stats: malloc large: 560 small slow: 142270
Shadow byte and word:
  0x1fff382c3bf0: fd
  0x1fff382c3bf0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fff382c3bd0: fd fd fd fd fd fd fd fd
  0x1fff382c3bd8: fd fd fd fd fd fd fd fd
  0x1fff382c3be0: fa fa fa fa fa fa fa fa
  0x1fff382c3be8: fa fa fa fa fa fa fa fa
=>0x1fff382c3bf0: fd fd fd fd fd fd fd fd
  0x1fff382c3bf8: fd fd fd fd fd fd fd fd
  0x1fff382c3c00: fa fa fa fa fa fa fa fa
  0x1fff382c3c08: fa fa fa fa fa fa fa fa
  0x1fff382c3c10: fd fd fd fd fd fd fd fd

Comment 1 by ax3...@gmail.com, Apr 15 2012

If I get to know the steps that reproduce the crash, they will be reported. Hope that at least the ASan log can give some clue.
Owner: isherman@chromium.org
Status: Assigned
Labels: -Area-Undefined Area-UI Feature-Omnibox
Owner: pkasting@chromium.org
Owner: e...@chromium.org
This is the GTK popup code

Comment 5 by bugdroid1@chromium.org, Apr 17 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=132498

------------------------------------------------------------------------
r132498 | erg@chromium.org | Mon Apr 16 17:57:30 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h?r1=132498&r2=132497&pathrev=132498
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc?r1=132498&r2=132497&pathrev=132498

GTK: Stop listening to gtk signals in the omnibox before destroying the model.

BUG= 123530 
TEST=none


Review URL: http://codereview.chromium.org/10103012
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam -Pri-0 Restrict-View-SecurityNotify Pri-1 SecSeverity-Low OS-All Mstone-18 SecImpacts-Stable SecImpacts-Beta Merge-Approved
Status: FixUnreleased
Labels: reward-topanel

Comment 8 by jsc...@chromium.org, Apr 17 2012

Labels: -OS-All OS-Linux
Labels: -Mstone-18 -Merge-Approved -reward-topanel Mstone-19 Merge-Merged
M19: r134517

Comment 10 by bugdroid1@chromium.org, Apr 30 2012

Labels: merge-merged-1084
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=134517

------------------------------------------------------------------------
r134517 | cevans@chromium.org | Mon Apr 30 02:02:13 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h?r1=134517&r2=134516&pathrev=134517
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc?r1=134517&r2=134516&pathrev=134517

Merge 132498 - GTK: Stop listening to gtk signals in the omnibox before destroying the model.

BUG= 123530 
TEST=none


Review URL: http://codereview.chromium.org/10103012

TBR=erg@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10269005
------------------------------------------------------------------------
Labels: CVE-2011-3096

Comment 12 by cdn@chromium.org, May 15 2012

Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.

Comment 13 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 14 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-UI -Feature-Omnibox -SecSeverity-Low -Mstone-19 -SecImpacts-Stable -SecImpacts-Beta Security-Severity-Low Security-Impact-Stable Security-Impact-Beta Cr-UI M-19 Cr-UI-Browser-Omnibox Type-Bug-Security

Comment 15 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 16 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 21 by bugdroid1@chromium.org, Aug 26 2013

------------------------------------------------------------------------
r219636 | estade@chromium.org | 2013-08-26T23:14:49.232298Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc?r1=219636&r2=219635&pathrev=219636
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h?r1=219636&r2=219635&pathrev=219636

gtk: Fix use after free

This undoes r132498, which I'm pretty sure was barking up the wrong tree.

The issue in the bug is that the model is cleared and the popup is /hidden/ (not destroyed), but still has events queued up. LineFromY does attempt to sanitize the result (in case the model has changed without the UI having a chance to catch up), but doesn't handle an empty model.

BUG= 123530 

Review URL: https://chromiumcodereview.appspot.com/23257002
------------------------------------------------------------------------
> This undoes r132498, which I'm pretty sure was barking up the wrong tree.

Perhaps you want to re-open this bug then?


Comment 23 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
