Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


Issue 123530: Heap-use-after-free in AutocompleteMatch::AutocompleteMatch

Reported by ax3...@gmail.com, Apr 15 2012

Issue description

VULNERABILITY DETAILS
Heap-use-after-free happens during address bar autocomplete process.

VERSION
Version 20.0.1091.0 (130353) Ubuntu 10.10

REPRODUCTION CASE
Can't provide any testcase; the crash happened while trying to append some data in the address bar to an existing link. The browser was a little bit frozen while I was trying to type in the URL.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
This is a browser crash with the following ASan log.
=================================================================
==5851== ERROR: AddressSanitizer heap-use-after-free on address 0x7ff9c161df80 at pc 0x7ffa67e5d85e bp 0x7fff44172cd0 sp 0x7fff44172cc8
READ of size 1 at 0x7ff9c161df80 thread T0
    #0 0x7ffa67e5d85e in AutocompleteMatch::ACMatchClassification* std::__uninitialized_copy<false>::uninitialized_copy<__gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, AutocompleteMatch::ACMatchClassification*>(__gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, AutocompleteMatch::ACMatchClassification*) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_uninitialized.h:75
    #1 0x7ffa67e5da20 in std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> >::vector(std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > const&) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_vector.h:246
    #2 0x7ffa67e5aa36 in AutocompleteMatch::AutocompleteMatch(AutocompleteMatch const&) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_match.cc:69
    #3 0x7ffa6863ee13 in OmniboxPopupViewGtk::AcceptLine(unsigned long, WindowOpenDisposition) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc:487
    #4 0x7ffa6863f991 in OmniboxPopupViewGtk::HandleButtonRelease(_GtkWidget*, _GdkEventButton*) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc:597
    #5 0x7ffa6863c33f in OmniboxPopupViewGtk::HandleButtonReleaseThunk(_GtkWidget*, _GdkEventButton*, void*) /b/build/slave/ASAN_Release__symbolized_/build/./chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h:98
    #6 0x7ffa64e3c9d8 in _gtk_marshal_BOOLEAN__BOXED /build/buildd/gtk+2.0-2.22.0/gtk/gtkmarshalers.c:90
0x7ff9c161df80 is located 0 bytes inside of 32-byte region [0x7ff9c161df80,0x7ff9c161dfa0)
freed by thread T0 here:
    #0 0x7ffa6dac2312 in operator delete(void*) ??:0
    #1 0x7ffa67e5ae75 in AutocompleteMatch::~AutocompleteMatch() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_match.cc:75
    #2 0x7ffa67e4b518 in void std::_Destroy_aux<false>::__destroy<AutocompleteMatch*>(AutocompleteMatch*, AutocompleteMatch*) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_construct.h:92
    #3 0x7ffa67e4b7f9 in std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> >::_M_erase_at_end(AutocompleteMatch*) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_vector.h:1151
    #4 0x7ffa67e431c4 in AutocompleteResult::Reset() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:759
    #5 0x7ffa67e44c59 in AutocompleteController::Stop(bool) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:946
    #6 0x7ffa67cb0d16 in OmniboxViewGtk::HandleViewFocusOut(_GtkWidget*, _GdkEventFocus*) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:1211
    #7 0x7ffa67ca9632 in OmniboxViewGtk::HandleViewFocusOutThunk(_GtkWidget*, _GdkEventFocus*, void*) /b/build/slave/ASAN_Release__symbolized_/build/./chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.h:178
    #8 0x7ffa64e3c9d8 in _gtk_marshal_BOOLEAN__BOXED /build/buildd/gtk+2.0-2.22.0/gtk/gtkmarshalers.c:90
previously allocated by thread T0 here:
    #0 0x7ffa6dac2192 in operator new(unsigned long) ??:0
    #1 0x7ffa67e5d0d5 in AutocompleteMatch::ACMatchClassification* std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> >::_M_allocate_and_copy<__gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > > >(unsigned long, __gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch::ACMatchClassification const*, std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > >) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_vector.h:963
    #2 0x7ffa67e5b441 in std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> >::operator=(std::vector<AutocompleteMatch::ACMatchClassification, std::allocator<AutocompleteMatch::ACMatchClassification> > const&) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/vector.tcc:165
    #3 0x7ffa67e5b03f in AutocompleteMatch::operator=(AutocompleteMatch const&) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_match.cc:91
    #4 0x7ffa67e4e494 in void std::__insertion_sort<__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)>(__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_algo.h:2131
    #5 0x7ffa67e4e17b in void std::__final_insertion_sort<__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)>(__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_algo.h:2199
    #6 0x7ffa67e42762 in void std::sort<__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)>(__gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, __gnu_cxx::__normal_iterator<AutocompleteMatch*, std::vector<AutocompleteMatch, std::allocator<AutocompleteMatch> > >, bool (*)(AutocompleteMatch const&, AutocompleteMatch const&)) /usr/lib/gcc/x86_64-linux-gnu/4.4/../../../../include/c++/4.4/bits/stl_algo.h:5262
    #7 0x7ffa67e4117d in AutocompleteResult::SortAndCull(AutocompleteInput const&) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:697
    #8 0x7ffa67e45be4 in AutocompleteController::UpdateResult(bool) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:995
    #9 0x7ffa67e452c4 in AutocompleteController::Start(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, bool, bool, bool, AutocompleteInput::MatchesRequested) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete.cc:930
    #10 0x7ffa67e55b28 in AutocompleteEditModel::StartAutocomplete(bool, bool) const /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_edit.cc:435
    #11 0x7ffa67cac7ae in OmniboxViewGtk::UpdatePopup() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:602
    #12 0x7ffa67e59272 in AutocompleteEditModel::OnAfterPossibleChange(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, unsigned long, unsigned long, bool, bool, bool, bool) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/autocomplete/autocomplete_edit.cc:880
    #13 0x7ffa67cad389 in OmniboxViewGtk::OnAfterPossibleChange() /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:715
    #14 0x7ffa67cafcce in OmniboxViewGtk::HandleKeyPress(_GtkWidget*, _GdkEventKey*) /b/build/slave/ASAN_Release__symbolized_/build/chrome/browser/ui/gtk/omnibox/omnibox_view_gtk.cc:1060
    #15 0x7ffa64e3c9d8 in _gtk_marshal_BOOLEAN__BOXED /build/buildd/gtk+2.0-2.22.0/gtk/gtkmarshalers.c:90
==5851== ABORTING
Stats: 5437M malloced (12622M for red zones) by 51749084 calls
Stats: 905M realloced by 2819956 calls
Stats: 5088M freed by 45501300 calls
Stats: 5043M really freed by 44457223 calls
Stats: 2592M (663636 full pages) mmaped in 622 calls
  mmaps   by size class: 8:7634478; 9:450505; 10:36855; 11:16376; 12:12288; 13:15872; 14:1280; 15:384; 16:320; 17:128; 18:64; 19:32; 20:16; 21:14; 22:1; 23:1; 24:1; 25:1; 26:1;
  mallocs by size class: 8:46158491; 9:3857477; 10:687523; 11:494869; 12:422185; 13:104464; 14:16957; 15:5996; 16:562; 17:352; 18:114; 19:44; 20:24; 21:19; 22:2; 23:1; 24:1; 25:2; 26:1;
  frees   by size class: 8:40298715; 9:3488357; 10:678014; 11:493227; 12:421632; 13:97443; 14:16875; 15:5963; 16:531; 17:342; 18:109; 19:43; 20:23; 21:19; 22:2; 23:1; 24:1; 25:2; 26:1;
  rfrees  by size class: 8:39260075; 9:3485325; 10:676156; 11:492915; 12:421444; 13:97430; 14:16868; 15:5951; 16:526; 17:337; 18:107; 19:42; 20:22; 21:18; 22:2; 23:1; 24:1; 25:2; 26:1;
Stats: malloc large: 560 small slow: 142270
Shadow byte and word:
  0x1fff382c3bf0: fd
  0x1fff382c3bf0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fff382c3bd0: fd fd fd fd fd fd fd fd
  0x1fff382c3bd8: fd fd fd fd fd fd fd fd
  0x1fff382c3be0: fa fa fa fa fa fa fa fa
  0x1fff382c3be8: fa fa fa fa fa fa fa fa
=>0x1fff382c3bf0: fd fd fd fd fd fd fd fd
  0x1fff382c3bf8: fd fd fd fd fd fd fd fd
  0x1fff382c3c00: fa fa fa fa fa fa fa fa
  0x1fff382c3c08: fa fa fa fa fa fa fa fa
  0x1fff382c3c10: fd fd fd fd fd fd fd fd
 

Comment 1 by ax3...@gmail.com, Apr 15 2012

If I get to know the steps that reproduce the crash, they will be reported. I hope that at least the ASan log can give some clue.

Comment 2 by infe...@chromium.org, Apr 16 2012

Owner: isherman@chromium.org
Status: Assigned

Comment 3 by isherman@chromium.org, Apr 16 2012

Labels: -Area-Undefined Area-UI Feature-Omnibox
Owner: pkasting@chromium.org

Comment 4 by pkasting@chromium.org, Apr 16 2012

Owner: e...@chromium.org
This is the GTK popup code

Comment 5 by bugdroid1@chromium.org, Apr 17 2012

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=132498

------------------------------------------------------------------------
r132498 | erg@chromium.org | Mon Apr 16 17:57:30 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h?r1=132498&r2=132497&pathrev=132498
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc?r1=132498&r2=132497&pathrev=132498

GTK: Stop listening to gtk signals in the omnibox before destroying the model.

BUG= 123530 
TEST=none


Review URL: http://codereview.chromium.org/10103012
------------------------------------------------------------------------

Comment 6 by infe...@chromium.org, Apr 17 2012

Labels: -Restrict-View-SecurityTeam -Pri-0 Restrict-View-SecurityNotify Pri-1 SecSeverity-Low OS-All Mstone-18 SecImpacts-Stable SecImpacts-Beta Merge-Approved
Status: FixUnreleased

Comment 7 by scarybea...@gmail.com, Apr 17 2012

Labels: reward-topanel

Comment 8 by jsc...@chromium.org, Apr 17 2012

Labels: -OS-All OS-Linux

Comment 9 by scarybea...@gmail.com, Apr 30 2012

Labels: -Mstone-18 -Merge-Approved -reward-topanel Mstone-19 Merge-Merged
M19: r134517

Comment 10 by bugdroid1@chromium.org, Apr 30 2012

Project Member
Labels: merge-merged-1084
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=134517

------------------------------------------------------------------------
r134517 | cevans@chromium.org | Mon Apr 30 02:02:13 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h?r1=134517&r2=134516&pathrev=134517
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc?r1=134517&r2=134516&pathrev=134517

Merge 132498 - GTK: Stop listening to gtk signals in the omnibox before destroying the model.

BUG= 123530 
TEST=none


Review URL: http://codereview.chromium.org/10103012

TBR=erg@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10269005
------------------------------------------------------------------------

Comment 11 by scarybea...@gmail.com, May 14 2012

Labels: CVE-2011-3096

Comment 12 by cdn@chromium.org, May 15 2012

Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.

Comment 13 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 14 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-UI -Feature-Omnibox -SecSeverity-Low -Mstone-19 -SecImpacts-Stable -SecImpacts-Beta Security-Severity-Low Security-Impact-Stable Security-Impact-Beta Cr-UI M-19 Cr-UI-Browser-Omnibox Type-Bug-Security

Comment 15 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 16 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 17 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Low Security_Severity-Low

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 21 by bugdroid1@chromium.org, Aug 26 2013

Project Member
------------------------------------------------------------------------
r219636 | estade@chromium.org | 2013-08-26T23:14:49.232298Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.cc?r1=219636&r2=219635&pathrev=219636
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/omnibox/omnibox_popup_view_gtk.h?r1=219636&r2=219635&pathrev=219636

gtk: Fix use after free

This undoes r132498, which I'm pretty sure was barking up the wrong tree.

The issue in the bug is that the model is cleared and the popup is /hidden/ (not destroyed), but still has events queued up. LineFromY does attempt to sanitize the result (in case the model has changed without the UI having a chance to catch up), but doesn't handle an empty model.

BUG= 123530 

Review URL: https://chromiumcodereview.appspot.com/23257002
------------------------------------------------------------------------
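The failure mode described in r219636 (a clamp that assumes at least one match, applied to an emptied model) as an added illustration. This is not Chromium's code: `Match`, `kLineHeight`, `kNoMatch`, both `LineFromY` variants and `AcceptLine` are constructed stand-ins, and the pre-fix clamp logic is an assumption modelled on the commit description, not the real `LineFromY`.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed stand-in for the popup's model: one entry per visible line.
struct Match { std::string contents; };
constexpr size_t kNoMatch = static_cast<size_t>(-1);
constexpr int kLineHeight = 20;  // assumed pixel height of one popup line

// Assumed pre-fix behaviour: clamp the line to the last model entry. With an
// empty model, size() - 1 wraps to SIZE_MAX, so nothing is clamped and an
// index that looks valid is returned for a model that has no entries.
size_t LineFromYUnsafe(int y, const std::vector<Match>& model) {
  size_t line = static_cast<size_t>(y < 0 ? 0 : y) / kLineHeight;
  size_t last = model.size() - 1;  // wraps when size() == 0
  return line > last ? last : line;
}

// Hardened variant: an empty model has no line to map to, so say so
// explicitly instead of handing the caller an unusable index.
size_t LineFromYSafe(int y, const std::vector<Match>& model) {
  if (model.empty()) return kNoMatch;
  size_t line = static_cast<size_t>(y < 0 ? 0 : y) / kLineHeight;
  size_t last = model.size() - 1;
  return line > last ? last : line;
}

// Stand-in for the button-release path: a queued click arriving after the
// model was reset must be dropped rather than copy a match out of it.
// Returns true only when a valid match was copied into |out|.
bool AcceptLine(int y, const std::vector<Match>& model, Match* out) {
  size_t line = LineFromYSafe(y, model);
  if (line == kNoMatch || line >= model.size()) return false;  // belt and braces
  *out = model[line];  // the copy that, in the report, read freed memory
  return true;
}

// Replays the sequence from the report: focus-out resets the model while a
// click on the (hidden, not destroyed) popup is still queued.
bool QueuedClickAfterResetIsRejected() {
  std::vector<Match> model{{"first"}, {"second"}, {"third"}};
  model.clear();  // AutocompleteResult::Reset() on focus-out
  Match picked;
  return !AcceptLine(30, model, &picked);  // the queued button release
}
```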

Comment 22 by mpear...@chromium.org, Aug 26 2013

> This undoes r132498, which I'm pretty sure was barking up the wrong tree.

Perhaps you want to re-open this bug then?

Comment 23 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 27 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
