Issue 177410

Issue metadata

Status: Fixed
Closed: Feb 2013
OS: All
Pri: 1
Type: Bug-Security

Heap-use-after-free in extensions::BookmarksIOFunction::ShowSelectFileDialog

Reported by infe...@chromium.org (Project Member), Feb 21 2013

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=166604321

Fuzzer: Meacer_extension_apis

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x602a00016068
Crash State:
  - crash stack -
  extensions::BookmarksIOFunction::ShowSelectFileDialog
  MessageLoop::RunTask
  - free stack -
  ExtensionProcessManager::CloseBackgroundHost
  ExtensionProcessManager::Observe
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=166461:166515

Minimized Testcase (3.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bdYyCqJEBgM4-BeFlaMQVGkmxUXfzs7N7NHY0zkJJ9gr5orxzuJqHsFypw_Bf9bygorkz4O5A-XB6FrG8vZCPB7Kj0PgJQsUO8ZDjp2j8c1TMEVLl27i1tfbSRFve8FZr6wwT30bPzDyPPvaxRdVtcWtpE86g7_mocbhkRu3340FrMVo
 
Labels: Feature-Extensions
Owner: erikkay@chromium.org
Status: Assigned
Owner: mpcomplete@chromium.org
Matt, could you please find an owner?
The bookmarks API is not properly NULL-checking its ExtensionFunction::dispatcher() in an async function.

Comment 4 by meacer@google.com, Feb 21 2013

I figured the ClusterFuzz minimized testcase is still a bit too long, so I manually minimized it (in background.js):

chrome.bookmarks.export(        // async: the select-file dialog is shown from a later task
  function() {
    chrome.runtime.reload();    // closes the background host (the free stack above)
});

This should crash on null pointer.
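The two stacks in the report describe a lifetime race: the background host (and with it the dispatcher) is freed in CloseBackgroundHost, and only afterwards does the message loop run the task that calls ShowSelectFileDialog, which dereferences the stale dispatcher pointer. The following C++ model is an added illustration, not Chromium's code or the actual fix in r184586; every type in it (Dispatcher, MessageLoop, BackgroundHost, BookmarksIOFunction, DialogResult, Replay) is a hypothetical stand-in named after the frames in the stacks. It replays both orderings from Comment 4 (export then reload, and a plain export) against the checked form of the async continuation, where the dispatcher is reached only through a weak reference that is tested when the task actually runs.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <queue>
#include <utility>

// All types here are hypothetical stand-ins (added illustration, not Chromium
// code) for the objects named in the crash and free stacks of this report.

// Stand-in for the dispatcher owned by the extension's background host.
struct Dispatcher {
  int dialogs_shown = 0;
};

// Stand-in for MessageLoop: posted tasks run later, in order, on this thread.
class MessageLoop {
 public:
  void PostTask(std::function<void()> task) { tasks_.push(std::move(task)); }
  void RunUntilIdle() {
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop();
      task();  // the MessageLoop::RunTask frame in the crash stack
    }
  }
 private:
  std::queue<std::function<void()>> tasks_;
};

// Stand-in for the background host. Close() destroys the dispatcher, which is
// the effect of ExtensionProcessManager::CloseBackgroundHost in the free stack.
class BackgroundHost {
 public:
  BackgroundHost() : dispatcher_(std::make_shared<Dispatcher>()) {}
  std::weak_ptr<Dispatcher> dispatcher_weak() const { return dispatcher_; }
  int dialogs_shown() const { return dispatcher_ ? dispatcher_->dialogs_shown : 0; }
  void Close() { dispatcher_.reset(); }
 private:
  std::shared_ptr<Dispatcher> dispatcher_;
};

enum class DialogResult { kNotRun, kShown, kDispatcherGone };

// Stand-in for BookmarksIOFunction. It never owns the dispatcher; whether the
// owner is still alive is decided when the posted task runs, not when posted.
class BookmarksIOFunction
    : public std::enable_shared_from_this<BookmarksIOFunction> {
 public:
  explicit BookmarksIOFunction(std::weak_ptr<Dispatcher> d)
      : dispatcher_(std::move(d)) {}

  // Schedules the file dialog for a later task, as the async export does.
  void RunAsync(MessageLoop* loop) {
    std::shared_ptr<BookmarksIOFunction> self = shared_from_this();
    loop->PostTask([self] { self->last_result_ = self->ShowSelectFileDialog(); });
  }
  DialogResult last_result() const { return last_result_; }

 private:
  // Checked form. The unchecked form this report describes takes the raw
  // pointer from dispatcher() and uses it without a NULL test, so if the host
  // was closed in between it reads freed memory (the READ 8 ASan reports).
  DialogResult ShowSelectFileDialog() {
    std::shared_ptr<Dispatcher> d = dispatcher_.lock();
    if (!d) return DialogResult::kDispatcherGone;  // host was torn down first
    d->dialogs_shown++;  // stands in for actually showing the dialog
    return DialogResult::kShown;
  }
  std::weak_ptr<Dispatcher> dispatcher_;
  DialogResult last_result_ = DialogResult::kNotRun;
};

struct Replay {
  DialogResult result;
  int dialogs_shown;
};

// Orders events as in the stacks: the dispatcher is freed before the
// ShowSelectFileDialog task runs (export, then reload, then the loop).
Replay ReplayReloadDuringExport() {
  MessageLoop loop;
  BackgroundHost host;
  auto fn = std::make_shared<BookmarksIOFunction>(host.dispatcher_weak());
  fn->RunAsync(&loop);  // chrome.bookmarks.export(...)
  host.Close();         // chrome.runtime.reload() closes the background host
  loop.RunUntilIdle();  // MessageLoop::RunTask -> ShowSelectFileDialog
  return {fn->last_result(), host.dialogs_shown()};
}

// Benign ordering: the host is still open when the task runs.
Replay ReplayNormalExport() {
  MessageLoop loop;
  BackgroundHost host;
  auto fn = std::make_shared<BookmarksIOFunction>(host.dispatcher_weak());
  fn->RunAsync(&loop);
  loop.RunUntilIdle();
  return {fn->last_result(), host.dialogs_shown()};
}

int main() {
  Replay bad = ReplayReloadDuringExport();
  Replay good = ReplayNormalExport();
  std::printf("reload during export: dispatcher gone=%d dialogs=%d\n",
              bad.result == DialogResult::kDispatcherGone, bad.dialogs_shown);
  std::printf("normal export: shown=%d dialogs=%d\n",
              good.result == DialogResult::kShown, good.dialogs_shown);
  return 0;
}
```

The point of the model is the ordering, not the container types: any async extension function that stores a pointer to something the background host owns must re-check that pointer inside the continuation, because the host can be closed (reload, uninstall, crash) between PostTask and RunTask. In the replay of the Comment 4 testcase the continuation sees the dispatcher gone and skips the dialog; in the plain export it shows it once.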

Comment 5 by bugdroid1@chromium.org, Feb 26 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=184586

------------------------------------------------------------------------
r184586 | mpcomplete@chromium.org | 2013-02-26T04:53:04.857629Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/api/bookmarks/bookmarks_api.cc?r1=184586&r2=184585&pathrev=184586

Fix heap-use-after-free in BookmarksIOFunction::ShowSelectFileDialog.

BUG= 177410 


Review URL: https://chromiumcodereview.appspot.com/12326086
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed

Comment 7 by ClusterFuzz, Feb 28 2013

ClusterFuzz has detected this issue as fixed in range 184577:184931.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=166604321

Fuzzer: Meacer_extension_apis

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x602a00016068
Crash State:
  - crash stack -
  extensions::BookmarksIOFunction::ShowSelectFileDialog
  MessageLoop::RunTask
  - free stack -
  ExtensionProcessManager::CloseBackgroundHost
  ExtensionProcessManager::Observe
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=166461:166515
Fixed: https://cluster-fuzz.appspot.com/revisions?range=184577:184931

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97bdYyCqJEBgM4-BeFlaMQVGkmxUXfzs7N7NHY0zkJJ9gr5orxzuJqHsFypw_Bf9bygorkz4O5A-XB6FrG8vZCPB7Kj0PgJQsUO8ZDjp2j8c1TMEVLl27i1tfbSRFve8FZr6wwT30bPzDyPPvaxRdVtcWtpE86g7_mocbhkRu3340FrMVo

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 8 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Type-Security -SecSeverity-Medium -SecImpacts-Beta -Mstone-25 -Stability-AddressSanitizer -Feature-Extensions Cr-Platform-Extensions Performance-Memory-AddressSanitizer Security-Impact-Beta Security-Severity-Medium Cr-Internals M-25 Type-Bug-Security
Labels: -Merge-Approved -M-25 Merge-Merged M-26 Release-0

Comment 10 by bugdroid1@chromium.org, Mar 12 2013

Labels: merge-merged-1410
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=187460

------------------------------------------------------------------------
r187460 | cevans@chromium.org | 2013-03-12T02:34:38.720660Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/extensions/api/bookmarks/bookmarks_api.cc?r1=187460&r2=187459&pathrev=187460

Merge 184586 "Fix heap-use-after-free in BookmarksIOFunction::Sh..."

> Fix heap-use-after-free in BookmarksIOFunction::ShowSelectFileDialog.
> 
> BUG= 177410 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/12326086

TBR=mpcomplete@chromium.org
Review URL: https://codereview.chromium.org/12440034
------------------------------------------------------------------------

Comment 11 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 12 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Labels: CVE-2013-0920

Comment 14 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.


Comment 16 by sheriffbot@chromium.org, Jun 14 2016

Labels: -release-0
This bug is a regression and does not impact stable. Removing incorrectly added Release- labels.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted