Issue metadata

Status: Fixed
Owner:
Closed: Sep 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 270758: Heap-use-after-free in WebCore::HRTFElevation::calculateKernelsForAzimuthElevation

Reported by ClusterFuzz, Aug 9 2013 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6133378520711168

Fuzzer: Attekett_webaudio_fuzzer
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x603000050db0
Crash State:
  - crash stack -
  WTF::HashTableAddResult<WTF::HashTableIterator<WTF::String, WTF::KeyValuePair<WTF::String, WTF::RefP
  WebCore::HRTFElevation::calculateKernelsForAzimuthElevation
  - free stack -
  WTF::HashTableAddResult<WTF::HashTableIterator<WTF::String, WTF::KeyValuePair<WTF::String, WTF::RefP
  WebCore::HRTFElevation::calculateKernelsForAzimuthElevation

Fully reproducible crash found using linux_tsan_chrome_mp job type (history_size=6).

Comment 1 by infe...@chromium.org, Aug 9 2013

Cc: rtoy@chromium.org crogers@chromium.org attek...@gmail.com
Owner: crogers@chromium.org
Status: Assigned
Attachment: fuzz-185.html (91.6 KB)

Comment 2 by infe...@chromium.org, Aug 14 2013

Cc: rogerm@chromium.org sebmarchand@chromium.org
Labels: Syzyasan

Comment 3 by ClusterFuzz, Aug 14 2013

Project Member
Summary: Use-after-free in WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa (was: Heap-use-after-free in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::String, WTF::KeyValuePair<WTF::String, WTF::RefP)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5954860553863168

Fuzzer: Attekett_webaudio_fuzzer
Job Type: Windows_syzyasan_chrome

Crash Type: Use-after-free READ 4
Crash Address: 0x04371b6b
Crash State:
  - crash stack -
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa
  - free stack -
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa

Comment 4 by ClusterFuzz, Aug 14 2013

Project Member
Summary: Heap-buffer-overflow in WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::OwnPtr<WebCore::ScopedPersistent<v8::S (was: Use-after-free in WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6171464344535040

Fuzzer: Attekett_webaudio_fuzzer
Job Type: Windows_syzyasan_chrome

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x04f046a3
Crash State:
  - crash stack -
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::OwnPtr<WebCore::ScopedPersistent<v8::S
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::RefPtr<WebCore::AudioBus> >,WTF::KeyVa

Comment 5 by infe...@chromium.org, Aug 15 2013

Cc: kbr@chromium.org
Labels: ReleaseBlock-Stable M-30
Chris, can you please take a look. This is an important high severity bug that is hitting a lot on the bots. If you are not free, please disable HRTFElevation functionality.

Comment 6 by infe...@chromium.org, Aug 15 2013

Owner: rtoy@chromium.org
Chris is no longer in team. Assigning to Ray for help with triage.

Comment 7 by kareng@google.com, Aug 26 2013

ping?

Comment 8 by jsc...@chromium.org, Aug 27 2013

Labels: Security_Impact-Beta

Comment 9 by rtoy@chromium.org, Aug 29 2013

I cannot reproduce this with my local asan build.  Can someone help me to reproduce this?

Comment 10 by ClusterFuzz, Sep 3 2013

Project Member
Summary: Heap-use-after-free in WebCore::HRTFElevation::calculateKernelsForAzimuthElevation (was: Heap-buffer-overflow in WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WTF::OwnPtr<WebCore::ScopedPersistent<v8::S)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4626741238693888

Fuzzer: Attekett_webaudio_fuzzer
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x606000053f00
Crash State:
  - crash stack -
  WebCore::HRTFElevation::calculateKernelsForAzimuthElevation
  WebCore::HRTFElevation::createForSubject
  - free stack -
  WTF::HashMap<WTF::String, WTF::RefPtr<WebCore::AudioBus>, WTF::StringHash, WTF::HashTraits<WTF::Stri
  WebCore::HRTFElevation::calculateKernelsForAzimuthElevation

Comment 11 by ClusterFuzz, Sep 3 2013

Project Member
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6291334197411840

Fuzzer: Attekett_webaudio_fuzzer
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x606000056f08
Crash State:
  - crash stack -
  WebCore::HRTFElevation::calculateKernelsForAzimuthElevation
  WebCore::HRTFElevation::createForSubject
  - free stack -
  WebCore::AudioBus::create
  WebKit::WebAudioBus::initialize

Fully reproducible crash found using linux_tsan_chrome_mp job type (history_size=6).

Comment 12 by ClusterFuzz, Sep 3 2013

Project Member
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5531180283723776

Fuzzer: Attekett_webaudio_fuzzer
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x6060000554c0
Crash State:
  - crash stack -
  WebCore::HRTFElevation::calculateKernelsForAzimuthElevation
  WebCore::HRTFElevation::createForSubject
  - free stack -
  WebCore::HRTFElevation::calculateKernelsForAzimuthElevation
  WebCore::HRTFElevation::createForSubject

Fully reproducible crash found using linux_tsan_chrome_mp job type (history_size=6).

Comment 13 by rtoy@chromium.org, Sep 3 2013

Cc: gregsimon@chromium.org

Comment 14 by infe...@chromium.org, Sep 3 2013

Labels: -M-30 M-29 Security_Impact-Stable Cr-Blink-Audio

Comment 15 by infe...@chromium.org, Sep 3 2013

Labels: -Security_Severity-High Security_Severity-Medium
Fixing severity based on the fact that all of these are race conditions (free, crash on different threads). No reliable reproducer.

Comment 16 by gregsimon@chromium.org, Sep 3 2013

Cc: haraken@chromium.org

Comment 17 by haraken@chromium.org, Sep 3 2013

This is also a threading issue.

READ of size 8 at 0x603000050db0 thread T5
  #1 0x7f7a7f98ac68 in WebCore::HRTFElevation::calculateKernelsForAzimuthElevation(int, int, float, WTF::String const&, WTF::RefPtr<WebCore::HRTFKernel>&, WTF::RefPtr<WebCore::HRTFKernel>&) src/third_party/WebKit/Source/wtf/HashMap.h:342

freed by thread T7 here:
  #2 0x7f7a7f98ac68 in WebCore::HRTFElevation::calculateKernelsForAzimuthElevation(int, int, float, WTF::String const&, WTF::RefPtr<WebCore::HRTFKernel>&, WTF::RefPtr<WebCore::HRTFKernel>&) src/third_party/WebKit/Source/wtf/HashMap.h:342

Two threads call calculateKernelsForAzimuthElevation(). The first thread clears some data in the method. The second thread touches the data and crashes.

Comment 18 by haraken@chromium.org, Sep 3 2013

I think the core issue is that the access to AudioBusMap is not thread-safe.

static PassRefPtr<AudioBus> getConcatenatedImpulseResponsesForSubject(const String& subjectName) {
    typedef HashMap<String, RefPtr<AudioBus> > AudioBusMap;
    DEFINE_STATIC_LOCAL(AudioBusMap, audioBusMap, ());
    RefPtr<AudioBus> bus;
    AudioBusMap::iterator iterator = audioBusMap.find(subjectName); // (A)
    if (iterator == audioBusMap.end()) {
        ...;
        audioBusMap.set(subjectName, bus);  // (B)
    }
}

It's possible that:

- Thread 1 executes (A)
- Thread 2 executes (A)
- Thread 1 executes (B)
- Thread 2 executes (B) and crashes.

I'll write a CL soon.

Comment 19 by haraken@chromium.org, Sep 4 2013

Owner: haraken@chromium.org

Comment 20 by bugdroid1@chromium.org, Sep 5 2013

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=157273

------------------------------------------------------------------------
r157273 | haraken@chromium.org | 2013-09-05T04:59:19.902020Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/platform/audio/HRTFElevation.cpp?r1=157273&r2=157272&pathrev=157273

Fix threading races on HRTFElevation::audioBusMap

According to the crash report (https://cluster-fuzz.appspot.com/testcase?key=6291334197411840),
there is a threading race in HRTFElevation::getConcatenatedImpulseResponsesForSubject.

static PassRefPtr<AudioBus> getConcatenatedImpulseResponsesForSubject(...) {
    typedef HashMap<String, RefPtr<AudioBus> > AudioBusMap;
    DEFINE_STATIC_LOCAL(AudioBusMap, audioBusMap, ());
    RefPtr<AudioBus> bus;
    AudioBusMap::iterator iterator = audioBusMap.find(subjectName); // (A)
    if (iterator == audioBusMap.end()) {
        ...;
        audioBusMap.set(subjectName, bus);  // (B)
    }
}

It's possible that:

(1) Thread 1 executes (A)
(2) Thread 2 executes (A)
(3) Thread 1 executes (B)
(4) Thread 2 executes (B) and crashes.

This CL protects accesses to the AudioBusMap with mutex.

BUG= 270758 
No tests because the crash depends on threading races and thus not reproducible.

Review URL: https://chromiumcodereview.appspot.com/23613007
------------------------------------------------------------------------

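The check-then-set race described in comment 18 and in the r157273 CL description, reconstructed as an added example that is not code from this bug or from Blink: std::map, std::shared_ptr and std::mutex stand in for WTF::HashMap, RefPtr and the mutex the CL introduced, and AudioBus, getBusRacy, getBusLocked, stressLocked and the subject names are constructed for the illustration.

```cpp
#include <atomic>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

struct AudioBus { std::string subject; };          // constructed stand-in for WebCore::AudioBus
static std::atomic<int> g_busesCreated{0};         // how many buses were actually built

// Racy shape, mirroring the original: an unsynchronized find (A) followed by set (B) on a
// function-local static map. Two threads can both miss at (A); the later insert at (B)
// then mutates the table while the other thread still uses it. Kept out of the stress test.
std::shared_ptr<AudioBus> getBusRacy(const std::string& subjectName) {
    static std::map<std::string, std::shared_ptr<AudioBus>> audioBusMap;
    auto it = audioBusMap.find(subjectName);                        // (A)
    if (it != audioBusMap.end())
        return it->second;
    auto bus = std::make_shared<AudioBus>(AudioBus{subjectName});
    ++g_busesCreated;
    audioBusMap[subjectName] = bus;                                 // (B)
    return bus;
}

// Fixed shape, as r157273 does: the whole check-then-insert is one critical section,
// so no other thread can observe or mutate the map between (A) and (B).
std::shared_ptr<AudioBus> getBusLocked(const std::string& subjectName) {
    static std::mutex mapMutex;
    static std::map<std::string, std::shared_ptr<AudioBus>> audioBusMap;
    std::lock_guard<std::mutex> lock(mapMutex);
    auto it = audioBusMap.find(subjectName);                        // (A)
    if (it != audioBusMap.end())
        return it->second;
    auto bus = std::make_shared<AudioBus>(AudioBus{subjectName});
    ++g_busesCreated;
    audioBusMap.emplace(subjectName, bus);                          // (B)
    return bus;
}

// Hammers getBusLocked from `threads` threads over two constructed subject names and
// returns how many AudioBus objects were built: exactly 2 if the cache is race-free.
int stressLocked(int threads, int iterations) {
    g_busesCreated = 0;
    std::vector<std::thread> pool;
    for (int t = 0; t < threads; ++t)
        pool.emplace_back([iterations] {
            for (int i = 0; i < iterations; ++i)
                getBusLocked(i % 2 ? "subjectA" : "subjectB");
        });
    for (auto& th : pool) th.join();
    return g_busesCreated.load();
}
```

Running the same stress loop against getBusRacy is undefined behaviour; under ASan or TSan it is the kind of run that produced the reports above.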
Comment 21 by infe...@chromium.org, Sep 5 2013

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed

Comment 22 by infe...@chromium.org, Sep 12 2013

Please merge your change to the m30 branch (1599) by early next week [using drover]. We have m30 beta coming next week and we want all the security changes in by that time.

Comment 23 by bugdroid1@chromium.org, Sep 12 2013

Project Member
Labels: -Merge-Approved merge-merged-1599
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=157691

------------------------------------------------------------------------
r157691 | haraken@chromium.org | 2013-09-12T19:22:42.991190Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/1599/Source/core/platform/audio/HRTFElevation.cpp?r1=157691&r2=157690&pathrev=157691

Merge 157273 "Fix threading races on HRTFElevation::audioBusMap"

> Fix threading races on HRTFElevation::audioBusMap
> 
> According to the crash report (https://cluster-fuzz.appspot.com/testcase?key=6291334197411840),
> there is a threading race in HRTFElevation::getConcatenatedImpulseResponsesForSubject.
> 
> static PassRefPtr<AudioBus> getConcatenatedImpulseResponsesForSubject(...) {
>     typedef HashMap<String, RefPtr<AudioBus> > AudioBusMap;
>     DEFINE_STATIC_LOCAL(AudioBusMap, audioBusMap, ());
>     RefPtr<AudioBus> bus;
>     AudioBusMap::iterator iterator = audioBusMap.find(subjectName); // (A)
>     if (iterator == audioBusMap.end()) {
>         ...;
>         audioBusMap.set(subjectName, bus);  // (B)
>     }
> }
> 
> It's possible that:
> 
> (1) Thread 1 executes (A)
> (2) Thread 2 executes (A)
> (3) Thread 1 executes (B)
> (4) Thread 2 executes (B) and crashes.
> 
> This CL protects accesses to the AudioBusMap with mutex.
> 
> BUG= 270758 
> No tests because the crash depends on threading races and thus not reproducible.
> 
> Review URL: https://chromiumcodereview.appspot.com/23613007

TBR=haraken@chromium.org

Review URL: https://codereview.chromium.org/23437031
------------------------------------------------------------------------

Comment 24 by haraken@chromium.org, Sep 12 2013

Merged into M30.

Comment 25 by infe...@chromium.org, Sep 12 2013

Labels: Release-0

Comment 26 by laforge@google.com, Sep 13 2013

Labels: -Syzyasan Hotlist-SyzyASAN

Comment 27 by infe...@chromium.org, Sep 16 2013

Labels: -M-29 M-30 Merge-Merged

Comment 28 by infe...@chromium.org, Sep 25 2013

Did you see our new criteria for possibly issuing higher rewards? See http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program/reward-nomination-process
E.g. If you are able to provide a repro that faulted at an address of 0x41414141, it will qualify for the new higher rewards. Or, if you can show that you have control between free and crash points, etc.

Comment 29 by mbarbe...@chromium.org, Sep 26 2013

Labels: CVE-2013-2906

Comment 30 by scarybea...@gmail.com, Sep 28 2013

Labels: -reward-topanel reward-500 reward-unpaid
$500

Comment 31 by parisa@chromium.org, Oct 18 2013

Labels: -reward-unpaid reward-inprocess

Comment 32 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 33 by timwillis@chromium.org, Feb 28 2014

Labels: -reward-inprocess

Comment 34 by glider@chromium.org, Jun 29 2015

Labels: Stability-ThreadSanitizer

Comment 35 by ClusterFuzz, Feb 2 2016

Project Member
Labels: -Security_Impact-Beta

Comment 36 by sshru...@google.com, Mar 21 2016

Components: -Blink>Audio Blink>Media>Audio
Renaming Blink>Audio to Blink>Media>Audio for better characterization

Comment 37 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 38 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 39 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 40 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
