Issue metadata

Status: Fixed
Owner:
Closed: Sep 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 284786: Heap-use-after-free in content::WebAudioSourceProviderImpl::provideInput

Reported by ClusterFuzz, Sep 3 2013 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4697390229487616

Fuzzer: Attekett_webaudio_fuzzer
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x605000115378
Crash State:
  - crash stack -
  content::WebAudioSourceProviderImpl::provideInput
  WebKit::WebMediaPlayerClientImpl::AudioSourceProviderImpl::provideInput
  - free stack -
  content::WebAudioSourceProviderImpl::~WebAudioSourceProviderImpl
  non-virtual thunk to content::WebAudioSourceProviderImpl::~WebAudioSourceProviderImpl
Fully reproducible crash found using linux_tsan_chrome_mp job type (history_size=6).
Comment 1 by infe...@chromium.org, Sep 3 2013

Owner: rtoy@chromium.org
Status: Assigned

Comment 2 by infe...@chromium.org, Sep 3 2013

Cc: gregsimon@chromium.org
Labels: M-29 Security_Impact-Beta Security_Impact-Stable Cr-Blink-Audio

Comment 3 by infe...@chromium.org, Sep 3 2013

Labels: -Security_Severity-High Security_Severity-Medium
Fixing severity based on the fact that all of these are race conditions (free, crash on different threads). No reliable reproducer.

Comment 4 by infe...@chromium.org, Sep 3 2013

Cc: haraken@chromium.org

Comment 5 by haraken@chromium.org, Sep 4 2013

Cc: rtoy@chromium.org
Owner: haraken@chromium.org
This is due to threading races on WebAudioSourceProviderImpl::bus_wrapper_ in WebAudioSourceProviderImpl::provideInput. I'll write a CL soon.

Comment 6 by haraken@chromium.org, Sep 4 2013

Cc: scherkus@chromium.org dalecur...@chromium.org kbr@chromium.org

Comment 7 by bugdroid1@chromium.org, Sep 5 2013

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=157259

------------------------------------------------------------------------
r157259 | haraken@chromium.org | 2013-09-05T02:06:57.884260Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLMediaElement.cpp?r1=157259&r2=157258&pathrev=157259

Fix threading races on WebAudioSourceProviderImpl::provideInput

Fix threading races on WebAudioSourceProviderImpl::provideInput 

According to the crash report (https://cluster-fuzz.appspot.com/testcase?key=4697390229487616), 
there is a threading race. Specifically, WebAudioSourceProviderImpl can be destructed by the main thread while WebAudioSourceProviderImpl::Stop() is being called by the audio thread. 

The core problem is that we're not calling WebAudioSourceProviderImpl::setClient(NULL) when HTMLMediaElement clears the audio source provider. 

BUG= 284786 
No tests because the crash depends on threading races and thus not reproducible.

Review URL: https://chromiumcodereview.appspot.com/23969007
------------------------------------------------------------------------
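The race described in comment 5 and in the commit message above, modelled as an added C++ example that is not code from the Chromium tree or from this CL. The names SourceProvider, SourceClient, AudioBus and TeardownScenario are constructed stand-ins for the provider, its client and the bus; the real WebAudioSourceProviderImpl is not reproduced. Destruction of the client is simulated by flipping a flag rather than freeing memory, so the buggy ordering (teardown without setClient(nullptr)) can be counted instead of crashing, and the fixed ordering (detach under the lock first, then tear down) can be shown to leave the audio thread nothing to dereference.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

// Constructed stand-in for the bus that the audio thread renders into.
struct AudioBus {
  std::vector<float> samples = std::vector<float>(128, 0.0f);
};

// Constructed stand-in for the media-element-side object the provider calls
// into (the "client" of setClient). The main thread owns it. Destruction is
// simulated by flipping `alive` so the buggy ordering can be observed and
// counted instead of producing a real use-after-free.
struct SourceClient {
  std::atomic<bool> alive{true};
  std::atomic<size_t> renders{0};
  std::atomic<size_t> renders_after_destroy{0};

  void render(AudioBus* bus) {
    if (!alive.load()) renders_after_destroy.fetch_add(1);  // the UAF analogue
    for (float& s : bus->samples) s = 0.5f;
    renders.fetch_add(1);
  }
};

// Constructed stand-in for WebAudioSourceProviderImpl: a raw client pointer
// written by the main thread in setClient and read by the audio thread in
// provideInput. Both sides hold the same mutex for the whole operation.
class SourceProvider {
 public:
  void setClient(SourceClient* client) {
    std::lock_guard<std::mutex> guard(lock_);
    client_ = client;
  }

  // Audio-thread entry point. Because the lock is held for the entire render,
  // setClient(nullptr) on the main thread blocks until an in-flight render
  // finishes, and any render that starts after the clear sees nullptr.
  bool provideInput(AudioBus* bus) {
    std::lock_guard<std::mutex> guard(lock_);
    if (!client_) return false;
    client_->render(bus);
    return true;
  }

 private:
  std::mutex lock_;
  SourceClient* client_ = nullptr;
};

// Runs one teardown ordering and returns how many renders reached the client
// after the main thread had "destroyed" it. `clear_first` selects whether the
// main thread calls setClient(nullptr) before tearing the client down, which
// is the step the fix adds on the HTMLMediaElement side.
size_t TeardownScenario(bool clear_first) {
  SourceProvider provider;
  SourceClient client;
  provider.setClient(&client);

  std::atomic<bool> stop{false};
  std::atomic<size_t> attempts{0};
  std::thread audio_thread([&] {
    AudioBus bus;
    while (!stop.load()) {
      provider.provideInput(&bus);
      attempts.fetch_add(1);
      std::this_thread::yield();  // let the main thread get the lock
    }
  });

  // Let the audio thread render at least once so the two threads overlap.
  while (client.renders.load() == 0) std::this_thread::yield();

  if (clear_first) provider.setClient(nullptr);  // the fix: detach first
  client.alive.store(false);                      // main thread tears it down

  // Give the audio thread 1000 more provideInput calls after the teardown,
  // so a stale pointer, if still installed, is certain to be dereferenced.
  const size_t target = attempts.load() + 1000;
  while (attempts.load() < target) std::this_thread::yield();

  stop.store(true);
  audio_thread.join();
  return client.renders_after_destroy.load();
}

int main() {
  std::printf("without setClient(nullptr): %zu renders after destroy\n",
              TeardownScenario(false));
  std::printf("with setClient(nullptr):    %zu renders after destroy\n",
              TeardownScenario(true));
  return 0;
}
```

The point the model makes is the one in the CL description: the lock alone does not help if the main thread never clears the pointer, because the audio thread keeps finding a valid-looking client_ after the object behind it is gone. Clearing under the same lock the renderer holds is what turns the race into a benign "nothing to render" path. Build with -pthread.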

Comment 8 by haraken@chromium.org, Sep 5 2013

Status: Fixed

Comment 9 by infe...@chromium.org, Sep 5 2013

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved

Comment 10 by infe...@chromium.org, Sep 12 2013

Please merge your change to the m30 branch (1599) by early next week [using drover]. We have m30 beta coming next week and we want all the security changes in by that time.

Comment 11 by haraken@chromium.org, Sep 12 2013

Merged into M30.

Comment 12 by bugdroid1@chromium.org, Sep 12 2013

Project Member
Labels: -Merge-Approved merge-merged-1599
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=157694

------------------------------------------------------------------------
r157694 | haraken@chromium.org | 2013-09-12T19:25:42.497379Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/1599/Source/core/html/HTMLMediaElement.cpp?r1=157694&r2=157693&pathrev=157694

Merge 157259 "Fix threading races on WebAudioSourceProviderImpl:..."

> Fix threading races on WebAudioSourceProviderImpl::provideInput
> 
> Fix threading races on WebAudioSourceProviderImpl::provideInput 
> 
> According to the crash report (https://cluster-fuzz.appspot.com/testcase?key=4697390229487616), 
> there is a threading race. Specifically, WebAudioSourceProviderImpl can be destructed by the main thread while WebAudioSourceProviderImpl::Stop() is being called by the audio thread. 
> 
> The core problem is that we're not calling WebAudioSourceProviderImpl::setClient(NULL) when HTMLMediaElement clears the audio source provider. 
> 
> BUG= 284786 
> No tests because the crash depends on threading races and thus not reproducible.
> 
> Review URL: https://chromiumcodereview.appspot.com/23969007

TBR=haraken@chromium.org

Review URL: https://codereview.chromium.org/23658042
------------------------------------------------------------------------

Comment 13 by infe...@chromium.org, Sep 12 2013

Labels: Release-0

Comment 14 by infe...@chromium.org, Sep 16 2013

Labels: -M-29 M-30 Merge-Merged

Comment 15 by infe...@chromium.org, Sep 25 2013

Did you see our new criteria for possibly issuing higher rewards? See http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program/reward-nomination-process
E.g. If you are able to provide a repro that faulted at an address of 0x41414141, it will qualify for the new higher rewards. Or, if you can show that you have control between free and crash points, etc.

Comment 16 by mbarbe...@chromium.org, Sep 26 2013

Labels: CVE-2013-2906

Comment 17 by scarybea...@gmail.com, Sep 28 2013

Labels: -reward-topanel reward-500 reward-unpaid

Comment 18 by parisa@chromium.org, Oct 18 2013

Labels: -reward-unpaid reward-inprocess

Comment 19 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 20 by timwillis@chromium.org, Feb 28 2014

Labels: -reward-inprocess

Comment 21 by glider@chromium.org, Jun 29 2015

Labels: Stability-ThreadSanitizer

Comment 22 by ClusterFuzz, Feb 2 2016

Project Member
Labels: -Security_Impact-Beta

Comment 23 by sshru...@google.com, Mar 21 2016

Components: -Blink>Audio Blink>Media>Audio
Renaming Blink>Audio to Blink>Media>Audio for better characterization

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 27 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
