Issue 285380 Heap-use-after-free in content::QuotaDispatcherHost::RequestQuotaDispatcher::DidFinish
Project Member Reported by clusterf...@chromium.org, Sep 4 2013
Status: Fixed
Owner:
Closed: Sep 2013
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4594841442844672

Fuzzer: Aedla_ipc_fuzzer
Job Type: Linux_asan_chrome_ipc

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60f0000324a0
Crash State:
  - crash stack -
  content::QuotaDispatcherHost::RequestQuotaDispatcher::DidFinish
  content::QuotaDispatcherHost::RequestQuotaDispatcher::DidGetPermissionResponse
  - free stack -
  IPC::ChannelProxy::Context::OnChannelClosed
  base::MessageLoop::RunTask
 
Comment 1 by aedla@chromium.org, Sep 4 2013
Cc: kinuko@chromium.org
This reproduces reliably for me.

From the stack it looks like:

- renderer calls QuotaHostMsg_RequestStorageQuota handled by QuotaDispatcherHost

- which does:
  RequestQuotaDispatcher* dispatcher = new RequestQuotaDispatcher(
      this, request_id, origin, type, requested_size, render_view_id);
  dispatcher->Start();

- which does:
      quota_manager()->GetPersistentHostQuota(
          host_,
          base::Bind(&self_type::DidGetHostQuota,
                     weak_factory_.GetWeakPtr(), host_, type_));

RequestQuotaDispatcher has a raw pointer to QuotaDispatcherHost and is waiting for ::DidGetHostQuota to be called

- meanwhile a channel to the renderer disappears (not yet sure how) and the QuotaDispatcherHost filter is deleted

- DidGetHostQuota triggers and tries to use QuotaDispatcherHost
I feel like this may be similar to issue 176692 or issue 225546.
Owner: kinuko@chromium.org
Status: Assigned
Will look into it.
Comment 4 by aedla@chromium.org, Sep 5 2013
Thank you. I'll give you some background. IPC fuzzer assumes a compromised renderer and tries to break the browser by sending bad messages. So the testcase in the CF report contains the messages to send to trigger this. At this point it is pretty difficult for you to reproduce it, sorry about that. I'm still working on getting the code to replay messages into the Chrome tree. I can send you a patch with this code though, if you'd like.
Thanks for the background. I'm sending a strawman CL which uses WeakPtr to start with.
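The lifetime race described in Comment 1 and the WeakPtr approach mentioned in the reply above, as an added, self-contained model (not Chromium code, not the CL under review): a per-channel filter hands an asynchronous request to a self-deleting dispatcher, the channel closes and destroys the filter while the quota lookup is still pending, and the completion callback then runs. std::weak_ptr stands in for base::WeakPtr/WeakPtrFactory, a std::deque of std::function stands in for the IO-thread message loop, and all class, function and counter names are hypothetical simplifications of the ones in the report.

```cpp
// Added example, not Chromium code: models the race in this report with
// std::weak_ptr standing in for base::WeakPtr. Names are hypothetical.
#include <cstdint>
#include <deque>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Single-threaded stand-in for the browser IO thread's message loop.
struct TaskQueue {
  std::deque<std::function<void()>> tasks;
  void Post(std::function<void()> task) { tasks.push_back(std::move(task)); }
  void RunAll() {
    while (!tasks.empty()) {
      std::function<void()> task = std::move(tasks.front());
      tasks.pop_front();
      task();
    }
  }
};

// Stand-in for QuotaManager: outlives any channel filter and answers quota
// lookups on a later loop iteration, which is what opens the window.
struct QuotaManager {
  explicit QuotaManager(TaskQueue* l) : loop(l) {}
  TaskQueue* loop;
  int64_t host_quota = 1 << 20;
  void GetPersistentHostQuota(std::function<void(int64_t)> callback) {
    int64_t q = host_quota;
    loop->Post([callback, q] { callback(q); });
  }
};

// Stand-in for QuotaDispatcherHost, the per-channel filter destroyed when the
// channel closes. Owned via shared_ptr so in-flight work can hold a weak ref.
class QuotaDispatcherHost
    : public std::enable_shared_from_this<QuotaDispatcherHost> {
 public:
  explicit QuotaDispatcherHost(QuotaManager* qm) : quota_manager_(qm) {}
  void OnRequestStorageQuota(int64_t requested_size);
  std::vector<int64_t> granted;  // replies that reached "the renderer"
 private:
  QuotaManager* quota_manager_;
};

int g_live_dispatchers = 0;  // bookkeeping for the scenarios below
int g_replies_dropped = 0;

// Stand-in for RequestQuotaDispatcher: self-deleting, completes asynchronously.
class RequestQuotaDispatcher {
 public:
  RequestQuotaDispatcher(std::weak_ptr<QuotaDispatcherHost> host, int64_t size)
      : host_(std::move(host)), requested_size_(size) { ++g_live_dispatchers; }
  ~RequestQuotaDispatcher() { --g_live_dispatchers; }

  void Start(QuotaManager* qm) {
    // The dispatcher is only deleted in DidFinish, so `this` is safe here;
    // the host's lifetime is the part this object does not control.
    qm->GetPersistentHostQuota([this](int64_t quota) { DidGetHostQuota(quota); });
  }

 private:
  void DidGetHostQuota(int64_t quota) { DidFinish(quota); }

  void DidFinish(int64_t quota) {
    // The vulnerable version held QuotaDispatcherHost* and dereferenced it
    // here; once OnChannelClosed had destroyed the host, that read was the
    // use-after-free. Locking the weak pointer turns a dead host into a no-op.
    if (std::shared_ptr<QuotaDispatcherHost> host = host_.lock()) {
      host->granted.push_back(requested_size_ <= quota ? requested_size_ : quota);
    } else {
      ++g_replies_dropped;
    }
    delete this;  // must be the last use of any member
  }

  std::weak_ptr<QuotaDispatcherHost> host_;
  int64_t requested_size_;
};

void QuotaDispatcherHost::OnRequestStorageQuota(int64_t requested_size) {
  RequestQuotaDispatcher* dispatcher =
      new RequestQuotaDispatcher(shared_from_this(), requested_size);
  dispatcher->Start(quota_manager_);
}

struct Outcome { int replies_delivered; int replies_dropped; int dispatchers_alive; };

// Normal case: the channel stays open until the quota lookup completes.
Outcome RunHostOutlivesRequest() {
  g_live_dispatchers = g_replies_dropped = 0;
  TaskQueue loop;
  QuotaManager qm(&loop);
  auto host = std::make_shared<QuotaDispatcherHost>(&qm);
  host->OnRequestStorageQuota(4096);
  loop.RunAll();
  return {static_cast<int>(host->granted.size()), g_replies_dropped, g_live_dispatchers};
}

// The crash scenario: the filter is destroyed while the lookup is pending,
// and the completion callback runs afterwards (the report's free/crash stacks).
Outcome RunChannelClosedMidRequest() {
  g_live_dispatchers = g_replies_dropped = 0;
  TaskQueue loop;
  QuotaManager qm(&loop);
  {
    auto host = std::make_shared<QuotaDispatcherHost>(&qm);
    host->OnRequestStorageQuota(4096);
  }  // OnChannelClosed equivalent: the host is gone, the posted task is not
  loop.RunAll();
  return {0, g_replies_dropped, g_live_dispatchers};
}
```

RunChannelClosedMidRequest is the path ClusterFuzz hit: the reply is dropped instead of written through a dangling pointer, and the dispatcher still deletes itself so nothing leaks. The check in DidFinish is the whole fix; base::WeakPtrFactory in Chromium invalidates its pointers in the host's destructor in the same way std::weak_ptr expires here.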
Labels: Security_Impact-Beta Security_Impact-Stable M-29
I am assuming that this is not a regression. If yes, please update milestone and SecImpacts flags.
Project Member Comment 7 by bugdroid1@chromium.org, Sep 9 2013
------------------------------------------------------------------------
r222026 | kinuko@chromium.org | 2013-09-09T14:45:51.800090Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/quota_dispatcher_host.cc?r1=222026&r2=222025&pathrev=222026
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/quota_dispatcher_host.h?r1=222026&r2=222025&pathrev=222026

RequestQuotaDispatcher should handle unexpected death of QuotaDispatcherHost gracefully

BUG= 285380 

Review URL: https://chromiumcodereview.appspot.com/23783005
------------------------------------------------------------------------
Cc: -kinuko@chromium.org
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
Please merge your change to the m30 branch (1599) by early next week [using drover]. We have m30 beta coming next week and we want all the security changes in by that time. 
Comment 10 by kareng@google.com, Sep 16 2013
Labels: -M-29 -Merge-Approved M-30 Merge-Merged
I merged. Committed revision 223360
Labels: Release-0
Project Member Comment 12 by bugdroid1@chromium.org, Sep 16 2013
Labels: merge-merged-1599
------------------------------------------------------------------------
r223360 | karen@chromium.org | 2013-09-16T18:00:49.794468Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1599/src/content/browser/quota_dispatcher_host.cc?r1=223360&r2=223359&pathrev=223360
   M http://src.chromium.org/viewvc/chrome/branches/1599/src/content/browser/quota_dispatcher_host.h?r1=223360&r2=223359&pathrev=223360

Merge 222026 "RequestQuotaDispatcher should handle unexpected de..."

> RequestQuotaDispatcher should handle unexpected death of QuotaDispatcherHost gracefully
> 
> BUG= 285380 
> 
> Review URL: https://chromiumcodereview.appspot.com/23783005

TBR=kinuko@chromium.org

Review URL: https://codereview.chromium.org/23567034
------------------------------------------------------------------------
Project Member Comment 13 by clusterf...@chromium.org, Feb 6 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 14 by clusterf...@chromium.org, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 15 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic