
Issue 369525

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security


ASSERTION FAILED: static_cast<FileError::ErrorCode>(code) != FileError::ABORT_ERR, Heap-use-after-free in v8::internal::GlobalHandles::Node::Release

Reported by therealh...@gmail.com, May 2 2014

Issue description

VULNERABILITY DETAILS
The repro causes a UAF in global-handles set_state (FileSystem API) with some control over the crash address. Increasing the count var (when the window is being closed), or (string) size of the blob (to be written to the file) will also increase the crash address.

The crash address (therefore) seems to be related to the position in the file when the window is closed (automatically).

VERSION
Chrome Version: 36.0.1933.0 (+) dev, ToT: 261961 (+), 261698 (no crash)
Operating System: Ubuntu 14.04 x64

REPRODUCTION CASE
(Change count (==10), or the (size of the) blob string ('1') to alter the crash address).
1. Launch the repro script
2. Press "Start"

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab UAF
Crash State: see added asan trace

Attachments:
fsys_close_UAF_repro.html (930 bytes)
fsys_close_UAF_asan_trace.txt (12.4 KB)
Cc: kinuko@chromium.org
Labels: Security_Severity-High Cr-Blink-Storage-FileSystem
Status: Available
Looks very reproducible. Clusterfuzz is working on the test case.

Comment 2 by ClusterFuzz, May 2 2014

ClusterFuzz is analyzing your testcase. See https://cluster-fuzz.appspot.com/testcase?key=5758508358172672

Comment 3 by ClusterFuzz, May 2 2014

Summary: ASSERTION FAILED: static_cast<FileError::ErrorCode>(code) != FileError::ABORT_ERR, Heap-use-after-free in v8::internal::GlobalHandles::Node::Release (was: Security: UAF: FileSystem API (related to file position) in global-handles set_state)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5758508358172672

Uploader: meacer@google.com
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x62500001ab0b
Crash State:
  - crash stack -
  v8::internal::GlobalHandles::Node::Release
  WebCore::V8FileWriterCallback::~V8FileWriterCallback
  - free stack -
  v8::internal::GlobalHandles::~GlobalHandles
  v8::internal::Isolate::~Isolate
  
Regressed: https://cluster-fuzz.appspot.com//revisions?job=linux_asan_chrome_mp&range=262146:262202

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LiHQXvjpazZ2TQuycvcL-iB3LqHcGQ4-Tav7zhnhQEkRh0rMEx6bem1VvspOoNi_99wye0_9mPmGCNZ-RmB9538gU1NXTV8AxywtbDAwbvfTAcEpoJY6oMgSM88tG7L7HxCOnOmqBgGEQkRKxrW89ysPixA

Additional requirements: Requires Interaction Gestures


Comment 4 by cdn@chromium.org, May 6 2014

Labels: Security_Impact-None M-36 Pri-1

Comment 5 by tzik@chromium.org, May 7 2014

Labels: -Security_Severity-High Security_Severity-Low
Owner: tzik@chromium.org
Status: Assigned
I'm looking into this.

This started failing from http://crrev.com/262184, which enables --child-clean-exit on ASan as a compile-time condition.
Since we don't ship Chrome with the ASan switch, that particular code path isn't hit in production.

Comment 6 by tzik@chromium.org, May 8 2014

Labels: -Security_Severity-Low Security_Severity-High
Reverting Severity to High. I heard we sometimes follow the shutdown sequence on production code.

Comment 7 by bugdroid1@chromium.org, May 8 2014

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=173620

------------------------------------------------------------------
r173620 | tzik@chromium.org | 2014-05-08T08:51:53.940710Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/filesystem/FileWriter.cpp?r1=173620&r2=173619&pathrev=173620

[FileAPI] Drop irrelevant ASSERT in FileWriter

The error code can be ABORT_ERR if an operation is aborted by the browser.

BUG= 369525 

Review URL: https://codereview.chromium.org/267253008
-----------------------------------------------------------------
This was a crash in a release build; your fix just removes an assert?
#8 - one more patch is coming; r173620 is just part of the fix.

Comment 10 by tzik@chromium.org, May 8 2014

inferno: The assertion failure and UAF are from separate bugs in both blink and chromium.
Another CL is for UAF, which is in CQ now: http://crrev.com/270633009/

Comment 11 by bugdroid1@chromium.org, May 9 2014

------------------------------------------------------------------
r269345 | tzik@chromium.org | 2014-05-09T17:04:09.414314Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/child/child_thread.cc?r1=269345&r2=269344&pathrev=269345

[FileAPI] Clean up WebFileSystemImpl before Blink shutdown

WebFileSystemImpl should not outlive the V8 instance, since it may have references to V8.
This CL ensures it is deleted before Blink shutdown.

BUG= 369525 

Review URL: https://codereview.chromium.org/270633009
-----------------------------------------------------------------

Comment 12 by bugdroid1@chromium.org, May 9 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f14efc560a12a513696d6396413b138879dabd7a

commit f14efc560a12a513696d6396413b138879dabd7a
Author: tzik@chromium.org <tzik@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri May 09 17:04:09 2014

[FileAPI] Clean up WebFileSystemImpl before Blink shutdown

WebFileSystemImpl should not outlive the V8 instance, since it may have references to V8.
This CL ensures it is deleted before Blink shutdown.

BUG= 369525 

Review URL: https://codereview.chromium.org/270633009

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269345 0039d316-1c4b-4281-b951-d872f2087c98

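A small model of the shutdown-ordering bug the two CLs above fix, as an added example that is not Chromium's code: the hypothetical `GlobalHandles`, `FileWriterCallback` and `WebFileSystem` types stand in for V8's global handles, `V8FileWriterCallback` and `WebFileSystemImpl`, and the weak pointer exists only so the wrong-order case is observable without touching freed memory.

```cpp
// Model (not Chromium code) of a shutdown-order use-after-free: callbacks
// owned by the file system hold handles into a registry owned by V8. If the
// registry dies first, each callback destructor releases into a dead registry.
#include <memory>
#include <vector>

struct GlobalHandles {
    int live = 0;                       // handles currently allocated
    int allocate() { return ++live; }   // returns an opaque handle id
    void release() { --live; }
};

// Counts releases attempted after the registry was destroyed; in the real
// bug each one is the heap-use-after-free that ASan reported.
static int g_dangling_releases = 0;

struct FileWriterCallback {
    // Weak reference is a modelling device: it lets us detect the dangling
    // case safely instead of dereferencing freed memory like the real code did.
    std::weak_ptr<GlobalHandles> handles;
    explicit FileWriterCallback(const std::shared_ptr<GlobalHandles>& h) : handles(h) {
        h->allocate();
    }
    ~FileWriterCallback() {
        if (auto h = handles.lock()) h->release();   // registry alive: normal path
        else ++g_dangling_releases;                  // registry gone: UAF in real code
    }
};

struct WebFileSystem {
    std::vector<std::unique_ptr<FileWriterCallback>> pending;  // writes in flight
};

// Simulates renderer shutdown with `pending_writes` still in flight and returns
// how many handle releases ran after GlobalHandles was destroyed (0 means safe).
int simulate_shutdown(int pending_writes, bool file_system_before_v8) {
    g_dangling_releases = 0;
    auto handles = std::make_shared<GlobalHandles>();
    auto fs = std::make_unique<WebFileSystem>();
    for (int i = 0; i < pending_writes; ++i)
        fs->pending.push_back(std::make_unique<FileWriterCallback>(handles));
    if (file_system_before_v8) {
        fs.reset();        // fixed order (r269345): file system first...
        handles.reset();   // ...then V8, with no callbacks left to release
    } else {
        handles.reset();   // buggy order: V8 goes away while callbacks are pending
        fs.reset();        // every callback destructor now releases into nothing
    }
    return g_dangling_releases;
}
```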

Comment 13 by tzik@chromium.org, May 10 2014

Labels: -M-36 M-35 Merge-Requested
Requesting to merge r269345 to M35, which fixes a renderer UAF on renderer shutdown.

Comment 14 by ClusterFuzz, May 11 2014

ClusterFuzz has detected this issue as fixed in range 268656:269696.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5758508358172672

Uploader: meacer@google.com
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x62500001ab0b
Crash State:
  - crash stack -
  v8::internal::GlobalHandles::Node::Release
  WebCore::V8FileWriterCallback::~V8FileWriterCallback
  - free stack -
  v8::internal::GlobalHandles::~GlobalHandles
  v8::internal::Isolate::~Isolate
  
Regressed: https://cluster-fuzz.appspot.com//revisions?job=linux_asan_chrome_mp&range=262146:262202
Fixed: https://cluster-fuzz.appspot.com//revisions?job=linux_asan_chrome_mp&range=268656:269696

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LiHQXvjpazZ2TQuycvcL-iB3LqHcGQ4-Tav7zhnhQEkRh0rMEx6bem1VvspOoNi_99wye0_9mPmGCNZ-RmB9538gU1NXTV8AxywtbDAwbvfTAcEpoJY6oMgSM88tG7L7HxCOnOmqBgGEQkRKxrW89ysPixA

Additional requirements: Requires Interaction Gestures

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Status: Fixed
Labels: -Security_Impact-None Security_Impact-Head M-36
tzik@ - This is unlikely to make M35 as it hasn't landed on dev yet, but we can get this into M35 patch 1.
Labels: reward-topanel
Labels: Merge-Triage

Comment 19 by kareng@google.com, May 12 2014

Labels: -Merge-Requested Merge-Approved
approved for m35.

Comment 20 by bugdroid1@chromium.org, May 13 2014

Labels: -Merge-Approved merge-merged-1916
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ffacf6de1d0d11e3451b86ec990e70c06b40aef

commit 0ffacf6de1d0d11e3451b86ec990e70c06b40aef
Author: tzik@chromium.org <tzik@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Tue May 13 02:42:18 2014

Merge 269345 "[FileAPI] Clean up WebFileSystemImpl before Blink ..."

> [FileAPI] Clean up WebFileSystemImpl before Blink shutdown
> 
> WebFileSystemImpl should not outlive the V8 instance, since it may have references to V8.
> This CL ensures it is deleted before Blink shutdown.
> 
> BUG= 369525 
> 
> Review URL: https://codereview.chromium.org/270633009

TBR=tzik@chromium.org

Review URL: https://codereview.chromium.org/286483004

git-svn-id: svn://svn.chromium.org/chrome/branches/1916/src@269974 0039d316-1c4b-4281-b951-d872f2087c98



Comment 21 by bugdroid1@chromium.org, May 13 2014

------------------------------------------------------------------
r269974 | tzik@chromium.org | 2014-05-13T02:42:18.769038Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1916/src/content/child/child_thread.cc?r1=269974&r2=269973&pathrev=269974

Merge 269345 "[FileAPI] Clean up WebFileSystemImpl before Blink ..."

> [FileAPI] Clean up WebFileSystemImpl before Blink shutdown
> 
> WebFileSystemImpl should not outlive the V8 instance, since it may have references to V8.
> This CL ensures it is deleted before Blink shutdown.
> 
> BUG= 369525 
> 
> Review URL: https://codereview.chromium.org/270633009

TBR=tzik@chromium.org

Review URL: https://codereview.chromium.org/286483004
-----------------------------------------------------------------

Comment 22 by ClusterFuzz, May 13 2014

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Triage Release-0-M35

Comment 24 by ClusterFuzz, May 16 2014

Labels: -Release-0-M35
This bug is a regression and does not impact stable. Removing incorrectly added Release-0-M35 label.

- Your friendly ClusterFuzz
Labels: -reward-topanel reward-unpaid reward-1000
Thanks for the report! This one qualifies for a $1000 reward.
Labels: Release-1-M35

Comment 27 by ClusterFuzz, Jun 3 2014

Labels: -Release-1-M35
This bug is a regression and does not impact stable. Removing incorrectly added Release-1-M35 label.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -Security_Impact-Head Security_Impact-Stable Security_Impact-Beta Release-1-M35
Thanks CF for detecting the label mismatch.
CF wins again!
Labels: CVE-2014-3154
Labels: -reward-unpaid reward-inprocess

Comment 32 by ClusterFuzz, Aug 18 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-inprocess
Processing via our e-payment system can take a few weeks, but reward should be on its way to you. Thanks again for your help!

Comment 34 by ClusterFuzz, Feb 2 2016

Labels: -Security_Impact-Beta

Comment 35 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 36 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted