Starred by 1 user
Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Nag
Heap-use-after-free in base::subtle::RefCountedThreadSafeBase::Release
Project Member Reported by clusterf...@chromium.org, Aug 7 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4531412776517632

Fuzzer: Meacer_extension_apis
Job Type: Windows_asan_chrome

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x1cb69f44
Crash State:
  - crash stack -
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  - free stack -
  extensions::PageCaptureSaveAsMHTMLFunction::`scalar
  base::DeleteHelper<UIThreadExtensionFunction>::DoDelete
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=287514:287661

Minimized Testcase (7.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vnHwj1NYdmCx4aj0xoQm_7yHRpMKG4tEBMYuo4n6Fdo44c6oghxTcEIYaUewp1nJlMbw3nT_rkWXts8WoeD4WHrd65Dcx8UqxQ-SHIVk7nEmZBxMJvJ376Juryo10kxSL2zIbI4l-2xfFqQt-KYrblIcYzw

Filer: inferno
 
Cc: erikkay@chromium.org
Owner: meacer@chromium.org
Status: Assigned
Mustafa, any idea what regressed this from range - http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog.html?url=/trunk/src&range=287514:287661&mode=html
Cc: -erikkay@chromium.org kalman@chromium.org rdevlin....@chromium.org
I don't see anything obvious in the regression, but this is the most recent change for saveAsMHTML:

https://codereview.chromium.org/384653002/diff/40001/chrome/renderer/resources/extensions/page_capture_custom_bindings.js

Devlin/Ben, any thoughts?
a JS change shouldn't affect browser refcounting. is it consistently reproducible in that range I wonder?
sometimes the regression range can be wrong, but in this case this is a fully reproducible crash on trunk, see "Reproducible: Yes" in the report.
Project Member Comment 5 by clusterf...@chromium.org, Aug 9 2014
Labels: Pri-1 Security_Impact-Head
Project Member Comment 6 by clusterf...@chromium.org, Aug 9 2014
Labels: M-38
Project Member Comment 7 by clusterf...@chromium.org, Aug 9 2014
Labels: ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz
Comment 8 by meacer@chromium.org, Aug 11 2014
I can't repro this on Linux and I don't have a Windows machine handy right now. I'm speculating, but could this have to do something with the SaveAs dialog that saveAsMHTML triggers? Looking at the stack, that seems to be the only OS specific thing that might be relevant.
Comment 9 by meacer@chromium.org, Aug 15 2014
Cc: -kalman@chromium.org meacer@chromium.org
Owner: kalman@chromium.org
Ben, assigning this to you, perhaps you can make sense of the stack trace.
I ran the test case (using --load-extension) and, funnily enough, it crashes in the renderer. I'll have a look at the renderer crash, maybe it could be related to dying processes playing badly with the pageCapture API.
[13:13:0815/121637:FATAL:console.cc(61)] Check failed: false. (BLESSED_EXTENSION context for pkappolkbmfnnkpdajaojmieeejomokl) extensions::schemaUtils:34: Uncaught Error: Invalid value for argument 1. Property 'dataRemovalPermitted.serviceWorkers': Unexpected property, Property 'dataToRemove.serviceWorkers': Unexpected property.{Error: Invalid value for argument 1. Property 'dataRemovalPermitted.serviceWorkers': Unexpected property, Property 'dataToRemove.serviceWorkers': Unexpected property.


something to do with the browsingData API.
Ok this crash is r288784, 3 days ago (11th August), so can't have caused this crash (just a happy accident that this test case found it).

After fixing the renderer issue, I can't repro this crash.
Oh, I didn't build with asan, that would be why.
Project Member Comment 14 by clusterf...@chromium.org, Aug 18 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5192258912518144

Fuzzer: Meacer_extension_apis
Job Type: Windows_asan_chrome

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x1c4db8c4
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  ValueStoreChange::~ValueStoreChange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=289604:289622

Minimized Testcase (5.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95a2vHGx0lJtq0iiEdEeMf_nT5TtW76Zp13fFYeEVQ3IGC1wkxNR68jERZ_J8E6u5Kcw2LzZFz6qOEG_dtuV8H7YDmyLnrMDghO6u3Wc6_qYXPSosBhXN_CY-YUZEc9LYDVrzrotmA5V7X2cp5fdYHmSaPCXg

Filer: inferno
Project Member Comment 15 by clusterf...@chromium.org, Aug 18 2014
Labels: -Security_Impact-Head Security_Impact-Beta
Project Member Comment 16 by clusterf...@chromium.org, Aug 18 2014
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
I'm not sure if this is related or not, but I get a renderer crash with the attached extension. It uses pageCapture API.

Open the extension settings page, close it, and open it again. The renderer should crash (otherwise try a few more times).
Attachment: pagecapture_test_minimal.zip (1.7 KB)
I can't make that test case crash on trunk (haven't tried on other versions). Linux.

I open google.com, then open chrome://extensions, then close it, then restore it, many times. Also tried just closing it and opening it by typing the URL in several times.
Ah yes, I should have mentioned. It doesn't repro on trunk for me either, but it repros on stable (and builds around May/June). Again, not sure if it's related to this bug.
Project Member Comment 20 by clusterf...@chromium.org, Aug 23 2014
Labels: Cr-OS-Kernel-Power
Project Member Comment 21 by clusterf...@chromium.org, Aug 28 2014
Labels: Nag
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 22 by clusterf...@chromium.org, Sep 4 2014
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 23 by clusterf...@chromium.org, Sep 12 2014
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Cc: roc...@chromium.org
Owner: roc...@chromium.org
Having a hell of a time getting an instrumented Windows build.

Instrumentation keeps failing on chrome.dll.

I've built chrome with flags "fastbuild=0 target_arch=ia32 syzyasan=1 syzygy_optimize=1 chromium_win_pch=0".

Any advice?
Project Member Comment 28 by clusterf...@chromium.org, Sep 26 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Labels: -M-38 M-39
Punting to 39, if a fix becomes available, feel free to merge request back into 38.
Project Member Comment 30 by clusterf...@chromium.org, Oct 3 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 31 by clusterf...@chromium.org, Oct 11 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 32 by clusterf...@chromium.org, Oct 18 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Cc: -roc...@chromium.org timurrrr@chromium.org
Labels: -Cr-OS-Kernel-Power
rockot@, did you try the windows clang asan instructions on http://www.chromium.org/developers/testing/addresssanitizer
Project Member Comment 34 by clusterf...@chromium.org, Oct 24 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4958333705388032

Fuzzer: Meacer_extension_apis
Job Type: Windows_asan_chrome

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x1a5dc9c4
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  ValueStoreChange::~ValueStoreChange
  

Minimized Testcase (8.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97mrJbjVQZSLqg2JIbrDQ8CBe6PNFMYZtptzuMrbs6SoOYtAGq_QKAdtuNtuBQW9NIS8Cep_veE8kKIdr9buL9vBHJ5BY59-_bN3ugpCJ2LbNpN4n-TsrqlLx9439KSIZpFwAnNvARpZWuohhtpozRwHrwRbg

Filer: inferno
Yes, although I haven't tried again since about two weeks ago. I followed those instructions, along with lots of other suggestions along the way. I never managed to produce a single working asan build on Windows.

I plan to revisit this early next week.
I'm here to help you get a working ASan/Win build if you still have any problems.
Alright, I've got a working (branded, official) ASan build and I can't repro with any of these test cases. I'm not sure where to go from here.
Project Member Comment 38 by clusterf...@chromium.org, Oct 28 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5147401923854336

Fuzzer: Meacer_extension_apis
Job Type: Windows_asan_chrome

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x1892e244
Crash State:
  Release
  ~BindState
  ~DnsResponse
  

Minimized Testcase (8.71 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95cx5MAvATcPPrAzElfTy0hB7wxPWnbYqhl1fK64GPaHa1v2mju8PBodv4pO8VHPznyt-8xhZWq5RbpPEJNLKEr3-B0cUkvnfPXGPDOiRX6bq6EHeXbt7rTrfDYramjn2r8ZOGY8QK2j1YxNMhXSINoQwZjjg

Filer: inferno
try with the last testcase in c#38. try with the same command as in the report (so that the extension loads) and make sure to set the ASAN_OPTIONS env variable

--enable-logging --allow-file-access-from-files --use-gl=any --disable-gl-drawing-for-tests --no-sandbox --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-nacl --enable-search-provider-api-v2 --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --use-fake-device-for-media-stream --use-fake-ui-for-media-stream --user-data-dir=C:\clusterfuzz\slave-bot\inputs\user-profile-dirs\user_profile_0 --log-net-log=C:\tmp\net_log_0 --load-extension=C:\clusterfuzz\slave-bot\inputs\fuzzer-testcases\extension_78_1414417479 C:\clusterfuzz\slave-bot\inputs\fuzzer-testcases\extension_78_1414417479\fuzz-extension-run.html

[Environment] ASAN_OPTIONS = alloc_dealloc_mismatch=0:strict_memcmp=0:redzone=16:handle_segv=1:symbolize=false:check_malloc_usable_size=0:fast_unwind_on_fatal=1:allocator_may_return_null=1
Identical command line and ASAN_OPTIONS. I see lots of process churn and things stabilize after about 30 seconds of running.
I just realized that this may have been fixed since branch though (doh.) - I suppose I should be trying on 2171 rather than master.
Sigh. Building 2717:

<set up environment>
git checkout -b foo branch-heads/2171
gclient sync
ninja ...

Build dies on "'enableDecodeToYUV' is not a member of 'blink::WebRuntimeFeatures'"

Am I missing some important step for building from release branch?
I've tried reproing with all these test cases using ASan builds from:

master
tags/39.0.2171.44
tags/39.0.2171.42
tags/39.0.2171.36
tags/40.0.2204.1

All of these are "official" branded builds for Windows with asan enabled and the appropriate ASAN_OPTIONS environment. I cannot reproduce any of the crashes.

I've spent a considerable amount of time on this and so far it has produced nothing of value.
Sorry about that.

Mustafa, do you have any idea what is going wrong with PageCaptureSaveAsMHTMLFunction? See the free stack. Can you please help rockot@ with a fix.
I notice that there are different crash states for 3 out of 4 test cases here. What is it that correlates these with each other?
the free stack looks the same, with PageCaptureSaveAsMHTMLFunction, and all of them use extensions.
The only common thread seems to be that someone is mismanaging a ref count that may be related to all of these different APIs (looks like page capture, storage, and DNS)?
Ahh, OK. Thanks. I didn't know how to parse all that information. :)
Not sure what's going on, but I'm also going to try to repro this (currently building ToT with ASAN). #47 sounds about right though.
Labels: -ReleaseBlock-Stable ReleaseBlock-NA
changing to RB-NA per conversation with inferno@ - we won't block m39 stable as this isn't reproducible.
Project Member Comment 51 by clusterf...@chromium.org, Nov 7 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
inferno@ -- were you able to reproduce the crash locally?
Project Member Comment 53 by clusterf...@chromium.org, Nov 8 2014
Labels: -Security_Impact-Beta Security_Impact-Stable
Project Member Comment 54 by clusterf...@chromium.org, Nov 14 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 55 by clusterf...@chromium.org, Nov 21 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 56 by clusterf...@chromium.org, Nov 29 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 57 by clusterf...@chromium.org, Dec 6 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 58 by clusterf...@chromium.org, Dec 14 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 59 by clusterf...@chromium.org, Dec 18 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 41 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 60 by clusterf...@chromium.org, Dec 19 2014
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 41 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
inferno@ -- were you able to reproduce the crash locally?
Project Member Comment 62 by clusterf...@chromium.org, Jan 2 2015
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Labels: -M-39 M-40
No more M39 patches, moving to M40.
Project Member Comment 64 by clusterf...@chromium.org, Jan 12 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6103987739688960

Fuzzer: Meacer_extension_apis
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x613000448b88
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  base::PendingTask::~PendingTask
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=299471:299489

Minimized Testcase (7.54 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95p3QLnGjCoty22IoXzPrBjgawJDoYLB-i2wP8V_H6AiGe5gvY9Urj4SDofpFnemi-hz_oXjG6WlpVV48kjxxJYe51G3ZPmWmm083Noya0GyQMCsB-tJs6sPfTbFiPNbHg-CgP_nyI4ryxf0JGs1iXUM8BxFw

Filer: inferno
Project Member Comment 65 by clusterf...@chromium.org, Jan 17 2015
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 28 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 66 by clusterf...@chromium.org, Feb 2 2015
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 45 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Cc: timwillis@chromium.org
timurrrr / meacer / inferno: Have any of you been able to repro this locally? If we can't do so, I'd rather mark this as WontFix and reopen if we need to.
I don't remember ever being able to repro the exact issue, but on one occasion I hit a crash with something similar. I'm OK with closing it.
Status: WontFix
Project Member Comment 70 by clusterf...@chromium.org, Mar 14 2015
ClusterFuzz has detected this issue as fixed in range 319056:319080.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6103987739688960

Fuzzer: Meacer_extension_apis
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x613000448b88
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  base::PendingTask::~PendingTask
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=299471:299489
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=319056:319080

Minimized Testcase (7.54 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95p3QLnGjCoty22IoXzPrBjgawJDoYLB-i2wP8V_H6AiGe5gvY9Urj4SDofpFnemi-hz_oXjG6WlpVV48kjxxJYe51G3ZPmWmm083Noya0GyQMCsB-tJs6sPfTbFiPNbHg-CgP_nyI4ryxf0JGs1iXUM8BxFw

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member Comment 71 by clusterf...@chromium.org, May 21 2015
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
Status: Assigned
Project Member Comment 73 by clusterf...@chromium.org, Dec 26 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4865708741099520

Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x613000492e08
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  base::internal::CallbackBase::~CallbackBase
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=323926:323973

Minimized Testcase (9.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95WTLaeS8mabXBNZMIukUnlP99J9OTbWwKqUH5J4Rr2pbKDyPXfJddf9EcZyJGUdMP6E9po_RrkUMCS7jllVPDKUSBZBDvuVwAMb10Aa7cPSvU77WM7ZCKqK4Kh8rexCUHg2AhIY8XYpPw9Ido_nle4z5b0Sw

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member Comment 74 by clusterf...@chromium.org, Dec 27 2015
Labels: -M-40 M-47
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 317 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Labels: Cr-Platform-Extensions
Project Member Comment 76 by clusterf...@chromium.org, Dec 30 2015
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4865708741099520

Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x613000492e08
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  base::internal::CallbackBase::~CallbackBase
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=323926:323973

Minimized Testcase (9.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95WTLaeS8mabXBNZMIukUnlP99J9OTbWwKqUH5J4Rr2pbKDyPXfJddf9EcZyJGUdMP6E9po_RrkUMCS7jllVPDKUSBZBDvuVwAMb10Aa7cPSvU77WM7ZCKqK4Kh8rexCUHg2AhIY8XYpPw9Ido_nle4z5b0Sw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 77 by clusterf...@chromium.org, Jan 10 2016
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 332 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 78 by clusterf...@chromium.org, Jan 15 2016
Labels: -M-47 M-48
Project Member Comment 79 by clusterf...@chromium.org, Jan 24 2016
rockot@: Uh oh! This issue is still open and hasn't been updated in the last 346 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Cc: roc...@chromium.org
Labels: Restrict-View-SecurityTeam
Owner: meacer@chromium.org
ClusterFuzz is still able to reproduce the issue (https://cluster-fuzz.appspot.com/testcase?key=4865708741099520).

meacer, do you mind looking at this once again?
Project Member Comment 81 by clusterf...@chromium.org, Feb 8 2016
meacer@: Uh oh! This issue is still open and hasn't been updated in the last 361 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
I've been unable to repro this with the clusterfuzz testcases. Will try a bit more.
OK, here's what seems to be happening based on analysing the stacks and source code. Sorry for the long post. The tl;dr is that there is a race when a failure occurs in the PageCaptureSaveAsMHTMLFunction extension function (pageCapture.saveAsMHTML).

pageCapture.saveAsMHTML is implemented in chrome/browser/extensions/api/page_capture/page_capture_api.cc as PageCaptureSaveAsMHTMLFunction.

After the API call completes and the callback is called, SendResponseAck(request.id) is called (src/chrome/renderer/resources/extensions/page_capture_custom_bindings.js).

This results in an ExtensionHostMsg_ResponseAck IPC message being sent to the browser after each API call. It will eventually be forwarded to PageCaptureSaveAsMHTMLFunction::OnMessageReceived(), as long as its RenderFrameHostTracker (|tracker_|) is registered as an observer on the RenderFrameHost.

There are a few different ways the use-after-free can occur, but suppose we have the following background extension script:

    chrome.pageCapture.saveAsMHTML({"tabId": 1337}, function(results) {});

When this function’s RunAsync() is called, a single AddRef() is called to add an additional reference to the function. This is “balanced” with a Release() in ReturnFailure(), and in OnMessageReceived(). The problem is that it’s possible for both Release()s to be called.

The sequence of calls (PostTasks) looks like this: (UI) RunSync -> (FILE) CreateTemporaryFile -> (IO) TemporaryFileCreated -> (UI) TemporaryFileCreated -> ...

Assuming 1337 is not a valid tab ID, we eventually call ReturnFailure() in TemporaryFileCreated() on the UI thread, which does a Release(), removing a reference. If this is the only reference, then since we’re on the UI thread, the PageCaptureSaveAsMHTMLFunction is deleted immediately, and its |tracker_| is removed from the extension process’ RenderFrameHost’s observers, preventing PageCaptureSaveAsMHTMLFunction::OnMessageReceived() from being called (and thus the second Release()).

However, it’s possible that this won’t be the case. If, for example, CreateTemporaryFile() on the FILE thread happens to have not yet returned at the point when ReturnFailure() is called, there will be an extra reference from the base::Bind() in RunAsync(), and the Release() won’t cause |this| to be deleted.

In this case, PageCaptureSaveAsMHTMLFunction::OnMessageReceived() can still be called, leading to an extra Release() and the deletion of |this|. When CreateTemporaryFile() then returns, the implicit Release() from the completion of the posted task will lead to the UaF.

I’ve attached an extension repro, and a patch to introduce an artificial stall in the FILE thread before CreateTemporaryFile() returns to help reproduce it.
Attachments: patch_capture_sleep.patch (685 bytes), repro.tgz (701 bytes)
For a fix, perhaps the Release() should just be removed from ReturnFailure()? The deletion will be deferred until the ResponseAck is received in OnMessageReceived, as for the success case.
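The reference-count race described in the comment above, as an added example that is not Chromium's code: a deterministic model of the AddRef()/Release() pairing for PageCaptureSaveAsMHTMLFunction, with the two Release() paths (ReturnFailure() and OnMessageReceived()) and the references held by the posted tasks. The object is never actually freed; reaching zero is recorded in an Audit struct that outlives it, so a later Release() is counted as a use-after-free instead of being executed as one. ModelFunction, Audit, Simulate and the per-step method names are invented for the model; the "fixed" variant follows the suggestion above (drop the Release() in ReturnFailure()), not necessarily the landed patch.

```cpp
#include <iostream>

// Added example (not Chromium code): a deterministic model of the AddRef()/
// Release() accounting described for PageCaptureSaveAsMHTMLFunction. Nothing
// here is really freed; when the count reaches zero the object is marked
// deleted in an Audit record that outlives it, so a later Release() is counted
// as a use-after-free instead of being executed as one. ModelFunction, Audit
// and Simulate are invented names.
struct Audit {
  int deletions = 0;               // times the refcount dropped to zero
  int releases_after_free = 0;     // Release() calls after that point
  bool tracker_registered = false; // models |tracker_| observing the RenderFrameHost
};

class ModelFunction {
 public:
  // release_in_failure == true models the code before the fix (ReturnFailure()
  // calls Release()); false models ReturnFailure() without that Release().
  ModelFunction(Audit* audit, bool release_in_failure)
      : audit_(audit), release_in_failure_(release_in_failure) {}

  void AddRef() { ++refs_; }

  void Release() {
    if (deleted_) {  // the real object would already be gone here
      ++audit_->releases_after_free;
      return;
    }
    if (--refs_ == 0) {
      deleted_ = true;
      ++audit_->deletions;
      audit_->tracker_registered = false;  // destruction unregisters |tracker_|
    }
  }

  // (UI) RunAsync(): the explicit AddRef(), plus the reference that base::Bind()
  // keeps alive for the posted CreateTemporaryFile() task.
  void RunAsync() {
    AddRef();
    audit_->tracker_registered = true;
    AddRef();
  }

  // (FILE) CreateTemporaryFile(): posts TemporaryFileCreated() to the UI thread,
  // which binds another reference.
  void CreateTemporaryFile() { AddRef(); }

  // The FILE-thread task returning drops the reference bound in RunAsync().
  void CreateTemporaryFileTaskDone() { Release(); }

  // (UI) TemporaryFileCreated() with an invalid tab id takes the ReturnFailure()
  // path; the task's own bound reference is dropped when it returns.
  void TemporaryFileCreatedFailure() {
    if (release_in_failure_) Release();
  }
  void TemporaryFileCreatedTaskDone() { Release(); }

  // (UI) ExtensionHostMsg_ResponseAck reaches OnMessageReceived() only while
  // |tracker_| is still registered, and it Release()s once.
  void DeliverResponseAck() {
    if (audit_->tracker_registered) Release();
  }

 private:
  Audit* audit_;
  bool release_in_failure_;
  int refs_ = 0;
  bool deleted_ = false;
};

// Drives the failure path under one interleaving. With file_task_stalls the
// FILE-thread task has not returned when the UI thread handles the failure,
// which is the window the analysis above describes.
Audit Simulate(bool release_in_failure, bool file_task_stalls) {
  Audit audit;
  ModelFunction fn(&audit, release_in_failure);
  fn.RunAsync();                                            // UI
  fn.CreateTemporaryFile();                                 // FILE
  if (!file_task_stalls) fn.CreateTemporaryFileTaskDone();  // FILE task returns early
  fn.TemporaryFileCreatedFailure();                         // UI: ReturnFailure()
  fn.TemporaryFileCreatedTaskDone();                        // UI task returns
  fn.DeliverResponseAck();                                  // UI: OnMessageReceived()
  if (file_task_stalls) fn.CreateTemporaryFileTaskDone();   // FILE task returns late
  return audit;
}

int main() {
  const char* variant[] = {"fixed", "buggy"};
  const char* timing[] = {"file task returns first", "file task stalls"};
  for (int buggy = 0; buggy < 2; ++buggy) {
    for (int stall = 0; stall < 2; ++stall) {
      Audit a = Simulate(buggy == 1, stall == 1);
      std::cout << variant[buggy] << ", " << timing[stall]
                << ": deletions=" << a.deletions
                << " releases_after_free=" << a.releases_after_free << '\n';
    }
  }
  return 0;
}
```

Only the combination "buggy, file task stalls" reports a Release() after deletion: the ReturnFailure() Release() does not reach zero because the FILE task still holds its bound reference, the ResponseAck then deletes the object, and the FILE task's completion Release()s a dead object. With the extra Release() removed, every interleaving deletes exactly once, in the failure case when the ack arrives or when the last bound reference is dropped, whichever comes last.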
Project Member Comment 85 by clusterf...@chromium.org, Feb 28 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4865708741099520

Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x613000492e08
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::BindState<base::internal::RunnableAdapter<void
  base::internal::CallbackBase::~CallbackBase
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=334850:334949

Minimized Testcase (9.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95WTLaeS8mabXBNZMIukUnlP99J9OTbWwKqUH5J4Rr2pbKDyPXfJddf9EcZyJGUdMP6E9po_RrkUMCS7jllVPDKUSBZBDvuVwAMb10Aa7cPSvU77WM7ZCKqK4Kh8rexCUHg2AhIY8XYpPw9Ido_nle4z5b0Sw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 86 by clusterf...@chromium.org, Mar 3 2016
Labels: -M-48 M-49
Labels: -M-49 M-51
meacer@, any plan to get it fixed in M51 (or even M50)?
Adding the "M-51" label for now, please feel free to change.
Cc: jialiul@chromium.org
Labels: -M-51 M-49
Since this is a high severity security bug, we'd like to keep the milestone at M-49 and likely merge to both the beta and stable branches.
Argh, another bug from which I missed recent updates.

@oliver, huge thanks for comment #83. The Release()s in PageCaptureSaveAsMHTMLFunction looked suspicious but I couldn't figure out what was going on. I'll make sure this is taken care of.
Project Member Comment 90 by bugdroid1@chromium.org, Mar 4 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/587ba472dfefe862855487c4e6faee859b686160

commit 587ba472dfefe862855487c4e6faee859b686160
Author: meacer <meacer@chromium.org>
Date: Fri Mar 04 21:24:07 2016

Remove extra Release in pageCapture extension function implementation.

BUG= 401364 

Review URL: https://codereview.chromium.org/1761303003

Cr-Commit-Position: refs/heads/master@{#379361}

[modify] https://crrev.com/587ba472dfefe862855487c4e6faee859b686160/chrome/browser/extensions/api/page_capture/page_capture_api.cc

Status: Fixed
Thanks for fixing this ~1.5-year-old bug!
Labels: -Restrict-View-SecurityTeam Merge-Request-49 Restrict-View-SecurityNotify
Comment 94 by tin...@google.com, Mar 7 2016
Labels: -Merge-Request-49 Merge-Review-49 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M49, manual review required.
Labels: -Merge-Review-49 Merge-Approved-49
Merge approved for M49 (branch 2623)
Labels: -ReleaseBlock-NA
Note that this won't ship with the M49 scheduled for today, but when landed, will ship with a future M49 patch release.
Project Member Comment 97 by bugdroid1@chromium.org, Mar 8 2016
Labels: -merge-approved-49 merge-merged-2623
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/086206ef10bc3cef44adb9be6ed9c84d2783f3e8

commit 086206ef10bc3cef44adb9be6ed9c84d2783f3e8
Author: Mustafa Emre Acer - Google <meacer@google.com>
Date: Tue Mar 08 18:33:32 2016

[Merge to 2623] Remove extra Release in pageCapture extension function implementation.

BUG= 401364 

Review URL: https://codereview.chromium.org/1761303003

Cr-Commit-Position: refs/heads/master@{#379361}
(cherry picked from commit 587ba472dfefe862855487c4e6faee859b686160)

Review URL: https://codereview.chromium.org/1776003003 .

Cr-Commit-Position: refs/branch-heads/2623@{#601}
Cr-Branched-From: 92d77538a86529ca35f9220bd3cd512cbea1f086-refs/heads/master@{#369907}

[modify] https://crrev.com/086206ef10bc3cef44adb9be6ed9c84d2783f3e8/chrome/browser/extensions/api/page_capture/page_capture_api.cc

Labels: Merge-Request-50
Tim: Ack.

Requesting merge for M-50 too.
Project Member Comment 99 by bugdroid1@chromium.org, Mar 8 2016
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/086206ef10bc3cef44adb9be6ed9c84d2783f3e8

commit 086206ef10bc3cef44adb9be6ed9c84d2783f3e8
Author: Mustafa Emre Acer - Google <meacer@google.com>
Date: Tue Mar 08 18:33:32 2016

Labels: -Merge-Request-50 Merge-Approved-50 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M50 (branch: 2661)

Please try to merge your change to M50 branch 2661 ASAP if you think it is a safe merge as we're very close to M50 Beta candidate cut. Thank you.
Project Member Comment 102 by bugdroid1@chromium.org, Mar 10 2016
Labels: -merge-approved-50 merge-merged-2661
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c16a861540875fffcf40fbda5de1a88ac0bbdd1a

commit c16a861540875fffcf40fbda5de1a88ac0bbdd1a
Author: Mustafa Emre Acer - Google <meacer@google.com>
Date: Thu Mar 10 00:07:11 2016

[Merge to 2661] Remove extra Release in pageCapture extension function implementation.

BUG= 401364 

Review URL: https://codereview.chromium.org/1761303003

Cr-Commit-Position: refs/heads/master@{#379361}
(cherry picked from commit 587ba472dfefe862855487c4e6faee859b686160)

Review URL: https://codereview.chromium.org/1780813002 .

Cr-Commit-Position: refs/branch-heads/2661@{#159}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/c16a861540875fffcf40fbda5de1a88ac0bbdd1a/chrome/browser/extensions/api/page_capture/page_capture_api.cc

Labels: Release-2-M49
Project Member Comment 104 by sheriffbot@chromium.org, Jun 11 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 105 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 106 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic