Status: Fixed
Closed: Oct 2014
OS: All
Pri: 1
Type: Bug-Security

Security: Use-after-free in blink::PageAnimator::serviceScriptedAnimations
Project Member Reported by tkent@chromium.org, Oct 8 2014
VULNERABILITY DETAILS
Use-after-free of blink::PageAnimator object in blink::PageAnimator::serviceScriptedAnimations().

VERSION
Chrome Version: ToT as of 2014-10-08
Operating System: OSX 10.9, probably affects all

REPRODUCTION CASE

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: a renderer
Crash State: See the following.
Client ID (if relevant): 


Found by an updated layout test.

https://storage.googleapis.com/chromium-layout-test-archives/linux_blink_dbg/28175/layout-test-results/fast/forms/suggestion-picker/date-suggestion-picker-key-operations-crash-log.txt

With ASan:

==36282==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150002984c1 at pc 0x00010d359ebb bp 0x000126b070d0 sp 0x000126b070c8
WRITE of size 1 at 0x6150002984c1 thread T21
    #0 0x10d359eba in blink::PageAnimator::serviceScriptedAnimations TemporaryChange.h:55
    #1 0x10bafefee in blink::PageWidgetDelegate::animate PageWidgetDelegate.cpp:57
    #2 0x107a6be02 in content::WebTestProxyBase::AnimateNow WebWidget.h:98
    #3 0x107d617fb in base::debug::TaskAnnotator::RunTask callback.h:401
    #4 0x107de7166 in base::MessageLoop::RunTask message_loop.cc:446
    #5 0x107de8766 in base::MessageLoop::DoDelayedWork message_loop.cc:456

0x6150002984c1 is located 65 bytes inside of 296-byte region [0x615000298480,0x6150002985a8)
freed by thread T21 here:
    #0 0x106c9d608 in 0x0002c608 (in libclang_rt.asan_osx_dynamic.dylib) + 152
    #1 0x10bbc5f7b in blink::WebPagePopupImpl::closePopup OwnPtrCommon.h:52
    #2 0x10bc269f0 in non-virtual thunk to blink::WebViewImpl::closePagePopup WebViewImpl.cpp:1593
    #3 0x10e4e7e41 in blink::PagePopupControllerV8Internal::closePopupMethodCallback V8PagePopupController.cpp:81
    #4 0x10adc7c74 in v8::internal::FunctionCallbackArguments::Call) arguments.cc:33
    #5 0x10ae42767 in v8::internal::Builtin_HandleApiCall builtins.cc:1145
    #6 0x1303063ad (<unknown module>)
    #7 0x1303c2ba8 (<unknown module>)
    #8 0x13035cfbf (<unknown module>)
    #9 0x13032f810 (<unknown module>)
    #6 0x10b0ad82d in v8::internal::Invoke execution.cc:91
    #7 0x10b7a7851 in v8::internal::Runtime_Apply runtime-function.cc:559
    #12 0x1303063ad (<unknown module>)
    #13 0x13038fd1c (<unknown module>)
    #14 0x1303062b4 (<unknown module>)
    #15 0x13035cfbb (<unknown module>)
    #16 0x13032f810 (<unknown module>)
    #8 0x10b0ad82d in v8::internal::Invoke execution.cc:91
    #9 0x10ad8acda in v8::Function::Call api.cc:4119
    #10 0x10def0f14 in blink::V8ScriptRunner::callFunction V8ScriptRunner.cpp:224
    #11 0x10de49729 in blink::ScriptController::callFunction ScriptController.cpp:170
    #12 0x10de48e2f in blink::ScriptController::callFunction ScriptController.cpp:153
    #13 0x10dec454f in blink::V8EventListener::callListenerFunction V8EventListener.cpp:88
    #14 0x10deb0296 in blink::V8AbstractEventListener::invokeEventHandler V8AbstractEventListener.cpp:128
    #15 0x10deafca2 in blink::V8AbstractEventListener::handleEvent V8AbstractEventListener.cpp:98
    #16 0x10bf281c5 in blink::EventTarget::fireEventListeners EventTarget.cpp:351
    #17 0x10bf26ec6 in blink::EventTarget::fireEventListeners EventTarget.cpp:287
    #18 0x10bf3fc27 in blink::NodeEventContext::handleLocalEvents const NodeEventContext.cpp:67
    #19 0x10bf11f15 in blink::EventDispatcher::dispatch EventDispatcher.cpp:187
    #20 0x10bf0dd29 in blink::EventDispatcher::dispatchEvent EventDispatcher.cpp:50
    #21 0x10bdf12c5 in blink::Node::dispatchEvent Node.cpp:2070
    #22 0x10bf26397 in blink::EventTarget::dispatchEvent EventTarget.cpp:189
    #23 0x10d31a3c2 in blink::EventHandler::keyEvent EventHandler.cpp:3046
    #24 0x10bbc5a94 in blink::WebPagePopupImpl::handleKeyEvent WebPagePopupImpl.cpp:398
    #25 0x10bc1f425 in blink::WebViewImpl::handleKeyEvent WebViewImpl.cpp:983
    #26 0x10baffb02 in blink::PageWidgetDelegate::handleInputEvent PageWidgetDelegate.cpp:125
    #27 0x10bc30fe9 in blink::WebViewImpl::handleInputEvent WebViewImpl.cpp:2091
    #28 0x1079b5c9a in content::EventSender::KeyDown event_sender.cc:1349
    #29 0x1079a97cc in content::EventSenderBindings::KeyDown event_sender.cc:929
    #30 0x1079ca844 in gin::internal::Dispatcher<void >::DispatchToCallback callback.h:483
    #31 0x10adc7c74 in v8::internal::FunctionCallbackArguments::Call) arguments.cc:33
    #32 0x10ae42767 in v8::internal::Builtin_HandleApiCall builtins.cc:1145
    #42 0x1303063ad (<unknown module>)
    #43 0x130436b00 (<unknown module>)
    #44 0x1303062b4 (<unknown module>)
    #45 0x13035cfbb (<unknown module>)
    #46 0x13032f810 (<unknown module>)
    #33 0x10b0ad82d in v8::internal::Invoke execution.cc:91
    #34 0x10ad8acda in v8::Function::Call api.cc:4119
    #35 0x10def0f14 in blink::V8ScriptRunner::callFunction V8ScriptRunner.cpp:224
    #36 0x10de49729 in blink::ScriptController::callFunction ScriptController.cpp:170
    #37 0x10de48e2f in blink::ScriptController::callFunction ScriptController.cpp:153
    #38 0x10dec454f in blink::V8EventListener::callListenerFunction V8EventListener.cpp:88
    #39 0x10deb0296 in blink::V8AbstractEventListener::invokeEventHandler V8AbstractEventListener.cpp:128
    #40 0x10deafca2 in blink::V8AbstractEventListener::handleEvent V8AbstractEventListener.cpp:98
    #41 0x10bf281c5 in blink::EventTarget::fireEventListeners EventTarget.cpp:351
    #42 0x10bf26ec6 in blink::EventTarget::fireEventListeners EventTarget.cpp:287
    #43 0x10bf268e8 in blink::EventTarget::dispatchEvent EventTarget.cpp:197
    #44 0x10bf26397 in blink::EventTarget::dispatchEvent EventTarget.cpp:189
    #45 0x10e6091bd in blink::EventTargetV8Internal::dispatchEventMethodCallback V8EventTarget.cpp:145
    #46 0x10adc7c74 in v8::internal::FunctionCallbackArguments::Call) arguments.cc:33
    #47 0x10ae42767 in v8::internal::Builtin_HandleApiCall builtins.cc:1145
    #62 0x1303063ad (<unknown module>)
    #63 0x1303b4e31 (<unknown module>)
    #64 0x1303062b4 (<unknown module>)
    #65 0x13035cfbb (<unknown module>)
    #66 0x13032f810 (<unknown module>)
    #48 0x10b0ad82d in v8::internal::Invoke execution.cc:91
    #49 0x10ad8acda in v8::Function::Call api.cc:4119
    #50 0x10def0f14 in blink::V8ScriptRunner::callFunction V8ScriptRunner.cpp:224
    #51 0x10de49729 in blink::ScriptController::callFunction ScriptController.cpp:170
    #52 0x10de48e2f in blink::ScriptController::callFunction ScriptController.cpp:153
    #53 0x10dec454f in blink::V8EventListener::callListenerFunction V8EventListener.cpp:88
    #54 0x10deb0296 in blink::V8AbstractEventListener::invokeEventHandler V8AbstractEventListener.cpp:128
    #55 0x10deafca2 in blink::V8AbstractEventListener::handleEvent V8AbstractEventListener.cpp:98
    #56 0x10bf281c5 in blink::EventTarget::fireEventListeners EventTarget.cpp:351
    #57 0x10bf26ec6 in blink::EventTarget::fireEventListeners EventTarget.cpp:287
    #58 0x10cf30568 in blink::LocalDOMWindow::dispatchEvent LocalDOMWindow.cpp:1592
    #59 0x10be74cf8 in blink::ScriptedAnimationController::dispatchEvents ScriptedAnimationController.cpp:137
    #60 0x10be76a07 in blink::ScriptedAnimationController::serviceScriptedAnimations ScriptedAnimationController.cpp:199
    #61 0x10d359c23 in blink::PageAnimator::serviceScriptedAnimations PageAnimator.cpp:55
    #62 0x10bafefee in blink::PageWidgetDelegate::animate PageWidgetDelegate.cpp:57
    #63 0x107a6be02 in content::WebTestProxyBase::AnimateNow WebWidget.h:98
    #64 0x107d617fb in base::debug::TaskAnnotator::RunTask callback.h:401


PageAnimator::serviceScriptedAnimations dispatches an event, but PageAnimator doesn't protect |this|.

 
Comment 1 by tkent@chromium.org, Oct 8 2014
Cc: weiliangc@chromium.org
I couldn't make a reproduction without PagePopup.  This might happen only with calendar picker and suggestion picker.

Comment 2 by tkent@chromium.org, Oct 8 2014
Owner: tkent@chromium.org
Status: Started
Project Member Comment 3 by ClusterFuzz, Oct 9 2014
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5766754310553600
Labels: Security_Severity-High
Project Member Comment 5 by ClusterFuzz, Oct 10 2014
Labels: Missing_Impact-1
Labels: -Missing_Impact-1 Security_Impact-Stable
Based on a guess from the proposed patch and blame, it looks like this impacts stable.

tkent: Could you confirm this?
Project Member Comment 7 by ClusterFuzz, Oct 14 2014
Labels: M-38
Status: Fixed
Comment 10 by tkent@chromium.org, Oct 15 2014
I think this is a regression by https://src.chromium.org/viewvc/blink?revision=167607&view=revision .  So, this affects M38 stable.

Project Member Comment 11 by ClusterFuzz, Oct 15 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-39 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Comment 12 by tkent@chromium.org, Oct 17 2014
Labels: -M-38 -Merge-Triage Merge-Requested
Comment 13 by amin...@google.com, Oct 20 2014
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171
Project Member Comment 14 by bugdroid1@chromium.org, Oct 21 2014
Labels: -Merge-Approved merge-merged-2171
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=184024

------------------------------------------------------------------
r184024 | tkent@chromium.org | 2014-10-21T00:14:44.040633Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/2171/Source/core/page/Page.cpp?r1=184024&r2=184023&pathrev=184024
   M http://src.chromium.org/viewvc/blink/branches/chromium/2171/Source/core/page/PageAnimator.h?r1=184024&r2=184023&pathrev=184024
   M http://src.chromium.org/viewvc/blink/branches/chromium/2171/LayoutTests/TestExpectations?r1=184024&r2=184023&pathrev=184024
   M http://src.chromium.org/viewvc/blink/branches/chromium/2171/Source/core/page/Page.h?r1=184024&r2=184023&pathrev=184024
   M http://src.chromium.org/viewvc/blink/branches/chromium/2171/Source/core/page/PageAnimator.cpp?r1=184024&r2=184023&pathrev=184024

Merge 183710 "Fix a crash in PageAnimator::serviceScriptedAnimat..."

> Fix a crash in PageAnimator::serviceScriptedAnimations.
> 
> If we switch openPicker() in date-suggestion-picker-key-operations.html, it
> crashes in PageAnimator::serviceScriptedAnimations because Page is deleted in an
> event handler. We need to protect the PageAnimator.
> 
> BUG= 409503 , 421321 
> 
> Review URL: https://codereview.chromium.org/637243002

TBR=tkent@chromium.org

Review URL: https://codereview.chromium.org/666073002
-----------------------------------------------------------------
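The reporter's analysis in the original report ("PageAnimator::serviceScriptedAnimations dispatches an event, but PageAnimator doesn't protect |this|") and the merged commit message above ("Page is deleted in an event handler. We need to protect the PageAnimator.") describe the same re-entrancy use-after-free from two sides. The C++ below is an added example modelling that shape; it is not Blink code and not from the CL. The class and member names (PageAnimator, Page, TemporaryChange, closePopup, m_servicingAnimations) are borrowed from the report and the ASan trace; the liveness registry, runPopupScenario, and the std::shared_ptr-based protector are assumptions standing in for ASan's heap bookkeeping and for Blink's RefPtr protector idiom.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <vector>

// Sanitizer-like bookkeeping (assumption, not ASan): address ranges of live objects.
struct LiveRange { std::uintptr_t begin, end; };
static std::vector<LiveRange>& liveRanges() { static std::vector<LiveRange> v; return v; }
static void registerLive(const void* p, std::size_t size) {
    auto a = reinterpret_cast<std::uintptr_t>(p);
    liveRanges().push_back({a, a + size});
}
static void unregisterLive(const void* p) {
    auto a = reinterpret_cast<std::uintptr_t>(p);
    auto& v = liveRanges();
    v.erase(std::remove_if(v.begin(), v.end(), [a](const LiveRange& r) { return r.begin == a; }), v.end());
}
static bool isLive(const void* p) {
    auto a = reinterpret_cast<std::uintptr_t>(p);
    for (const LiveRange& r : liveRanges())
        if (a >= r.begin && a < r.end) return true;
    return false;
}
static int g_writesToFreedMemory = 0;

// Stand-in for WTF::TemporaryChange: sets a member for the scope and restores it
// on exit. That restore is the "WRITE of size 1" ASan reported once the owning
// object had been freed; this model counts the bad write instead of doing it.
template <typename T>
class TemporaryChange {
public:
    TemporaryChange(T& scoped, T newValue) : m_scoped(scoped), m_oldValue(scoped) { m_scoped = newValue; }
    ~TemporaryChange() {
        if (!isLive(&m_scoped)) { ++g_writesToFreedMemory; return; }
        m_scoped = m_oldValue;
    }
private:
    T& m_scoped;
    T m_oldValue;
};

class PageAnimator;

// The popup's Page owns its animator and the script handler that
// serviceScriptedAnimations ends up running via ScriptedAnimationController.
struct Page {
    std::shared_ptr<PageAnimator> animator;
    std::function<void()> eventHandler;
};

// Stand-in for WebPagePopupImpl: closePopup() deletes the Page, and with it the
// PageAnimator, even while that animator is still on the call stack.
struct Popup {
    std::unique_ptr<Page> page;
    void closePopup() { page.reset(); }
};

class PageAnimator : public std::enable_shared_from_this<PageAnimator> {
public:
    explicit PageAnimator(Page& page) : m_page(page) { registerLive(this, sizeof(*this)); }
    ~PageAnimator() { unregisterLive(this); }

    // Pre-fix shape: nothing keeps |this| alive across the script callback.
    void serviceScriptedAnimationsUnprotected() {
        TemporaryChange<bool> servicing(m_servicingAnimations, true);
        std::function<void()> handler = m_page.eventHandler; // copy: Page may go away
        handler(); // script calls pagePopupController.closePopup() in here
    } // ~TemporaryChange now writes m_servicingAnimations into freed memory

    // Fixed shape: a strong reference held for the duration of the call. Page
    // deletion drops the count to one, not zero; |protector| is declared first,
    // so it is destroyed last, after |servicing| has restored the flag.
    void serviceScriptedAnimationsProtected() {
        std::shared_ptr<PageAnimator> protector = shared_from_this();
        TemporaryChange<bool> servicing(m_servicingAnimations, true);
        std::function<void()> handler = m_page.eventHandler;
        handler();
    }

private:
    Page& m_page;
    bool m_servicingAnimations = false;
};

// Constructed scenario from the report: the key-event handler in the popup closes
// the popup while the animator is servicing. Returns how many writes into freed
// memory the model caught.
static int runPopupScenario(bool withProtector) {
    g_writesToFreedMemory = 0;
    Popup popup;
    popup.page = std::make_unique<Page>();
    popup.page->animator = std::make_shared<PageAnimator>(*popup.page);
    popup.page->eventHandler = [&popup] { popup.closePopup(); };
    // PageWidgetDelegate::animate reaches the animator through the Page by reference.
    PageAnimator& animator = *popup.page->animator;
    if (withProtector) animator.serviceScriptedAnimationsProtected();
    else animator.serviceScriptedAnimationsUnprotected();
    return g_writesToFreedMemory;
}

int main() {
    assert(runPopupScenario(false) == 1); // pre-fix: one write into freed memory
    assert(runPopupScenario(true) == 0);  // with the protector: none
    return 0;
}
```

The unprotected variant reproduces the ordering in the trace: the handler runs closePopup, the Page and its animator are freed, and only after the callback returns does the TemporaryChange destructor touch the flag. Holding a strong reference for the scope of the call is exactly what the merged fix does; the general rule for any object that runs script from a member function is to keep |this| alive, or re-validate it, across that call, because script can tear down whatever owns the object.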
Comment 15 by tkent@chromium.org, Oct 22 2014
Labels: -M-39 M-38 Merge-Requested
Merge-Requested for Stable channel.

Missed the cut for our final 38 stable.  Punting to 39, but will leave the 38 label on in case something changes.
Labels: -Merge-Requested Merge-Approved
Approved for 38.
Cc: amineer@chromium.org
Dev/Bug owner, please merge to M-39 branch 2171 asap. We need all these security fixes to go into the first stable.
Labels: -Merge-Approved Release-0-M39
No more m38s.
Project Member Comment 20 by ClusterFuzz, Jan 21 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic