Status: Fixed
Closed: Nov 2014
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in base::SupportsUserData::GetUserData
Project Member Reported by clusterf...@chromium.org, Oct 30 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5817579653300224

Fuzzer: Cdiehl_peach
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61b00015f5a0
Crash State:
  base::SupportsUserData::GetUserData
  ZoomBubbleView::Refresh
  ZoomBubbleView::ShowBubble
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95M0IDCeVOpcaUz5RPKwKF11F-wBuKlQH8DSH5qxsNgrL7rUKSPpvCXFSxT_2j1fS4JEpJtjgo884ZTDycigJpafTQTCTBNWNeCDwQp454nFJOiit5Q62Dh_RikojXK3ppyngHCktL9DAcVB44-8vi9PhaV6Q


Additional requirements: Requires Gestures

Filer: inferno
 
Cc: nordi...@gmail.com
Labels: -Security_Severity-Medium Security_Severity-High
Owner: wjmaclean@chromium.org
Status: Assigned
Project Member Comment 2 by clusterf...@chromium.org, Oct 30 2014
Labels: Pri-1
Issue 412783 has been merged into this issue.
Comment 4 by wfh@chromium.org, Nov 3 2014
Cc: mukai@chromium.org
This appears to be a lifetime issue for a WebContentsView that's closed when trying to zoom. There are zoom gestures in the test case.

could be 63d1f9b9a1fb0e67739fdfe59d4aa5a978bf95ac
Project Member Comment 5 by clusterf...@chromium.org, Nov 5 2014
Labels: Missing_Impact-2
Project Member Comment 6 by clusterf...@chromium.org, Nov 6 2014
Labels: Nag
wjmaclean@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 7 by clusterf...@chromium.org, Nov 9 2014
Labels: -Missing_Impact-2 Missing_Impact-5
Comment 8 by meacer@chromium.org, Nov 10 2014
wjmaclean: Ping? This is a high severity security bug, can you please take a look asap?
Yes, looking at it now ...
Status: Started
Thanks for the quick fix.
Comment 12 by mal@google.com, Nov 11 2014
Cc: sky@chromium.org
So I built ToT asan-chrome and ran it with the ClusterFuzz-on-demand local repro script, and after 1000 iterations on my workstation it has failed to reproduce.

That being said, studying the stacktrace has revealed a mechanism that explains the ASAN stack trace, namely that ZoomBubbleView (which is a singleton accessed via the static ShowBubble() function) can hold onto a stale WebContents*. Even if we cannot reproduce the test result, I think we should fix the pathway regardless.
Labels: -Missing_Impact-5 Security_Impact-Stable
Speculatively setting stable impact.
Project Member Comment 15 by clusterf...@chromium.org, Nov 11 2014
Labels: M-39
Project Member Comment 16 by bugdroid1@chromium.org, Nov 13 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d1b6f4d89d002808689a156b739f8d7fd80104fb

commit d1b6f4d89d002808689a156b739f8d7fd80104fb
Author: wjmaclean <wjmaclean@chromium.org>
Date: Thu Nov 13 00:56:09 2014

Reset singleton ZoomBubbleView::zoom_bubble_ in ::Close()

The current implementation of ZoomBubbleView is capable of attempting to re-use a zoom bubble with a stale WebContents*.

This CL resets ZoomBubbleView::zoom_bubble_ in the ZoomBubbleView::Close() method to avoid inadvertent reuse. It also adds a DCHECK to make sure WebContents* are never mis-matched in calls to ZoomBubbleView::ShowBubble().

BUG=428561

Review URL: https://codereview.chromium.org/712993004

Cr-Commit-Position: refs/heads/master@{#303945}

[modify] https://chromium.googlesource.com/chromium/src.git/+/d1b6f4d89d002808689a156b739f8d7fd80104fb/chrome/browser/ui/views/location_bar/zoom_bubble_view.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/d1b6f4d89d002808689a156b739f8d7fd80104fb/chrome/browser/ui/views/location_bar/zoom_bubble_view_browsertest.cc
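
The mechanism described in Comment 12 and addressed by the commit above, as an added C++ model that is not Chromium's code: a singleton bubble keeps a non-owning WebContents*; if Close() leaves the singleton pointer set, the next ShowBubble() reuses the old bubble and Refresh() reads through a pointer to a tab that may already be destroyed. The names WebContents, ZoomBubble, ShowBubble, Refresh, Close and zoom_bubble_ follow the commit message; the arena, liveness set, ReadZoom, RunScenario and the mismatch counter are constructed here so the stale read is detected deterministically instead of being undefined behaviour.

```cpp
#include <cstdio>
#include <deque>
#include <set>

// Constructed stand-in for content::WebContents (not Chromium's class). The
// field is what Refresh() reads through the pointer, the way the real
// ZoomBubbleView::Refresh() read per-tab user data.
struct WebContents {
  int zoom_percent;
};

// Arena that never hands out the same address twice, plus a liveness set, so a
// read through a destroyed tab is detected instead of being undefined
// behaviour. This models what ASan's quarantine caught in the real crash.
static std::deque<WebContents> g_arena;
static std::set<const WebContents*> g_live_contents;

WebContents* CreateContents(int zoom_percent) {
  g_arena.push_back(WebContents{zoom_percent});
  WebContents* wc = &g_arena.back();  // deque keeps element addresses stable
  g_live_contents.insert(wc);
  return wc;
}

void DestroyContents(WebContents* wc) {
  g_live_contents.erase(wc);
  wc->zoom_percent = 0;  // poison, like freed memory being reused
}

// Zoom read through |wc|, or -1 when |wc| is stale: the read that ASan
// reported as heap-use-after-free in the crash state above.
int ReadZoom(const WebContents* wc) {
  if (g_live_contents.count(wc) == 0) return -1;
  return wc->zoom_percent;
}

// Simplified singleton bubble. It does not own the tab it displays; it only
// keeps a raw pointer that can dangle once the tab is destroyed.
class ZoomBubble {
 public:
  // Show-or-refresh: when a bubble is already registered it is reused, and its
  // stored WebContents* (not the caller's) is what Refresh() dereferences.
  static int ShowBubble(WebContents* wc) {
    if (zoom_bubble_ && zoom_bubble_->web_contents_ != wc)
      ++mismatches_;  // the condition the fix turned into a DCHECK
    if (!zoom_bubble_) zoom_bubble_ = new ZoomBubble(wc);
    return zoom_bubble_->Refresh();
  }

  // Pre-fix close: the bubble is hidden but zoom_bubble_ stays set, so the
  // next ShowBubble() reuses it together with its possibly-stale pointer.
  static void CloseBuggy() {
    if (zoom_bubble_) zoom_bubble_->visible_ = false;
  }

  // Post-fix close: the singleton pointer is cleared, so the next ShowBubble()
  // builds a fresh bubble from the caller's live WebContents*.
  static void CloseFixed() {
    delete zoom_bubble_;
    zoom_bubble_ = nullptr;
  }

  static int mismatches() { return mismatches_; }
  static void ResetForTest() { CloseFixed(); mismatches_ = 0; }

 private:
  explicit ZoomBubble(WebContents* wc) : web_contents_(wc) {}
  int Refresh() {
    visible_ = true;
    return ReadZoom(web_contents_);
  }

  static ZoomBubble* zoom_bubble_;
  static int mismatches_;
  WebContents* web_contents_;  // raw, non-owning
  bool visible_ = true;
};
ZoomBubble* ZoomBubble::zoom_bubble_ = nullptr;
int ZoomBubble::mismatches_ = 0;

struct Outcome {
  int zoom;        // what the second ShowBubble() read; -1 models the UAF
  int mismatches;  // how often the stored WebContents* disagreed with the caller's
};

// The sequence behind the report: show the bubble for one tab, close it,
// destroy that tab, then show the bubble for another tab.
Outcome RunScenario(bool fixed) {
  ZoomBubble::ResetForTest();
  WebContents* first = CreateContents(110);
  ZoomBubble::ShowBubble(first);
  if (fixed) ZoomBubble::CloseFixed(); else ZoomBubble::CloseBuggy();
  DestroyContents(first);  // the buggy bubble still points here
  WebContents* second = CreateContents(125);
  Outcome out{ZoomBubble::ShowBubble(second), ZoomBubble::mismatches()};
  ZoomBubble::CloseFixed();  // tidy up; leaves mismatches_ untouched
  return out;
}

int main() {
  Outcome buggy = RunScenario(false);
  Outcome fixed = RunScenario(true);
  std::printf("buggy: zoom=%d mismatches=%d\n", buggy.zoom, buggy.mismatches);
  std::printf("fixed: zoom=%d mismatches=%d\n", fixed.zoom, fixed.mismatches);
  return 0;
}
```

Running the two scenarios shows the difference the one-line reset makes: the pre-fix close leaves the singleton reusable and the second ShowBubble() reads through the destroyed tab (reported as -1 here, a use-after-free under ASan), while the post-fix close forces a new bubble bound to the live tab. The mismatch counter is the same condition the commit guards with a DCHECK, which is why the fix also catches the stale-pointer case in debug builds if some other path leaves the singleton set.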

Status: Fixed
Speculatively marking 'fixed', please re-open if needed.
Project Member Comment 18 by clusterf...@chromium.org, Nov 13 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-40 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: Merge-Requested
Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M39), manual review required.
Labels: Merge-Approved Hotlist-Merge-Approved
Approved for M40 (branch: 2214)
Project Member Comment 22 by bugdroid1@chromium.org, Nov 24 2014
Labels: -Merge-Approved merge-merged-2214
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6f54d31218e0cc558e14dcf5814be5c21d7987bc

commit 6f54d31218e0cc558e14dcf5814be5c21d7987bc
Author: W. James MacLean <wjmaclean@chromium.org>
Date: Mon Nov 24 21:16:58 2014

Reset singleton ZoomBubbleView::zoom_bubble_ in ::Close()

The current implementation of ZoomBubbleView is capable of attempting to
re-use a zoom bubble with a stale WebContents*.

This CL resets ZoomBubbleView::zoom_bubble_ in the
ZoomBubbleView::Close() method to avoid inadvertent reuse. It also adds
a DCHECK to make sure WebContents* are never mis-matched in calls to
ZoomBubbleView::ShowBubble().

BUG=428561

Review URL: https://codereview.chromium.org/712993004

Cr-Commit-Position: refs/heads/master@{#303945}
(cherry picked from commit d1b6f4d89d002808689a156b739f8d7fd80104fb)

TBR=wjmaclean

Review URL: https://codereview.chromium.org/752153005

Cr-Commit-Position: refs/branch-heads/2214@{#127}
Cr-Branched-From: 03655fd3f6d72165dc3c9bd2c89807305316fe6c-refs/heads/master@{#303346}

[modify] http://crrev.com/6f54d31218e0cc558e14dcf5814be5c21d7987bc/chrome/browser/ui/views/location_bar/zoom_bubble_view.cc
[modify] http://crrev.com/6f54d31218e0cc558e14dcf5814be5c21d7987bc/chrome/browser/ui/views/location_bar/zoom_bubble_view_browsertest.cc

Looks like it's in M-40, please re-request if you want to get this into 39.
Labels: -Merge-Review Merge-Approved
merge approved for m39 branch 2171
Labels: -Merge-Approved Merge-Merged
Labels: -M-39 -Merge-Triage Release-0-M40
Issue 412783 has been merged into this issue.
Labels: -Security_Severity-High -Hotlist-Merge-Review -Hotlist-Merge-Approved Security_Severity-Medium
sec-medium, since it needs too many gestures and is racy.
Labels: -reward-topanel reward-unpaid CVE-2014-7936 reward-1500
Congratulations - $1500 for this report. Notes from the reward panel: "$1000 for the bug as it needs many gestures and is racy, +$500 ClusterFuzz bonus".


Project Member Comment 30 by clusterf...@chromium.org, Feb 19 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: label-inprocess
Labels: -reward-unpaid -label-inprocess reward-inprocess
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!
Project Member Comment 34 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 35 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic