
Issue metadata

Status: Fixed
Owner:
Closed: Apr 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Heap-use-after-free in content::IndexedDBBackingStore::Transaction::ChainedBlobWriterImpl::ReportW

Project Member Reported by ClusterFuzz, Apr 1 2015

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6059461953716224

Fuzzer: Therealholden_worker
Job Type: Windows_asan_chrome

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x03f7de80
Crash State:
  content::IndexedDBBackingStore::Transaction::ChainedBlobWriterImpl::ReportW
  base::internal::Invoker<IndexSequence<0,1,2>,base::internal::BindState<base
  base::debug::TaskAnnotator::RunTask

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv950dm51HDGN9rk1q16pVsOX65HnOzg88PbLQ1f7My6_ZIKA0279WhRNpxUMD8W770wbDbp2aG4H040jo9VV5h8ArJSRfF8NbXGSM-Jhg1Dr__sA_956vdEsyyR5wxSu-3sVWQJxg8kTL3XKfMqcNVy2ZlGPfA

Additional requirements: Requires HTTP

Filer: inferno
 
Cc: dgro...@chromium.org therealh...@gmail.com
Labels: Cr-Blink-Storage-IndexedDB
Owner: jsb...@chromium.org
Status: Assigned
Project Member

Comment 2 by ClusterFuzz, Apr 1 2015

Labels: Pri-1
Labels: Security_Impact-Stable
Given the age of the code in question I'm going to assume it impacts stable. Please change if determined otherwise.
Cc: dmu...@chromium.org jsb...@chromium.org
Owner: cmumford@chromium.org
Passing it off to cmumford, but I'll take a quick look.
From a first glance, looks like the ChainedBlobWriterImpl's Abort() should be checking aborted_ - it looks plausible that during backing store close the transaction would be aborted and call Abort() on the writer. Later, the posted task still runs, and the writer's raw pointer to the backing store is derefed -> boom.
Project Member

Comment 6 by ClusterFuzz, Apr 1 2015

Labels: M-41
Status: Started
jsbell: I don't see how checking aborted_ (and doing an early return?) would fix this. Do you think it's possible for WriteBlobFile to result in Abort being called before it can set waiting_for_callback_ to true?
The "free" stack shows that the backing store has been closed. That would cause the transactions to all be aborted, which would Abort() their blob writers. I confess I didn't dig through the entire state machine of the writer to see what would happen next; I was guessing that if they had outstanding tasks (i.e. from the constructor?) it would fall into the bad path.

Project Member

Comment 10 by ClusterFuzz, Apr 3 2015

Labels: -M-41 M-42
Project Member

Comment 11 by ClusterFuzz, Apr 18 2015

Labels: Nag
cmumford@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Not able to reproduce, but I did put up a change (crrev.com/1060613002) which is a (very) speculative fix for this.
Project Member

Comment 13 by bugdroid1@chromium.org, Apr 23 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/29777a8ee0f45b8160ec004e74013d5b62b6828a

commit 29777a8ee0f45b8160ec004e74013d5b62b6828a
Author: cmumford <cmumford@chromium.org>
Date: Thu Apr 23 18:56:12 2015

IndexedDB: Protect against use-after-free in ChainedBlobWriter.

This is a speculative fix for a heap use-after-free bug. Was unable
to verify using a Windows SyzyASan build. The theory is that if Abort()
was called before ChainedBlobWriterImpl::WriteNextFile() could set
waiting_for_callback_ then the ReportWriteCompletion() would never know
that it was aborted and attempt to use its dangling raw pointer to a
deleted IndexedDBBackingStore instance.

Also in this change is the elimination of the redundant aborted_
member variable.

BUG=472614

Review URL: https://codereview.chromium.org/1060613002

Cr-Commit-Position: refs/heads/master@{#326597}

[modify] http://crrev.com/29777a8ee0f45b8160ec004e74013d5b62b6828a/content/browser/indexed_db/indexed_db_backing_store.cc
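The ordering theorised in the comment above and in the commit message, as an added model that is not Chromium's code: the writer's only abort signal is waiting_for_callback_, and setting that flag only after the write has been issued lets an Abort() during backing-store close be overwritten, so the completion callback proceeds against a store that no longer exists. BlobWriter, BackingStore, CloseDuringWrite and the flag_before_write switch are assumptions of this model; "closed" stands in for deletion so the bad access is recorded rather than being real undefined behaviour.

```cpp
#include <functional>
#include <queue>
// Constructed stand-in for IndexedDBBackingStore: "closed" models deletion,
// so a bad access is recorded instead of being real undefined behaviour.
struct BackingStore { bool closed = false; int writes_reported = 0; };
using TaskQueue = std::queue<std::function<void()>>;  // models the task runner

// Hypothetical writer with a raw pointer to the store, as the real
// ChainedBlobWriterImpl had. flag_before_write selects the ordering.
class BlobWriter {
 public:
  BlobWriter(BackingStore* s, TaskQueue* q, bool flag_before_write)
      : store_(s), q_(q), flag_before_write_(flag_before_write) {}
  // Posts the completion task, then lets an event (here: store close) run.
  // Vulnerable ordering: waiting_for_callback_ is set only after that event,
  // so an Abort() in between is overwritten and never seen by the callback.
  void WriteNextFile(const std::function<void()>& interleaved_event) {
    if (flag_before_write_) waiting_for_callback_ = true;
    q_->push([this] { ReportWriteCompletion(); });
    interleaved_event();
    if (!flag_before_write_) waiting_for_callback_ = true;
  }
  void Abort() { waiting_for_callback_ = false; }  // the only abort signal
  // Returns true if it touched a closed store (the reported use-after-free).
  bool ReportWriteCompletion() {
    if (!waiting_for_callback_) return false;  // aborted: nothing to do
    waiting_for_callback_ = false;
    if (store_->closed) { touched_closed_store_ = true; return true; }
    ++store_->writes_reported;
    return false;
  }
  bool touched_closed_store() const { return touched_closed_store_; }

 private:
  BackingStore* store_;  // raw, non-owning: dangles once the store is gone
  TaskQueue* q_;
  bool flag_before_write_, waiting_for_callback_ = false;
  bool touched_closed_store_ = false;
};

// Closes the store (aborting the writer) while a write is in flight, drains
// the queue, and returns true if the completion callback used the closed store.
bool CloseDuringWrite(bool flag_before_write) {
  BackingStore store;
  TaskQueue q;
  BlobWriter w(&store, &q, flag_before_write);
  w.WriteNextFile([&] { store.closed = true; w.Abort(); });
  while (!q.empty()) { q.front()(); q.pop(); }
  return w.touched_closed_store();
}
```

CloseDuringWrite(false) reproduces the bad path; CloseDuringWrite(true) shows that once the flag is set before the write is issued, Abort() is observed by the callback and the explicit aborted_ member really is redundant.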

Status: Fixed
The speculative fix in #13 _might_ fix this, and if not will hopefully shed more light on the cause. Being as I cannot reproduce this I am marking as Fixed and will revisit this issue if reopened.
Project Member

Comment 15 by ClusterFuzz, Apr 24 2015

Labels: -Restrict-View-SecurityTeam M-43 Restrict-View-SecurityNotify Merge-Triage
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -M-42 -Nag -M-43 -Merge-Triage Merge-NA M-44 Release-0-M44
We can let this roll in with M44 or reopen if the issue isn't fixed. 

(Note: If reopening, please remove the "Release-0-M44" and "Merge-NA" labels.)
Labels: CVE-2015-1276
Project Member

Comment 18 by ClusterFuzz, Jul 31 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-topanel reward-3500 reward-unpaid
Congrats - $3500 for this report ($3000 for the bug + $500 ClusterFuzz bonus).

I'll start payment next week, so you should have the reward ~2 weeks from today.

Thanks again!
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Payment is on its way - should arrive in ~7 days. Thanks again for your report!
Project Member

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted