Issue 473253 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Security: heap-use-after-free in blink::ConsumerWrapper::consumeAudio

Reported by chromium...@gmail.com, Apr 2 2015

Issue description

VERSION
Chrome Version: 41.0.2272.118
Operating System: Windows 7

==7748==ERROR: AddressSanitizer: heap-use-after-free on address 0x0301b4a0 at pc 0x113355db bp 0xdeadbeef sp 0x55cef190
READ of size 4 at 0x0301b4a0 thread T23
    #0 0x113355da in blink::ConsumerWrapper::consumeAudio C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\exported\WebMediaStreamSource.cpp:209
    #1 0x113927fe in blink::MediaStreamSource::consumeAudio C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\mediastream\MediaStreamSource.cpp:105
    #2 0x1325cae8 in blink::MediaStreamAudioDestinationNode::process C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\webaudio\MediaStreamAudioDestinationNode.cpp:79
    #3 0x12ff527b in blink::AudioNode::processIfNecessary C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\webaudio\AudioNode.cpp:634
    #4 0x1308809b in blink::AudioContext::processAutomaticPullNodes C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\webaudio\AudioContext.cpp:1133
    #5 0x13499b3c in blink::AudioDestinationNode::render C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\webaudio\AudioDestinationNode.cpp:93
    #6 0x1adfc812 in blink::AudioDestination::provideInput C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\audio\AudioDestination.cpp:175
    #7 0x1af7884f in blink::AudioPullFIFO::consume C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\audio\AudioPullFIFO.cpp:65
    #8 0x1adfc4d6 in blink::AudioDestination::render C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\audio\AudioDestination.cpp:164
    #9 0x17529f85 in content::RendererWebAudioDeviceImpl::Render C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\media\renderer_webaudiodevice_impl.cc:90
    #10 0x1a4b5a89 in media::AudioOutputDevice::AudioThreadCallback::Process C:\b\build\slave\Win_ASan_Release\build\src\media\audio\audio_output_device.cc:297
    #11 0x1a57c99b in media::AudioDeviceThread::Thread::Run C:\b\build\slave\Win_ASan_Release\build\src\media\audio\audio_device_thread.cc:183
    #12 0x1a57c67c in media::AudioDeviceThread::Thread::ThreadMain C:\b\build\slave\Win_ASan_Release\build\src\media\audio\audio_device_thread.cc:158

0x0301b4a0 is located 0 bytes inside of 88-byte region [0x0301b4a0,0x0301b4f8)
freed by thread T0 here:
    #0 0x10d41e4 in free c:\b\build\slave\win_asan_release\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:42
    #1 0x174d4c7f in content::WebAudioCapturerSource::`scalar deleting destructor' C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\media\webaudio_capturer_source.cc:27
    #2 0x172b4f71 in content::WebRtcLocalAudioTrack::Stop C:\b\build\slave\Win_ASan_Release\build\src\base\memory\ref_counted.h:192
    #3 0x173b9eb6 in content::MediaStreamCenter::didStopMediaStreamTrack C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\media\media_stream_center.cc:119
    #4 0x1addd3d7 in blink::MediaStreamCenter::didStopMediaStreamTrack C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\mediastream\MediaStreamCenter.cpp:94
    #5 0x12c2b850 in blink::MediaStreamTrack::stopTrack C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\mediastream\MediaStreamTrack.cpp:159
    #6 0x12c1a9e0 in blink::Heap::allocate<blink::PositionErrorCallback> C:\b\build\slave\Win_ASan_Release\build\src\out\Release\gen\blink\bindings\modules\v8\V8MediaStreamTrack.cpp:267
    #7 0x120631d8 in v8::internal::FunctionCallbackArguments::Call C:\b\build\slave\Win_ASan_Release\build\src\v8\src\arguments.cc:33
    #8 0x11bf50eb in v8::internal::Builtins::InvokeApiFunction C:\b\build\slave\Win_ASan_Release\build\src\v8\src\builtins.cc:1077
    #9 0x11c01e6b in v8::internal::Builtins::Builtins C:\b\build\slave\Win_ASan_Release\build\src\v8\src\builtins.cc:1100

previously allocated by thread T0 here:
    #0 0x10d42b8 in malloc c:\b\build\slave\win_asan_release\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:58
    #1 0x1be4aa9d in operator new f:\dd\vctools\crt\crtw32\heap\new.cpp:59
    #2 0x172ab278 in content::PeerConnectionDependencyFactory::CreateWebAudioSource C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\media\webrtc\peer_connection_dependency_factory.cc:508
    #3 0x172aaa63 in content::PeerConnectionDependencyFactory::CreateLocalAudioTrack C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\media\webrtc\peer_connection_dependency_factory.cc:463
    #4 0x173b9cdd in content::MediaStreamCenter::didCreateMediaStreamTrack C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\media\media_stream_center.cc:44
    #5 0x173b9ad1 in content::MediaStreamCenter::didCreateMediaStreamTrack C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\media\media_stream_center.cc:96
    #6 0x1addd60c in blink::MediaStreamCenter::didCreateMediaStreamAndTracks C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\mediastream\MediaStreamCenter.cpp:123
    #7 0x1325bba6 in blink::MediaStreamAudioDestinationNode::MediaStreamAudioDestinationNode C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\webaudio\MediaStreamAudioDestinationNode.cpp:52
    #8 0x1325b46a in blink::MediaStreamAudioDestinationNode::create C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\webaudio\MediaStreamAudioDestinationNode.cpp:40
    #9 0x130792d9 in blink::AudioContext::createMediaStreamDestination C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\modules\webaudio\AudioContext.cpp:388
    #10 0x12e30bb4 in blink::ScreenOrientation::setOnchange C:\b\build\slave\Win_ASan_Release\build\src\out\Release\gen\blink\bindings\modules\v8\V8AudioContext.cpp:346
    #11 0x120631d8 in v8::internal::FunctionCallbackArguments::Call C:\b\build\slave\Win_ASan_Release\build\src\v8\src\arguments.cc:33
    #12 0x11bf50eb in v8::internal::Builtins::InvokeApiFunction C:\b\build\slave\Win_ASan_Release\build\src\v8\src\builtins.cc:1077
    #13 0x11c01e6b in v8::internal::Builtins::Builtins C:\b\build\slave\Win_ASan_Release\build\src\v8\src\builtins.cc:1100

Thread T23 created by T2 here:
    #0 0x10dee50 in __asan_wrap_CreateThread c:\b\build\slave\win_asan_release\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc:93

Thread T2 created by T0 here:
    #0 0x10dee50 in __asan_wrap_CreateThread c:\b\build\slave\win_asan_release\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc:93

SUMMARY: AddressSanitizer: heap-use-after-free C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\platform\exported\WebMediaStreamSource.cpp:209 blink::ConsumerWrapper::consumeAudio
Shadow bytes around the buggy address:
  0x30603640: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x30603650: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x30603660: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x30603670: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x30603680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x30603690: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
  0x306036a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x306036b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 04
  0x306036c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x306036d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x306036e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7748==ABORTING

Attachment: testcase.html (1022 bytes)
Crash ID: 9b70f9356a9cdf27
Attachment: 78632.mp4 (183 KB)
Cc: phoglund@chromium.org perkj@chromium.org
Labels: Security_Severity-High Security_Impact-Stable Pri-1 OS-All Cr-Blink-WebRTC
Owner: tommyw@chromium.org
Status: Assigned

Comment 3 by ClusterFuzz, Apr 3 2015

Labels: M-42

Comment 4 by perkj@chromium.org, Apr 7 2015

Cc: rtoy@chromium.org
Owner: guidou@chromium.org
tommyw is still ooo.

guidou, can this be related to your latest fix in WebMediaStreamSource?
Talk to rtoy for questions related to webaudio.


I haven't submitted any fix for the WebMediaStreamSource bug (469145), but it seems that both are reproduced with the same test case. They are likely to be the same bug.
I'll take a look to see if I can find something.
Labels: Stability-Memory-AddressSanitizer
Adding flags so this can be queried more easily // asan_win_trophy

Comment 7 by bugdroid1@chromium.org, Apr 10 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/228cd9447121ede4d32ab48c8dfe066736cfdae2

commit 228cd9447121ede4d32ab48c8dfe066736cfdae2
Author: guidou <guidou@chromium.org>
Date: Fri Apr 10 13:00:37 2015

Fix heap-use-after-free issue with WebAudioCapturerSource.

WebAudioCapturerSource registers with a blink WebMediaStreamSource.
When the audio track was stopped, the WebAudioCapturerSource was
destroyed and the WebMediaStreamSource was left with a dangling
pointer, which it tried to use, resulting in access to freed
memory and usually a crashed tab.

This CL makes WebAudioCapturerSource aware of the WebMediaStreamSource
with which it is registered, so that it can be deregistered when the
audio track is stopped.

BUG=473253
TEST=See testcase.html in crbug.com/473253

Review URL: https://codereview.chromium.org/1071063005

Cr-Commit-Position: refs/heads/master@{#324622}

[modify] http://crrev.com/228cd9447121ede4d32ab48c8dfe066736cfdae2/content/renderer/media/webaudio_capturer_source.cc
[modify] http://crrev.com/228cd9447121ede4d32ab48c8dfe066736cfdae2/content/renderer/media/webaudio_capturer_source.h
[modify] http://crrev.com/228cd9447121ede4d32ab48c8dfe066736cfdae2/content/renderer/media/webrtc/peer_connection_dependency_factory.cc

Comment 8 by guidou@chromium.org, Apr 10 2015

Status: Fixed

Comment 9 by ClusterFuzz, Apr 10 2015

Labels: -Restrict-View-SecurityTeam M-43 Restrict-View-SecurityNotify Merge-Triage
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -Merge-Triage Merge-Requested
Merge Requested to M43 (branch 2357)

Comment 11 by laforge@google.com, May 11 2015

Labels: -Merge-Requested Merge-Review-42 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M42), manual review required.

Comment 12 by laforge@google.com, May 11 2015

Labels: Merge-Review-43
[Automated comment] Less than 2 weeks to go before stable on M43, manual review required.

Comment 13 by laforge@google.com, May 11 2015

Labels: -Merge-Review-43 Merge-Approved
Labels: -Merge-Review-42
Not happening for 42.

Comment 15 by laforge@google.com, May 12 2015

Cc: magjed@chromium.org

Comment 16 by bugdroid1@chromium.org, May 12 2015

Labels: -Merge-Approved merge-merged-2357
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/beca77c820c579ee29ff8387b5a42765ef8ccee4

commit beca77c820c579ee29ff8387b5a42765ef8ccee4
Author: Magnus Jedvert <magjed@google.com>
Date: Tue May 12 15:33:18 2015

Fix heap-use-after-free issue with WebAudioCapturerSource.

WebAudioCapturerSource registers with a blink WebMediaStreamSource.
When the audio track was stopped, the WebAudioCapturerSource was
destroyed and the WebMediaStreamSource was left with a dangling
pointer, which it tried to use, resulting in access to freed
memory and usually a crashed tab.

This CL makes WebAudioCapturerSource aware of the WebMediaStreamSource
with which it is registered, so that it can be deregistered when the
audio track is stopped.

BUG=473253
TEST=See testcase.html in crbug.com/473253

Review URL: https://codereview.chromium.org/1071063005

Cr-Commit-Position: refs/heads/master@{#324622}
(cherry picked from commit 228cd9447121ede4d32ab48c8dfe066736cfdae2)

R=guidou@chromium.org
TBR=henrika, perkj

Review URL: https://codereview.chromium.org/1136803003

Cr-Commit-Position: refs/branch-heads/2357@{#369}
Cr-Branched-From: 59d4494849b405682265ed5d3f5164573b9a939b-refs/heads/master@{#323860}

[modify] http://crrev.com/beca77c820c579ee29ff8387b5a42765ef8ccee4/content/renderer/media/webaudio_capturer_source.cc
[modify] http://crrev.com/beca77c820c579ee29ff8387b5a42765ef8ccee4/content/renderer/media/webaudio_capturer_source.h
[modify] http://crrev.com/beca77c820c579ee29ff8387b5a42765ef8ccee4/content/renderer/media/webrtc/peer_connection_dependency_factory.cc
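
The registration pattern described in the commit message of comment 7 (cherry-picked above in comment 16), as an added C++ illustration that is not Chromium's code: AudioConsumer, StreamSource, LeakyCapturer, SafeCapturer and staleAfterStop are hypothetical stand-ins for WebMediaStreamSource and WebAudioCapturerSource. The "before" capturer registers without remembering its source, so stopping the track leaves a dangling pointer; the "after" capturer deregisters itself before it is destroyed.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
// Hypothetical model of the bug: a source keeps raw pointers to its consumers
// and dereferences each one on every render pass (ConsumerWrapper::consumeAudio).
struct AudioConsumer {
  virtual ~AudioConsumer() = default;
  virtual void consumeAudio(int frames) = 0;
};
class StreamSource {
 public:
  void addConsumer(AudioConsumer* c) { consumers_.push_back(c); }
  void removeConsumer(AudioConsumer* c) {
    consumers_.erase(std::remove(consumers_.begin(), consumers_.end(), c), consumers_.end());
  }
  int consumerCount() const { return static_cast<int>(consumers_.size()); }
  int render(int frames) {  // feeds every registered consumer, returns count
    for (AudioConsumer* c : consumers_) c->consumeAudio(frames);
    return consumerCount();
  }
 private:
  std::vector<AudioConsumer*> consumers_;
};
// Before the fix: the capturer never learns which source it registered with,
// so destroying it when the track stops leaves the source a dangling pointer.
struct LeakyCapturer : AudioConsumer {
  explicit LeakyCapturer(StreamSource* src) { src->addConsumer(this); }
  void consumeAudio(int frames) override { frames_ += frames; }
  int frames_ = 0;
};
// After the fix: the capturer remembers its source and deregisters itself
// before it is destroyed, so no stale pointer survives the stop.
struct SafeCapturer : AudioConsumer {
  explicit SafeCapturer(StreamSource* s) : src_(s) { src_->addConsumer(this); }
  ~SafeCapturer() override { src_->removeConsumer(this); }
  void consumeAudio(int frames) override { frames_ += frames; }
  int frames_ = 0;
  StreamSource* src_;
};
// Destroy the capturer (track stopped) and count what the source still holds:
// 0 with the fix, 1 dangling pointer without it (render() is not called again).
int staleAfterStop(bool fixed) {
  StreamSource src;
  std::unique_ptr<AudioConsumer> cap;
  if (fixed) cap = std::make_unique<SafeCapturer>(&src);
  else       cap = std::make_unique<LeakyCapturer>(&src);
  src.render(128);  // track live: one consumer fed
  cap.reset();      // MediaStreamTrack.stop(): capturer destroyed
  return src.consumerCount();
}
```

The leaky path only counts the stale registration and never renders after the reset; under ASan the extra render would report exactly the heap-use-after-free shown in this issue.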


Comment 17 by bugdroid1@chromium.org, May 14 2015

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/beca77c820c579ee29ff8387b5a42765ef8ccee4

commit beca77c820c579ee29ff8387b5a42765ef8ccee4
Author: Magnus Jedvert <magjed@google.com>
Date: Tue May 12 15:33:18 2015

Labels: -M-42 Release-0-M43 reward-topanel
Labels: -reward-topanel reward-unpaid CVE-2015-1255 reward-3000
Congrats - as mentioned in the release notes, $3000 for this report. We'll take care of payment in the next payment run.
Labels: -reward-unpaid reward-inprocess
We'll process this reward via our new payment process which should only take ~1-2 weeks.

Comment 21 by ClusterFuzz, Jul 17 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-inprocess
Processing via our e-payment system can take up to two weeks, but the reward should be on its way to you. Thanks again for your help!

(Note: sorry for the delay here - it turns out in the new payment system, these payments were waiting for a second approval from me).

Comment 23 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
