
Issue 490492 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Security




Security: heap-use-after-free in WebsiteSettingsInfoBarDelegate::Create

Reported by chromium...@gmail.com, May 21 2015

Issue description

VERSION
Chrome Version: 45.0.2407.0 canary (32 bits)
Operating System: Windows 7

REPRODUCTION CASE
(Watch the video)

============================================================================================================
==6472==ERROR: AddressSanitizer: heap-use-after-free on address 0x278d4540 at pc 0x11d08164 bp 0xdeadbeef sp 0x00aecc08
READ of size 4 at 0x278d4540 thread T0
    #0 0x11d08163 in WebsiteSettingsInfoBarDelegate::Create C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\website_settings\website_settings_infobar_delegate.cc:20
    #1 0x11b6dc60 in WebsiteSettings::OnUIClosing C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\website_settings\website_settings.cc:372
    #2 0x11751473 in WebsiteSettingsPopupView::OnWidgetDestroying C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\views\website_settings\website_settings_popup_view.cc:383
    #3 0xf6d67c2 in views::Widget::OnNativeWidgetDestroying C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\widget.cc:1108
    #4 0xf86f510 in views::DesktopWindowTreeHostWin::HandleDestroying C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\desktop_aura\desktop_window_tree_host_win.cc:758
    #5 0xf8cfb81 in views::HWNDMessageHandler::OnDestroy C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.cc:1389
    #6 0xf8c4c47 in views::HWNDMessageHandler::_ProcessWindowMessage C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.h:390
    #7 0xf8c0f7a in views::HWNDMessageHandler::OnWndProc C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.cc:896
    #8 0x137d36af in gfx::WindowImpl::WndProc c:\b\build\slave\win_asan_release\build\src\ui\gfx\win\window_impl.cc:315
    #9 0x75f586ee in IsThreadDesktopComposited+0x11e (C:\Windows\system32\USER32.dll+0x186ee)
    #10 0x75f58875 in IsThreadDesktopComposited+0x2a5 (C:\Windows\system32\USER32.dll+0x18875)
    #11 0x75f570f3 in InflateRect+0x73 (C:\Windows\system32\USER32.dll+0x170f3)
    #12 0x75f5738e in DefWindowProcW+0x143 (C:\Windows\system32\USER32.dll+0x1738e)
    #13 0x7748642d in KiUserCallbackDispatcher+0x2d (C:\Windows\SYSTEM32\ntdll.dll+0x4642d)
    #14 0xc3760de in base::internal::Invoker<IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall WrenchToolbarButton::*)(void)>,void __cdecl(WrenchToolbarButton *),base::internal::TypeList<base::WeakPtr<WrenchToolbarButton> > >,base::internal::TypeList<base::internal::UnwrapTraits<base::WeakPtr<WrenchToolbarButton> > >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall WrenchToolbarButton::*)(void)>,base::internal::TypeList<base::WeakPtr<WrenchToolbarButton> const &> >,void __cdecl(void)>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:176
    #15 0x7673cd0 in base::debug::TaskAnnotator::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\callback.h:396
    #16 0x750f4cb in base::MessageLoop::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:444
    #17 0x7510a60 in base::MessageLoop::DoWork C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:454

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-use-after-free C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\website_settings\website_settings_infobar_delegate.cc:20 in WebsiteSettingsInfoBarDelegate::Create
Shadow bytes around the buggy address:
  0x34f1a850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x34f1a8a0: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x34f1a8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34f1a8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6472==ABORTING
==6472==AddressSanitizer: while reporting a bug found another one. Ignoring.

 
PoC.html
234 bytes View Download
872131.mp4
603 KB Download
Labels: Pri-1 Cr-UI-Browser-Infobars Security_Severity-High OS-Windows
Owner: pkasting@chromium.org
Status: Assigned
Peter, can you please take a look or suggest an owner. We are in a security fixit this week, so any help is highly appreciated. The repro looks pretty simple and minimized. 
Cc: pkasting@chromium.org
Owner: markusheintz@chromium.org
Looks like Markus owns this UI?

It seems like the general problem here is that the website settings code shows an infobar when the popup closes if some of the permissions changed, but in this case the popup is closing because the whole browser is being torn down, and the infobar service no longer exists.

In turn this makes me wonder why the WebsiteSettings object is keeping an InfoBarService* to begin with, instead of simply looking up the appropriate WebContents and its appropriate InfoBarService when it needs to. Presumably in the course of these lookups it would notice that one or both of these objects no longer exist.
Project Member

Comment 3 by ClusterFuzz, May 26 2015

Labels: Missing_Impact-1
Project Member

Comment 4 by ClusterFuzz, May 30 2015

Labels: -Missing_Impact-1 Missing_Impact-3
Project Member

Comment 5 by ClusterFuzz, Jun 3 2015

Labels: -Missing_Impact-3 Missing_Impact-4
Labels: -Missing_Impact-4 Security_Impact-Stable
Reproduced in r323865
Project Member

Comment 8 by ClusterFuzz, Jun 4 2015

Labels: M-43
Project Member

Comment 9 by ClusterFuzz, Jun 5 2015

Labels: Nag
markusheintz@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Markus - can you please provide an update? (even if that update is no progress). I'd like to get a fix into M44 beta well before it gets close to stable promotion.
Markus, could you please take a look at this issue. Please note that this is a high severity security bug that needs to be fixed.

Project Member

Comment 12 by ClusterFuzz, Jun 19 2015

markusheintz@: Uh oh! This issue is still open and hasn't been updated in the last 28 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 13 by ClusterFuzz, Jul 3 2015

markusheintz@: Uh oh! This issue is still open and hasn't been updated in the last 42 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 14 by ClusterFuzz, Jul 10 2015

Labels: -M-43 M-44
Project Member

Comment 15 by ClusterFuzz, Jul 18 2015

markusheintz@: Uh oh! This issue is still open and hasn't been updated in the last 57 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 16 by ClusterFuzz, Jul 21 2015

Labels: Deadline-Exceeded
You have far exceeded the 60-day deadline for fixing this high severity security vulnerability.

We commit ourselves to this deadline and appreciate your utmost priority on this issue.

If you are unable to look into this soon, please find someone else to own this.

- Your friendly ClusterFuzz
Any updates on this bug?
Project Member

Comment 18 by ClusterFuzz, Aug 21 2015

Labels: -M-44 M-45
Project Member

Comment 19 by ClusterFuzz, Aug 24 2015

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5314858512285696

Uploader: palmer@chromium.org
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: 
Crash Address: 
Crash State:
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv954pHAW9BehAHuvMC4LqQpDv_rC0ltSZQU-rCyR_A-qpf1zOZA7y5ZTVSRODC86OFX-2ALK3rjehidigTJcrR8QEPNiZivuomrAYihCfrAoASEQY1_Y4oQEKRBS2gedM7yX7VQ-brK57kfwWuyOjte34vv4iQ


Additional requirements: Requires HTTP

Filer: palmer
Cc: markusheintz@chromium.org
Labels: OS-Mac
Owner: palmer@chromium.org
Disturbingly, I reproduced this on (non-ASAN) Mac OS X as well. Crash ID bafe090015365ce6 (97850ae0-1203-480a-8dfd-25d6b1798f2f)

The need for the user to allow pop-ups somewhat mitigates the severity of this, though, right?
Labels: -Nag WIP OS-Linux
Status: Started
Linux (ASAN), too. And non-ASAN Windows.

Also, there is a weird behavior in a non-crashing case: If you don't interact with a permission setting, but just leave the Origin Info Bubble up, when the google.com tab closes, the bubble stays up and shows over the previous tab (e.g. file:///.../poc.html). But it's still the OIB for google.com, and says so.

So, an OIB should be attached to its tab, or to its WebContents, and should be properly closed when the tab or WebContents goes away. But that doesn't seem to be happening. Investigating...
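To make the lifetime problem concrete, here is an added example in C++ that is not Chromium's code: the types, names and infobar message are simplified, hypothetical stand-ins. It contrasts the shape of the bug described in pkasting@'s comment above (a popup that caches an InfoBarService* when it opens and dereferences it when it closes) with the lookup-on-demand shape suggested there, exercised on the teardown case described in the comment just above: the fixed popup remembers only which tab it belongs to, asks the browser for that tab's service when it closes, and does nothing if the tab is already gone. To keep the demonstration free of undefined behaviour, the model parks a destroyed service in a quarantine and flags it instead of freeing it, so the stale access shows up as a boolean rather than a crash.

```cpp
// Added example (not Chromium code): a hypothetical, simplified model of the
// lifetime problem in this thread; every type name here is an invented stand-in.
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for InfoBarService: owned by a WebContents and destroyed with it.
struct InfoBarService {
  std::vector<std::string> infobars;
  bool freed = false;  // set when the owner goes away (models ASan's quarantine)
  void Add(const std::string& msg) { infobars.push_back(msg); }
};

// Stand-in for WebContents (one tab); owns its InfoBarService.
struct WebContents {
  std::unique_ptr<InfoBarService> infobar_service = std::make_unique<InfoBarService>();
};

// Stand-in for the browser: the only owner of tabs and the place to look them up.
class Browser {
 public:
  void OpenTab(int id) { tabs_[id] = std::make_unique<WebContents>(); }
  // Closing a tab tears down its InfoBarService. Instead of really freeing it we
  // park it in a quarantine and flag it, so a stale access is detectable here
  // without undefined behaviour; in real code that access is a heap UAF.
  void CloseTab(int id) {
    auto it = tabs_.find(id);
    if (it == tabs_.end()) return;
    it->second->infobar_service->freed = true;
    quarantine_.push_back(std::move(it->second->infobar_service));
    tabs_.erase(it);
  }
  // Lookup on demand: null once the tab (and its service) no longer exists.
  InfoBarService* FindInfoBarService(int id) const {
    auto it = tabs_.find(id);
    return it == tabs_.end() ? nullptr : it->second->infobar_service.get();
  }
 private:
  std::map<int, std::unique_ptr<WebContents>> tabs_;
  std::vector<std::unique_ptr<InfoBarService>> quarantine_;
};

// Shape of the bug: cache an InfoBarService* when the popup opens and dereference
// it when the popup closes, whatever happened to the tab in between.
class CachingSettingsPopup {
 public:
  explicit CachingSettingsPopup(InfoBarService* s) : service_(s) {}
  void ChangePermission() { changed_ = true; }
  bool OnUIClosing() {  // true if it reached a service that was already torn down
    if (!changed_) return false;
    if (service_->freed) return true;  // real code: heap-use-after-free here
    service_->Add("Reload to apply the changed permissions");
    return false;
  }
 private:
  InfoBarService* service_;
  bool changed_ = false;
};

// Shape of the suggested fix: remember which tab the popup belongs to, look the
// service up only when it is needed, and do nothing if the tab is already gone.
class LookupSettingsPopup {
 public:
  LookupSettingsPopup(const Browser* b, int tab_id) : browser_(b), tab_id_(tab_id) {}
  void ChangePermission() { changed_ = true; }
  bool OnUIClosing() {  // true if an infobar was shown, false if nothing to attach to
    if (!changed_) return false;
    InfoBarService* s = browser_->FindInfoBarService(tab_id_);
    if (!s) return false;
    s->Add("Reload to apply the changed permissions");
    return true;
  }
 private:
  const Browser* browser_;
  int tab_id_;
  bool changed_ = false;
};

// The report's sequence: change a permission, then tear the tab down before the
// popup's OnUIClosing runs. Returns true if the cached pointer was used stale.
bool CachingPatternTouchesFreedService() {
  Browser browser;
  browser.OpenTab(1);
  CachingSettingsPopup popup(browser.FindInfoBarService(1));
  popup.ChangePermission();
  browser.CloseTab(1);  // service gone; popup still holds the raw pointer
  return popup.OnUIClosing();
}

// Lookup pattern, with or without tearing the tab down first. Returns the number
// of infobars on the tab afterwards; -1 means the tab was already gone and the
// popup correctly did nothing (-2 would mean it claimed to show one anyway).
int LookupPatternInfobars(bool close_tab_first) {
  Browser browser;
  browser.OpenTab(1);
  LookupSettingsPopup popup(&browser, 1);
  popup.ChangePermission();
  if (close_tab_first) browser.CloseTab(1);
  bool shown = popup.OnUIClosing();
  InfoBarService* s = browser.FindInfoBarService(1);
  if (!s) return shown ? -2 : -1;
  return static_cast<int>(s->infobars.size());
}
```

The same effect can be had in a real code base with a weak reference (Chromium's base::WeakPtr, which is visible in the stack trace above) instead of an owner lookup; either way the rule is the same: a UI object must not hold a raw pointer to something whose lifetime it does not control, and must tolerate that object being gone by the time the UI closes.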
Cc: a...@chromium.org
Project Member

Comment 23 by bugdroid1@chromium.org, Aug 27 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2cba0d13b3a6d76dedede66731e5ca253d3b2af

commit f2cba0d13b3a6d76dedede66731e5ca253d3b2af
Author: palmer <palmer@chromium.org>
Date: Thu Aug 27 23:15:06 2015

Fix UAF in Origin Info Bubble and permission settings UI.

In addition to fixing the UAF, this will also fix the problem of the bubble
showing over the previous tab (if the bubble is open when the tab it was opened
for closes).

BUG= 490492 
TBR=tedchoc

Review URL: https://codereview.chromium.org/1317443002

Cr-Commit-Position: refs/heads/master@{#346023}

[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/android/connection_info_popup_android.cc
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/android/website_settings_popup_android.cc
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.h
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller.mm
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/cocoa/website_settings/website_settings_bubble_controller_unittest.mm
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/views/website_settings/website_settings_popup_view.cc
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/views/website_settings/website_settings_popup_view.h
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/website_settings/website_settings.cc
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/website_settings/website_settings.h
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/website_settings/website_settings_ui.h
[modify] http://crrev.com/f2cba0d13b3a6d76dedede66731e5ca253d3b2af/chrome/browser/ui/website_settings/website_settings_unittest.cc

Status: Fixed
Project Member

Comment 25 by ClusterFuzz, Aug 28 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-46 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -WIP reward-topanel
Labels: -M-45 -Merge-Triage -M-46 M-47 Merge-NA Release-0-M47
FYI I'm working on the assumption that this will roll in off trunk due to it being a non-trivial UI change. If you want this in an M-46 patch and can vouch for it playing nicely with M46, please let me know so we can ship this to users more quickly (and remove Merge-NA and replace with Merge-Triage).

Marking as shipping with M-47.
Labels: -Security_Severity-High Security_Severity-Medium
Labels: -reward-topanel reward-1000 reward-unpaid CVE-2015-6780
Our reward panel awarded you $1000 for this report - congratulations!

Reward panel notes: Too much user interaction needed for a higher reward, although nice use after free in browser process. 

Thanks again for the report!
Project Member

Comment 30 by ClusterFuzz, Dec 4 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Project Member

Comment 33 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 34 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
