Layout Tests harness hits UaF of BlinkTestRunner when run in --site-per-process mode
Issue description
Repro:
1. Build with the following gn args:
dcheck_always_on = true
is_asan = true
is_component_build = true
is_debug = false
use_goma = true
2. Run the following test:
$ DISPLAY=:20 third_party/WebKit/Tools/Scripts/run-webkit-tests -t gn -v --additional-drt-flag=--site-per-process --no-retry-failures --additional-drt-flag=--no-sandbox http/tests/security/mixedContent/insecure-prefetch-in-main-frame.html
3. Observe the following UaF reported by ASAN:
STDERR: ==12950==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150002ce000 at pc 0x000001aad052 bp 0x7ffc353a57c0 sp 0x7ffc353a57b8
STDERR: READ of size 8 at 0x6150002ce000 thread T0 (content_shell)
STDERR: #0 0x1aad051 in Run<IPC::MessageT<ShellViewHostMsg_TestFinished_Meta> *const &> ./out/gn/../../base/bind_internal.h:181:12
STDERR: #1 0x1aad051 in MakeItSo<content::BlinkTestRunner *, IPC::MessageT<ShellViewHostMsg_TestFinished_Meta> *const &> ./out/gn/../../base/bind_internal.h:311:0
STDERR: #2 0x1aad051 in Run ./out/gn/../../base/bind_internal.h:362:0
STDERR: #3 0x7fd60c7a8cb1 in Run ./out/gn/../../base/callback.h:397:12
STDERR: #4 0x7fd60c7a8cb1 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR: #5 0x7fd5f8be434a in ProcessTaskFromWorkQueue ./out/gn/../../components/scheduler/base/task_queue_manager.cc:289:3
STDERR: #6 0x7fd5f8be05f8 in DoWork ./out/gn/../../components/scheduler/base/task_queue_manager.cc:201:13
STDERR: #7 0x7fd5f8be7674 in Run<const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:181:12
STDERR: #8 0x7fd5f8be7674 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:324:0
STDERR: #9 0x7fd5f8be7674 in Run ./out/gn/../../base/bind_internal.h:362:0
STDERR: #10 0x7fd60c7a8cb1 in Run ./out/gn/../../base/callback.h:397:12
STDERR: #11 0x7fd60c7a8cb1 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR: #12 0x7fd60c82efd3 in RunTask ./out/gn/../../base/message_loop/message_loop.cc:479:3
STDERR: #13 0x7fd60c82fc15 in DeferOrRunPendingTask ./out/gn/../../base/message_loop/message_loop.cc:488:5
STDERR: #14 0x7fd60c83056c in DoWork ./out/gn/../../base/message_loop/message_loop.cc:600:13
STDERR: #15 0x7fd60c83667c in Run ./out/gn/../../base/message_loop/message_pump_default.cc:33:21
STDERR: #16 0x7fd60c82e1b6 in RunHandler ./out/gn/../../base/message_loop/message_loop.cc:443:3
STDERR: #17 0x7fd60c8b8e2a in Run ./out/gn/../../base/run_loop.cc:35:3
STDERR: #18 0x7fd60c82b838 in Run ./out/gn/../../base/message_loop/message_loop.cc:295:3
STDERR: #19 0x7fd6100e9c8d in RendererMain ./out/gn/../../content/renderer/renderer_main.cc:219:7
STDERR: #20 0x7fd61051098e in RunZygote ./out/gn/../../content/app/content_main_runner.cc:305:14
STDERR: #21 0x7fd610511b29 in RunNamedProcessTypeMain ./out/gn/../../content/app/content_main_runner.cc:388:12
STDERR: #22 0x7fd61051363b in Run ./out/gn/../../content/app/content_main_runner.cc:741:12
STDERR: #23 0x7fd61050fc6a in ContentMain ./out/gn/../../content/app/content_main.cc:19:15
STDERR: #24 0x5b5ca2 in main ./out/gn/../../content/shell/app/shell_main.cc:48:10
STDERR: #25 0x7fd5f3076ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
STDERR:
STDERR: 0x6150002ce000 is located 0 bytes inside of 480-byte region [0x6150002ce000,0x6150002ce1e0)
STDERR: freed by thread T0 (content_shell) here:
STDERR: #0 0x5b410b in operator delete(void*) ??:?
STDERR: #1 0x7fd610067444 in ~RenderViewImpl ./out/gn/../../content/renderer/render_view_impl.cc:840:3
STDERR: #2 0x1b9fb83 in ~WebTestProxy ./out/gn/../../components/test_runner/web_test_proxy.h:209:28
STDERR: #3 0x1b9fb83 in ~WebTestProxy ./out/gn/../../components/test_runner/web_test_proxy.h:209:0
STDERR: #4 0x1b9fb83 in ~WebTestProxy ./out/gn/../../components/test_runner/web_test_proxy.h:209:0
STDERR: #5 0x7fd6100d4fc1 in Release ./out/gn/../../base/memory/ref_counted.h:134:7
STDERR: #6 0x7fd6100d4fc1 in Release ./out/gn/../../base/memory/ref_counted.h:419:0
STDERR: #7 0x7fd6100d4fc1 in ~scoped_refptr ./out/gn/../../base/memory/ref_counted.h:304:0
STDERR: #8 0x7fd6100d4fc1 in ~__tuple_leaf ./out/gn/../../buildtools/third_party/libc++/trunk/include/tuple:183:0
STDERR: #9 0x7fd6100d4fc1 in ~tuple ./out/gn/../../buildtools/third_party/libc++/trunk/include/tuple:503:0
STDERR: #10 0x7fd6100d4fc1 in ~BindState ./out/gn/../../base/bind_internal.h:438:0
STDERR: #11 0x7fd6100d4fc1 in Destroy ./out/gn/../../base/bind_internal.h:441:0
STDERR: #12 0x7fd5f8be45dd in ProcessTaskFromWorkQueue ./out/gn/../../components/scheduler/base/task_queue_manager.cc:304:3
STDERR: #13 0x7fd5f8be05f8 in DoWork ./out/gn/../../components/scheduler/base/task_queue_manager.cc:201:13
STDERR: #14 0x7fd5f8be7674 in Run<const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:181:12
STDERR: #15 0x7fd5f8be7674 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:324:0
STDERR: #16 0x7fd5f8be7674 in Run ./out/gn/../../base/bind_internal.h:362:0
STDERR: #17 0x7fd60c7a8cb1 in Run ./out/gn/../../base/callback.h:397:12
STDERR: #18 0x7fd60c7a8cb1 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR: #19 0x7fd60c82efd3 in RunTask ./out/gn/../../base/message_loop/message_loop.cc:479:3
STDERR: #20 0x7fd60c82fc15 in DeferOrRunPendingTask ./out/gn/../../base/message_loop/message_loop.cc:488:5
STDERR: #21 0x7fd60c83056c in DoWork ./out/gn/../../base/message_loop/message_loop.cc:600:13
STDERR: #22 0x7fd60c83667c in Run ./out/gn/../../base/message_loop/message_pump_default.cc:33:21
STDERR: #23 0x7fd60c82e1b6 in RunHandler ./out/gn/../../base/message_loop/message_loop.cc:443:3
STDERR: #24 0x7fd60c8b8e2a in Run ./out/gn/../../base/run_loop.cc:35:3
STDERR: #25 0x7fd60c82b838 in Run ./out/gn/../../base/message_loop/message_loop.cc:295:3
STDERR: #26 0x7fd6100e9c8d in RendererMain ./out/gn/../../content/renderer/renderer_main.cc:219:7
STDERR: #27 0x7fd61051098e in RunZygote ./out/gn/../../content/app/content_main_runner.cc:305:14
STDERR: #28 0x7fd610511b29 in RunNamedProcessTypeMain ./out/gn/../../content/app/content_main_runner.cc:388:12
STDERR: #29 0x7fd61051363b in Run ./out/gn/../../content/app/content_main_runner.cc:741:12
STDERR: #30 0x7fd61050fc6a in ContentMain ./out/gn/../../content/app/content_main.cc:19:15
STDERR: #31 0x5b5ca2 in main ./out/gn/../../content/shell/app/shell_main.cc:48:10
STDERR: #32 0x7fd5f3076ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
STDERR:
STDERR: previously allocated by thread T0 (content_shell) here:
STDERR: #0 0x5b3b4b in operator new(unsigned long) ??:?
STDERR: #1 0x1a5489c in WebTestProxyCreated ./out/gn/../../content/shell/renderer/layout_test/layout_test_content_renderer_client.cc:54:34
STDERR: #2 0x1b9c963 in Run ./out/gn/../../base/callback.h:397:12
STDERR: #3 0x1b9c963 in CreateWebTestProxy ./out/gn/../../content/test/layouttest_support.cc:77:0
STDERR: #4 0x7fd61006c9cc in Create ./out/gn/../../content/renderer/render_view_impl.cc:1122:19
STDERR: #5 0x7fd61004e01f in DispatchToMethodImpl<content::RenderThreadImpl *, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &), ViewMsg_New_Params, 0> ./out/gn/../../base/tuple.h:166:3
STDERR: #6 0x7fd61004e01f in DispatchToMethod<content::RenderThreadImpl *, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &), ViewMsg_New_Params> ./out/gn/../../base/tuple.h:173:0
STDERR: #7 0x7fd61004e01f in DispatchToMethod<content::RenderThreadImpl, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &), void, std::__1::tuple<ViewMsg_New_Params> > ./out/gn/../../ipc/ipc_message_templates.h:26:0
STDERR: #8 0x7fd61004e01f in Dispatch<content::RenderThreadImpl, content::RenderThreadImpl, void, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &)> ./out/gn/../../ipc/ipc_message_templates.h:121:0
STDERR: #9 0x7fd61004bffb in OnControlMessageReceived ./out/gn/../../content/renderer/render_thread_impl.cc:1748:5
STDERR: #10 0x7fd60df2f991 in OnMessageReceived ./out/gn/../../content/child/child_thread_impl.cc:636:10
STDERR: #11 0x7fd611e86697 in OnDispatchMessage ./out/gn/../../ipc/ipc_channel_proxy.cc:282:3
STDERR: #12 0x7fd60c7a8cb1 in Run ./out/gn/../../base/callback.h:397:12
STDERR: #13 0x7fd60c7a8cb1 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR: #14 0x7fd5f8be434a in ProcessTaskFromWorkQueue ./out/gn/../../components/scheduler/base/task_queue_manager.cc:289:3
STDERR: #15 0x7fd5f8be05f8 in DoWork ./out/gn/../../components/scheduler/base/task_queue_manager.cc:201:13
STDERR: #16 0x7fd5f8be7674 in Run<const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:181:12
STDERR: #17 0x7fd5f8be7674 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:324:0
STDERR: #18 0x7fd5f8be7674 in Run ./out/gn/../../base/bind_internal.h:362:0
STDERR: #19 0x7fd60c7a8cb1 in Run ./out/gn/../../base/callback.h:397:12
STDERR: #20 0x7fd60c7a8cb1 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR: #21 0x7fd60c82efd3 in RunTask ./out/gn/../../base/message_loop/message_loop.cc:479:3
STDERR: #22 0x7fd60c82fc15 in DeferOrRunPendingTask ./out/gn/../../base/message_loop/message_loop.cc:488:5
STDERR: #23 0x7fd60c83056c in DoWork ./out/gn/../../base/message_loop/message_loop.cc:600:13
STDERR: #24 0x7fd60c83667c in Run ./out/gn/../../base/message_loop/message_pump_default.cc:33:21
STDERR: #25 0x7fd60c82e1b6 in RunHandler ./out/gn/../../base/message_loop/message_loop.cc:443:3
STDERR: #26 0x7fd60c8b8e2a in Run ./out/gn/../../base/run_loop.cc:35:3
STDERR: #27 0x7fd60c82b838 in Run ./out/gn/../../base/message_loop/message_loop.cc:295:3
STDERR: #28 0x7fd6100e9c8d in RendererMain ./out/gn/../../content/renderer/renderer_main.cc:219:7
STDERR: #29 0x7fd61051098e in RunZygote ./out/gn/../../content/app/content_main_runner.cc:305:14
STDERR: #30 0x7fd610511b29 in RunNamedProcessTypeMain ./out/gn/../../content/app/content_main_runner.cc:388:12
STDERR: #31 0x7fd61051363b in Run ./out/gn/../../content/app/content_main_runner.cc:741:12
STDERR: #32 0x7fd61050fc6a in ContentMain ./out/gn/../../content/app/content_main.cc:19:15
STDERR: #33 0x5b5ca2 in main ./out/gn/../../content/shell/app/shell_main.cc:48:10
STDERR: #34 0x7fd5f3076ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
Apr 6 2016

Apr 7 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/647f8addf5b416dfc0b1742e22c85d02ec2b8791

commit 647f8addf5b416dfc0b1742e22c85d02ec2b8791
Author: lukasza <lukasza@chromium.org>
Date: Thu Apr 07 14:46:13 2016

Fix UaF of BlinkTestRunner caused by incorrect base::Unretained.

BUG=601089
Review URL: https://codereview.chromium.org/1864313002
Cr-Commit-Position: refs/heads/master@{#385754}

[modify] https://crrev.com/647f8addf5b416dfc0b1742e22c85d02ec2b8791/content/shell/renderer/layout_test/blink_test_runner.cc

Apr 7 2016
May 18 2016
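The fix referenced above replaces an incorrect base::Unretained; the ASAN trace shows why that matters: the posted task's receiver is a raw pointer (MakeItSo<content::BlinkTestRunner *, ...>), the RenderViewImpl that owns the WebTestProxy/BlinkTestRunner is destroyed, and the still-queued task then reads the freed object. The following is an added illustration, not Chromium code: a minimal model of a task queue with a WeakPtrFactory-style handle, where the hypothetical TestRunner stands in for BlinkTestRunner and the task becomes a no-op once its receiver is gone.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <utility>

// Minimal analogue of base::WeakPtr: a raw pointer plus a shared liveness flag
// that the factory clears when the owning object is destroyed.
template <typename T>
class WeakPtr {
 public:
  WeakPtr(T* ptr, std::shared_ptr<const bool> alive) : ptr_(ptr), alive_(std::move(alive)) {}
  T* get() const { return *alive_ ? ptr_ : nullptr; }  // nullptr after the owner died
 private:
  T* ptr_;
  std::shared_ptr<const bool> alive_;
};

template <typename T>
class WeakPtrFactory {
 public:
  explicit WeakPtrFactory(T* owner) : owner_(owner), alive_(std::make_shared<bool>(true)) {}
  ~WeakPtrFactory() { *alive_ = false; }  // invalidates every outstanding WeakPtr
  WeakPtr<T> GetWeakPtr() const { return WeakPtr<T>(owner_, alive_); }
 private:
  T* owner_;
  std::shared_ptr<bool> alive_;
};

using TaskQueue = std::deque<std::function<void()>>;

// Hypothetical stand-in for BlinkTestRunner; SendTestFinished models Send(TestFinished).
class TestRunner {
 public:
  explicit TestRunner(int* sent) : sent_(sent), weak_factory_(this) {}
  void SendTestFinished() { ++*sent_; }
  // The buggy form bound `this` directly (what base::Unretained produces) and would
  // dereference freed memory once the runner is destroyed; it is deliberately not run.
  // Binding through the weak pointer lets the task check liveness before calling.
  std::function<void()> BindTestFinishedWeak() {
    WeakPtr<TestRunner> weak = weak_factory_.GetWeakPtr();
    return [weak] { if (TestRunner* self = weak.get()) self->SendTestFinished(); };
  }
 private:
  int* sent_;
  WeakPtrFactory<TestRunner> weak_factory_;  // last member: destroyed first, like Chromium's rule
};

// Scenario from the report: the task is queued, then the runner's owner tears it
// down before the queue is drained. Returns how many TestFinished sends happened.
int FinishedMessagesSent(bool destroy_runner_before_drain) {
  int sent = 0;
  TaskQueue queue;
  auto runner = std::make_unique<TestRunner>(&sent);
  queue.push_back(runner->BindTestFinishedWeak());
  if (destroy_runner_before_drain) runner.reset();  // ~RenderViewImpl -> ~WebTestProxy analogue
  while (!queue.empty()) { queue.front()(); queue.pop_front(); }
  return sent;
}
```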
Comment 1 by lukasza@chromium.org, Apr 6 2016