
Issue 602812 link


Issue metadata

Status: Fixed
Owner:
Last visit 16 days ago
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression




Chrome_ASAN : Crash Report - [syzyasan_rtl.dll] GlobalErrorService::RemoveGlobalError

Project Member Reported by ligim...@chromium.org, Apr 12 2016

Issue description

This crash, go/crash/d05dcb4400000000, has been found by the last SyzyASAN Canary (51.0.2704.1).

Bad access information:

Error Type: heap-buffer-overflow
Location: 0x494eb954
Access Mode: read
Access Size: 1
User Size : 12

Magic Stack
==========
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x672935e3 ] MAGIC SIGNATURE THREAD
0x672935e3	(syzyasan_rtl.dll -rtl_utils.cc:164 )	agent::asan::TestMemoryRange(agent::asan::Shadow *,unsigned char const *,unsigned int,agent::asan::AccessMode)
0x67298c97	(syzyasan_rtl.dll -crt_interceptors.cc:65 )	asan_memmove
0x0388070c	(chrome.dll -xutility:2256 )	std::_Copy_memmove<content::WebContentsImpl * *,content::WebContentsImpl * *>(content::WebContentsImpl * *,content::WebContentsImpl * *,content::WebContentsImpl * *)
0x034c72ba	(chrome.dll -vector:1489 )	std::vector<gfx::SysColorChangeListener *,std::allocator<gfx::SysColorChangeListener *> >::erase(std::_Vector_const_iterator<std::_Vector_val<std::_Simple_types<gfx::SysColorChangeListener *> > >)
0x03852c79	(chrome.dll -global_error_service.cc:32 )	GlobalErrorService::RemoveGlobalError(GlobalError *)
0x042e338b	(chrome.dll -srt_global_error_win.cc:163 )	safe_browsing::SRTGlobalError::BubbleViewAcceptButtonPressed(Browser *)
0x048d1d4a	(chrome.dll -global_error_bubble_view.cc:158 )	GlobalErrorBubbleView::Accept()
0x043ce0d3	(chrome.dll -dialog_client_view.cc:75 )	views::DialogClientView::AcceptWindow()
0x043ce17a	(chrome.dll -dialog_client_view.cc:260 )	views::DialogClientView::ButtonPressed(views::Button *,ui::Event const &)
0x03108ad7	(chrome.dll -button.cc:74 )	views::Button::NotifyClick(ui::Event const &)
0x031094f9	(chrome.dll -custom_button.cc:498 )	views::CustomButton::NotifyClick(ui::Event const &)
0x03109d57	(chrome.dll -custom_button.cc:214 )	views::CustomButton::OnMouseReleased(ui::MouseEvent const &)
0x030efc2a	(chrome.dll -view.cc:2258 )	views::View::ProcessMouseReleased(ui::MouseEvent const &)
0x030eee3b	(chrome.dll -view.cc:1030 )	views::View::OnMouseEvent(ui::MouseEvent *)
0x034b7c61	(chrome.dll -event_handler.cc:29 )	ui::EventHandler::OnEvent(ui::Event *)
0x034b85d2	(chrome.dll -event_dispatcher.cc:191 )	ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x034b8b48	(chrome.dll -event_dispatcher.cc:139 )	ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x034b8924	(chrome.dll -event_dispatcher.cc:86 )	ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x034b86bd	(chrome.dll -event_dispatcher.cc:58 )	ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x03111894	(chrome.dll -root_view.cc:446 )	views::internal::RootView::OnMouseReleased(ui::MouseEvent const &)
0x022cffff	(chrome.dll -vector:1696 )	std::vector<base::Value *,std::allocator<base::Value *> >::_Insert_n(std::_Vector_const_iterator<std::_Vector_val<std::_Simple_types<base::Value *> > >,unsigned int,base::Value * const &)
0x030fda9a	(chrome.dll -widget.cc:1189 )	views::Widget::OnMouseEvent(ui::MouseEvent *)
0x0312adf4	(chrome.dll -desktop_native_widget_aura.cc:1038 )	views::DesktopNativeWidgetAura::OnMouseEvent(ui::MouseEvent *)
0x034b7c61	(chrome.dll -event_handler.cc:29 )	ui::EventHandler::OnEvent(ui::Event *)
0x034b85d2	(chrome.dll -event_dispatcher.cc:191 )	ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x034b8b48	(chrome.dll -event_dispatcher.cc:139 )	ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x034b8924	(chrome.dll -event_dispatcher.cc:86 )	ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x034b86bd	(chrome.dll -event_dispatcher.cc:58 )	ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x034b8d51	(chrome.dll -event_processor.cc:35 )	ui::EventProcessor::OnEventFromSource(ui::Event *)
0x034b818c	(chrome.dll -event_source.cc:73 )	ui::EventSource::DeliverEventToProcessor(ui::Event *)
0x034b8270	(chrome.dll -event_source.cc:51 )	ui::EventSource::SendEventToProcessor(ui::Event *)
0x0311e217	(chrome.dll -desktop_window_tree_host_win.cc:816 )	views::DesktopWindowTreeHostWin::HandleScrollEvent(ui::ScrollEvent const &)
0x0312dc31	(chrome.dll -hwnd_message_handler.cc:2443 )	views::HWNDMessageHandler::HandleMouseEventInternal(unsigned int,unsigned int,long,bool)
0x031327e5	(chrome.dll -hwnd_message_handler.h:319 )	views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long &,unsigned long)
0x0313139c	(chrome.dll -hwnd_message_handler.cc:885 )	views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned int,long)
0x034d76ea	(chrome.dll -window_impl.cc:302 )	gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x034d6e5a	(chrome.dll -wrapped_window_proc.h:76 )	base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)>(HWND__ *,unsigned int,unsigned int,long)
0x763862f9	(user32.dll + 0x000162f9 )	InternalCallWinProc
0x76386d39	(user32.dll + 0x00016d39 )	UserCallWinProcCheckWow
0x763877c3	(user32.dll + 0x000177c3 )	DispatchMessageWorker
0x76387889	(user32.dll + 0x00017889 )	DispatchMessageW
0x0231c16b	(chrome.dll -message_pump_win.cc:367 )	base::MessagePumpForUI::ProcessMessageHelper(tagMSG const &)
0x0231bb3c	(chrome.dll -message_pump_win.cc:163 )	base::MessagePumpForUI::DoRunLoop()
0x0231b6fe	(chrome.dll -message_pump_win.cc:50 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x022ff877	(chrome.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x02f6dfd7	(chrome.dll -chrome_browser_main.cc:1851 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x03956109	(chrome.dll -browser_main_loop.cc:945 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x03952547	(chrome.dll -browser_main_runner.cc:154 )	content::BrowserMainRunnerImpl::Run()
0x038f694b	(chrome.dll -browser_main.cc:45 )	content::BrowserMain(content::MainFunctionParams const &)
0x030ea186	(chrome.dll -content_main_runner.cc:380 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x030ea0da	(chrome.dll -content_main_runner.cc:741 )	content::ContentMainRunnerImpl::Run()
0x030e72e8	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x02f16c94	(chrome.dll -chrome_main.cc:84 )	ChromeMain
0x001500b6	(chrome.exe -main_dll_loader_win.cc:183 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0014f4ac	(chrome.exe -chrome_exe_main_win.cc:268 )	wWinMain
0x0017d930	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x760b33a9	(kernel32.dll + 0x000133a9 )	BaseThreadInitThunk
0x778b9ef1	(ntdll.dll + 0x00039ef1 )	__RtlUserThreadStart
0x778b9ec4	(ntdll.dll + 0x00039ec4 )	_RtlUserThreadStart

ASAN Allocation Stack Trace (TID: 3568)
===========================
0x67299d4e	(syzyasan_rtl.dll -block_heap_manager.cc:195 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x6729d7d3	(syzyasan_rtl.dll -rtl_impl.cc:102 )	asan_HeapAlloc
0x0423a5bf	(chrome.dll -malloc_base.cpp:29 )	_malloc_base
0x0420d2b9	(chrome.dll -new_scalar.cpp:19 )	operator new(unsigned int)
0x02283ee8	(chrome.dll -xmemory0:83 )	std::_Allocate(unsigned int,unsigned int,bool)
0x03c65ff7	(chrome.dll -vector:1625 )	std::vector<battor::RawBattOrSample,std::allocator<battor::RawBattOrSample> >::_Reallocate(unsigned int)
0x03c660ea	(chrome.dll -vector:1654 )	std::vector<battor::RawBattOrSample,std::allocator<battor::RawBattOrSample> >::_Reserve(unsigned int)
0x048d0010	(chrome.dll -vector:1294 )	std::vector<LocationBarDecoration *,std::allocator<LocationBarDecoration *> >::push_back(LocationBarDecoration * const &)
0x03852937	(chrome.dll -global_error_service.cc:28 )	GlobalErrorService::AddGlobalError(GlobalError *)
0x042b36e1	(chrome.dll -srt_fetcher_win.cc:122 )	safe_browsing::`anonymous namespace'::DisplaySRTPrompt
0x042b3b8c	(chrome.dll -srt_fetcher_win.cc:297 )	safe_browsing::SRTFetcher::OnURLFetchComplete(net::URLFetcher const *)
0x033a1134	(chrome.dll -url_fetcher_core.cc:733 )	net::URLFetcherCore::InformDelegateFetchIsComplete()
0x033a13c2	(chrome.dll -url_fetcher_core.cc:727 )	net::URLFetcherCore::OnCompletedURLRequest(base::TimeDelta)
0x03a2f6fd	(chrome.dll -bind_internal.h:365 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( content::AppCacheStorageImpl::DatabaseTask::*)(base::TimeTicks)>,void ,content::AppCacheStorageImpl::DatabaseTask * const,base::TimeTicks>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( content::AppCacheStorageImpl::DatabaseTask::*)(base::TimeTicks)> >,void >::Run(base::internal::BindStateBase *)
0x0231b568	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x0229f43e	(chrome.dll -message_loop.cc:480 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x022a05a1	(chrome.dll -message_loop.cc:601 )	base::MessageLoop::DoWork()
0x0231bb87	(chrome.dll -message_pump_win.cc:168 )	base::MessagePumpForUI::DoRunLoop()
0x0231b6ff	(chrome.dll -message_pump_win.cc:52 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x022ff878	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x02f6dfd8	(chrome.dll -chrome_browser_main.cc:1853 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x0395610a	(chrome.dll -browser_main_loop.cc:947 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x038f694c	(chrome.dll -browser_main.cc:45 )	content::BrowserMain(content::MainFunctionParams const &)
0x030ea187	(chrome.dll -content_main_runner.cc:380 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x030ea0db	(chrome.dll -content_main_runner.cc:741 )	content::ContentMainRunnerImpl::Run()
0x030e72e9	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x02f16c95	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x001500b7	(chrome.exe -main_dll_loader_win.cc:184 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0014f4ad	(chrome.exe -chrome_exe_main_win.cc:269 )	wWinMain
0x0017d931	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x760b33aa	(kernel32.dll + 0x000133aa )	BaseThreadInitThunk
0x778b9ef2	(ntdll.dll + 0x00039ef2 )	__RtlUserThreadStart
0x778b9ec5	(ntdll.dll + 0x00039ec5 )	_RtlUserThreadStart

This crash is reported only in 51.0.2704.1, 1 instance so far.

Link to the builds which introduced the crash.

https://crash.corp.google.com/browse?q=special_protos.asan_report.is_actionable%3D1%20AND%20product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5Bsyzyasan_rtl.dll%5D%20GlobalErrorService%3A%3ARemoveGlobalError%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Crashing in ASAN code, hence assigning to Chris.
 
Cc: chrisha@chromium.org
Owner: mad@chromium.org
Crashes with a topmost frame in TestMemoryRange are pretty much always actually bugs in the client code. Backing up a frame this is in asan_memmove, which is our 'interceptor' of the standard memmove function. The actual offending Chrome code appears to be in GlobalErrorService::RemoveGlobalError.

Looking into this, it looks like memmove is being called with a negative value for the number of bytes (0xfffffffc), which of course is interpreted as a huge value and will cause an overflow.

Looking more closely, the vector currently contains 2 entries, but has space to store 3. The element to be removed isn't found (this find returns end), which points beyond the 3rd element (outside of the array). erase assumes a valid iterator between the first and the last element, but in this case 'find' is returning an element beyond the last element. The ensuing memmove thus calculates a negative number, and overflows.

The 3rd *already deleted* member of the array has the same value as the element we're looking for. This leads me to believe that RemoveGlobalError is being called twice with the same value.

Looks to be related to Software Removal Tool so assigning to mad@ for a further look.
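The failure mode described in the comment above (find() returning end(), then erase() called on that iterator during a second removal of the same element) next to the guard that makes a repeated removal harmless, as an added example that is not Chromium code; ErrorRegistry, Add, Remove, RemoveUnchecked and DoubleRemovalDemo are hypothetical names modelled on the pattern the comment describes.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Stand-in for a GlobalError object; only its identity (address) matters.
struct GlobalError { int id; };

// Hypothetical registry modelled on the pattern described in comment 1:
// a std::vector of raw pointers with add/remove. All names are assumptions.
class ErrorRegistry {
 public:
  void Add(GlobalError* error) { errors_.push_back(error); }

  // The shape from the report: erase(find(...)) with no end() check. If the
  // pointer is absent, find() returns end() and erase(end()) is undefined
  // behaviour (seen here as a memmove of 0xfffffffc bytes). Comparison only.
  void RemoveUnchecked(GlobalError* error) {
    errors_.erase(std::find(errors_.begin(), errors_.end(), error));
  }

  // Hardened form: look the element up first so a second removal of the
  // same pointer is a no-op that the caller can detect instead of UB.
  bool Remove(GlobalError* error) {
    auto it = std::find(errors_.begin(), errors_.end(), error);
    if (it == errors_.end())
      return false;  // already removed: the double-removal case in this bug
    errors_.erase(it);
    return true;
  }

  std::size_t size() const { return errors_.size(); }

 private:
  std::vector<GlobalError*> errors_;
};

// Replays the sequence from comment 1: three errors registered, one removed
// (two live entries remain), then the same error removed again, as when both
// the accept and cancel paths fire. Returns how many removals took effect.
int DoubleRemovalDemo() {
  GlobalError a{1}, b{2}, c{3};
  ErrorRegistry registry;
  registry.Add(&a);
  registry.Add(&b);
  registry.Add(&c);
  int removed = 0;
  removed += registry.Remove(&c) ? 1 : 0;  // first path removes c
  removed += registry.Remove(&c) ? 1 : 0;  // second path is rejected safely
  return removed;  // 1, with registry.size() == 2
}
```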

Comment 2 by mad@chromium.org, Apr 13 2016

Status: Started (was: Assigned)
Yeah, there seems to be a case where the UI doesn't go away as the user accepts the bubble, and then the user can also cancel it, which isn't an expected code path. I have a quick fix coming up soon.

Thanks!

Comment 5 by mad@chromium.org, Sep 2 2016

Status: Fixed (was: Started)
