Security: Heap-use-after-free in `anonymous namespace'::CreateSSLBlockingPage
Reported by
chromium...@gmail.com,
May 13 2016
Issue description
VERSION
Chrome Version: 52.0.2734.1 (Official Build) canary SyzyASan (32-bit)
Operating System: Windows 7
REPRODUCTION CASE
1. Open two tabs of chrome://interstitials/ssl?overridable=1&strict_enforcement=0
2. Close the second tab
3. Switch to the first tab
4. Reload the page >> Crash!
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
==2660==ERROR: AddressSanitizer: heap-use-after-free on address 0x0333a880 at pc 0x0a858618 bp 0xdeadbeef sp 0x001ad410
READ of size 4 at 0x0333a880 thread T0
==2660==WARNING: Failed to use and restart external symbolizer!
#0 0xa858617 in `anonymous namespace'::CreateSSLBlockingPage C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\webui\interstitials\interstitial_ui.cc:103
#1 0xa85610c in `anonymous namespace'::InterstitialHTMLSource::StartDataRequest C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\webui\interstitials\interstitial_ui.cc:323
#2 0xbad3fe3 in content::URLDataManagerBackend::CallStartRequest C:\b\build\slave\Win_ASan_Release\build\src\content\browser\webui\url_data_manager_backend.cc:723
#3 0xbae2367 in base::internal::RunnableAdapter<void (*)(scoped_refptr<content::URLDataSourceImpl>, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, int, int, int)>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:159
#4 0xbae2173 in base::internal::Invoker<base::IndexSequence<0,1,2,3,4>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(scoped_refptr<content::URLDataSourceImpl>, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, int, int, int)>,void (scoped_refptr<content::URLDataSourceImpl>, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, int, int, int),base::internal::RetainedRefWrapper<content::URLDataSourceImpl>,std::basic_string<char,std::char_traits<char>,std::allocator<char> > &,int &,int &,int &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (*)(scoped_refptr<content::URLDataSourceImpl>, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, int, int, int)> >,void ()>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:373
#5 0x71c0485 in base::debug::TaskAnnotator::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\debug\task_annotator.cc:49
#6 0x702b2c0 in base::MessageLoop::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:479
#7 0x702ca17 in base::MessageLoop::DoWork C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:598
#8 0x71c3823 in base::MessagePumpForUI::DoRunLoop C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:173
#9 0x71c25f6 in base::MessagePumpWin::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:54
#10 0x702a64b in base::MessageLoop::RunHandler C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:443
#11 0x711b4b5 in base::RunLoop::Run+0x1c5 (C:\Users\admin\Desktop\asan-win32-release-389383\chrome.dll+0x334b4b5)
#12 0x5c64ef8 in ChromeBrowserMainParts::MainMessageLoopRun C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\chrome_browser_main.cc:1855
#13 0xb5fb37e in content::BrowserMainLoop::RunMainMessageLoopParts C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main_loop.cc:956
#14 0xb59dc1f in content::BrowserMainRunnerImpl::Run C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main_runner.cc:154
#15 0xb5681fa in content::BrowserMain C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main.cc:46
#16 0x6d3ac50 in content::RunNamedProcessTypeMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:381
#17 0x6d3cb6d in content::ContentMainRunnerImpl::Run C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:742
#18 0x6d3a804 in content::ContentMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main.cc:20
#19 0x5a0123e in ChromeMain C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_main.cc:84
#20 0xb9adf9 in MainDllLoader::Launch C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\main_dll_loader_win.cc:185
#21 0xb9276a in main C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_exe_main_win.cc:267
#22 0x174adb4 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
#23 0x75963c44 in BaseThreadInitThunk+0x11 (C:\Windows\system32\kernel32.dll+0x77e33c44)
#24 0x772b37f4 in RtlInitializeExceptionChain+0xee (C:\Windows\SYSTEM32\ntdll.dll+0x77f237f4)
#25 0x772b37c7 in RtlInitializeExceptionChain+0xc1 (C:\Windows\SYSTEM32\ntdll.dll+0x77f237c7)
0x0333a880 is located 0 bytes inside of 1272-byte region [0x0333a880,0x0333ad78)
freed by thread T0 here:
#0 0x1734584 in free+0xa4 (C:\Users\admin\Desktop\asan-win32-release-389383\chrome.exe+0xfa4584)
#1 0xb2f8936 in content::WebContentsImpl::~WebContentsImpl+0x16 (C:\Users\admin\Desktop\asan-win32-release-389383\chrome.dll+0x7528936)
#2 0xa6668ae in TabStripModel::InternalCloseTab C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\tabs\tab_strip_model.cc:1230
#3 0xa65aa23 in TabStripModel::InternalCloseTabs C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\tabs\tab_strip_model.cc:1205
#4 0xa65bcff in TabStripModel::CloseWebContentsAt C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\tabs\tab_strip_model.cc:519
#5 0xaeab25b in BrowserTabStripController::CloseTab C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\views\tabs\browser_tab_strip_controller.cc:290
#6 0xae34cee in TabStrip::CloseTab C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\views\tabs\tab_strip.cc:1201
#7 0xb001805 in Tab::ButtonPressed C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\views\tabs\tab.cc:792
#8 0x6dfc3c8 in views::Button::NotifyClick C:\b\build\slave\Win_ASan_Release\build\src\ui\views\controls\button\button.cc:74
#9 0x6df72c2 in views::CustomButton::OnMouseReleased C:\b\build\slave\Win_ASan_Release\build\src\ui\views\controls\button\custom_button.cc:231
#10 0x6d72faf in views::View::ProcessMouseReleased C:\b\build\slave\Win_ASan_Release\build\src\ui\views\view.cc:2257
#11 0x8f3c0c4 in ui::EventDispatcher::ProcessEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:137
#12 0x8f3b931 in ui::EventDispatcherDelegate::DispatchEventToTarget C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:86
#13 0x8f3b3f2 in ui::EventDispatcherDelegate::DispatchEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:58
#14 0x6dd198b in views::internal::RootView::OnMouseReleased C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\root_view.cc:447
#15 0x6d5d25a in views::Widget::OnMouseEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\widget.cc:1199
#16 0x8f3c0c4 in ui::EventDispatcher::ProcessEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:137
#17 0x8f3b931 in ui::EventDispatcherDelegate::DispatchEventToTarget C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:86
#18 0x8f3b3f2 in ui::EventDispatcherDelegate::DispatchEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:58
#19 0x8f3e12c in ui::EventProcessor::OnEventFromSource C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_processor.cc:35
#20 0x8f2a78e in ui::EventSource::SendEventToProcessor C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_source.cc:32
#21 0x6e27692 in views::DesktopWindowTreeHostWin::HandleMouseEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\desktop_aura\desktop_window_tree_host_win.cc:829
#22 0x6e5b0a9 in views::HWNDMessageHandler::HandleMouseEventInternal C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.cc:2476
#23 0x6e512e1 in views::HWNDMessageHandler::_ProcessWindowMessage C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.h:319
#24 0x6e50c20 in views::HWNDMessageHandler::OnWndProc C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.cc:884
#25 0x8d2152e in gfx::WindowImpl::WndProc C:\b\build\slave\Win_ASan_Release\build\src\ui\gfx\win\window_impl.cc:302
#26 0x8d20100 in base::win::WrappedWindowProc C:\b\build\slave\Win_ASan_Release\build\src\base\win\wrapped_window_proc.h:76
#27 0x7585c4e6 in gapfnScSendMessage+0x1ce (C:\Windows\system32\USER32.dll+0x77d2c4e6)
#28 0x7585c5e6 in gapfnScSendMessage+0x2ce (C:\Windows\system32\USER32.dll+0x77d2c5e6)
#29 0x7585cc18 in gapfnScSendMessage+0x900 (C:\Windows\system32\USER32.dll+0x77d2cc18)
previously allocated by thread T0 here:
#0 0x1734658 in malloc+0xb8 (C:\Users\admin\Desktop\asan-win32-release-389383\chrome.exe+0xfa4658)
#1 0x12ec14bd in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
#2 0xb2a119e in content::WebContentsImpl::CreateWithOpener C:\b\build\slave\Win_ASan_Release\build\src\content\browser\web_contents\web_contents_impl.cc:513
#3 0xb2c6b2d in content::WebContentsImpl::Clone+0x22d (C:\Users\admin\Desktop\asan-win32-release-389383\chrome.dll+0x74f6b2d)
#4 0xa7c2b4b in chrome::DuplicateTabAt C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\browser_commands.cc:652
#5 0xa9f6bbe in chrome::BrowserTabStripModelDelegate::DuplicateContentsAt C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\browser_tab_strip_model_delegate.cc:106
#6 0xa662f93 in TabStripModel::ExecuteContextMenuCommand C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\tabs\tab_strip_model.cc:924
#7 0xaeafa51 in BrowserTabStripController::TabContextMenuContents::ExecuteCommand C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\views\tabs\browser_tab_strip_controller.cc:154
#8 0x820bdb3 in ui::SimpleMenuModel::ActivatedAt C:\b\build\slave\Win_ASan_Release\build\src\ui\base\models\simple_menu_model.cc:380
#9 0x6f0d5a0 in views::MenuModelAdapter::ExecuteCommand C:\b\build\slave\Win_ASan_Release\build\src\ui\views\controls\menu\menu_model_adapter.cc:154
#10 0x6e45851 in views::internal::MenuRunnerImpl::MenuDone C:\b\build\slave\Win_ASan_Release\build\src\ui\views\controls\menu\menu_runner_impl.cc:209
#11 0x6e4524a in views::internal::MenuRunnerImpl::RunMenuAt C:\b\build\slave\Win_ASan_Release\build\src\ui\views\controls\menu\menu_runner_impl.cc:153
#12 0x6e12c36 in views::MenuRunner::RunMenuAt C:\b\build\slave\Win_ASan_Release\build\src\ui\views\controls\menu\menu_runner.cc:59
#13 0xaeab6f9 in BrowserTabStripController::ShowContextMenuForTab C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\views\tabs\browser_tab_strip_controller.cc:304
#14 0xb001b07 in Tab::ShowContextMenuForView C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\views\tabs\tab.cc:804
#15 0x6d759bb in views::View::ShowContextMenu C:\b\build\slave\Win_ASan_Release\build\src\ui\views\view.cc:1271
#16 0x6d72f7a in views::View::ProcessMouseReleased C:\b\build\slave\Win_ASan_Release\build\src\ui\views\view.cc:2254
#17 0x8f3c0c4 in ui::EventDispatcher::ProcessEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:137
#18 0x8f3b931 in ui::EventDispatcherDelegate::DispatchEventToTarget C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:86
#19 0x8f3b3f2 in ui::EventDispatcherDelegate::DispatchEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:58
#20 0x6dd198b in views::internal::RootView::OnMouseReleased C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\root_view.cc:447
#21 0x6d5d25a in views::Widget::OnMouseEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\widget.cc:1199
#22 0x8f3c0c4 in ui::EventDispatcher::ProcessEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:137
#23 0x8f3b931 in ui::EventDispatcherDelegate::DispatchEventToTarget C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:86
#24 0x8f3b3f2 in ui::EventDispatcherDelegate::DispatchEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_dispatcher.cc:58
#25 0x8f3e12c in ui::EventProcessor::OnEventFromSource C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_processor.cc:35
#26 0x8f2a78e in ui::EventSource::SendEventToProcessor C:\b\build\slave\Win_ASan_Release\build\src\ui\events\event_source.cc:32
#27 0x6e27692 in views::DesktopWindowTreeHostWin::HandleMouseEvent C:\b\build\slave\Win_ASan_Release\build\src\ui\views\widget\desktop_aura\desktop_window_tree_host_win.cc:829
#28 0x6e5b0a9 in views::HWNDMessageHandler::HandleMouseEventInternal C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.cc:2476
#29 0x6e512e1 in views::HWNDMessageHandler::_ProcessWindowMessage C:\b\build\slave\Win_ASan_Release\build\src\ui\views\win\hwnd_message_handler.h:319
SUMMARY: AddressSanitizer: heap-use-after-free C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\webui\interstitials\interstitial_ui.cc:103 in `anonymous namespace'::CreateSSLBlockingPage
Shadow bytes around the buggy address:
0x306674c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x306674d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x306674e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x306674f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x30667500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x30667510:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x30667520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x30667530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x30667540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x30667550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x30667560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2660==ABORTING
=================================================================
May 13 2016
felt: I think you mentioned you found this issue a couple of days ago? In any case chrome://interstitials can't be opened by drive-by web, so there are no security implications here.
May 13 2016
Actually I vote for disabling this page on release builds, as it's only useful for debugging. estark, felt: Any thoughts?
May 13 2016
I use chrome://interstitials reasonably often in release builds, but I wouldn't throw a tantrum or anything if you want to disable it.
May 13 2016
Hmm, how about disabling it on official builds then? It's not listed on chrome://about/ so it's already an unloved page.
May 13 2016
Yeah, that seems pretty reasonable, since there are probably only about 4 people in the world who use it regularly.
May 13 2016
Marty, to your question about whether this can be triggered by normal interstitials: Shouldn't be possible for SSL (because of crbug.com/6697) but I'm checking it for other interstitials (Safebrowsing etc.).
May 16 2016
FWIW I use it all the time on official builds for screenshots and I also sometimes direct people to it when they ask to see what our interstitials look like. meacer@, yes this is the same bug I noticed the other day. Thanks for investigating.
May 17 2016
Okay let's keep it then. The bug seems to be limited to chrome://interstitials code, so I'm pretty sure it can't be triggered from anywhere else.
May 31 2016
+davidben@
Jun 10 2016
Due to very unusual user interaction, this is not a security vulnerability. Removing tags.
Oct 13 2016
Issue 614681 has been merged into this issue.
Oct 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/861833fc6f49583b3fb052c6711c3733d1478a42

commit 861833fc6f49583b3fb052c6711c3733d1478a42
Author: meacer <meacer@chromium.org>
Date: Thu Oct 13 22:15:27 2016

Fix crash caused by stale WebContents in chrome://interstitials

InterstitialHTMLSource provides the data for this page using the wrong WebContents. This isn't a problem when the links are opened in the same tab. However, when a link is opened in a new tab, web_contents_ of InterstitialHTMLSource is assigned to the new tab. When the tab is destroyed, future data requests are made using the stale web_contents and cause a crash. Instead, simply use the WebContents provided in InterstitialHTMLSource::StartDataRequest.

BUG=611706
Review-Url: https://codereview.chromium.org/2417463007
Cr-Commit-Position: refs/heads/master@{#425185}

[modify] https://crrev.com/861833fc6f49583b3fb052c6711c3733d1478a42/chrome/browser/ui/webui/interstitials/interstitial_ui.cc
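The lifetime mistake the fix commit describes, replayed as an added example. This is not Chromium code and not part of the thread: WebContents, TabStrip, BuggyHTMLSource, FixedHTMLSource, OnLinkOpenedInNewTab and the liveness oracle are stand-ins chosen for illustration. The model keeps the shape of the bug (a data source caching a raw WebContents* that gets reassigned to a tab the user later closes) and of the fix (render with the WebContents passed to StartDataRequest), but reports the stale access as a string rather than reading freed memory, which is what ASan caught in the real build.

```cpp
// Added example for this thread; not Chromium code. It models the bug the fix
// commit describes with stand-in types (WebContents, TabStrip, BuggyHTMLSource,
// FixedHTMLSource) that are assumptions for illustration, not Chromium APIs.
#include <algorithm>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

namespace stale_wc_model {

// Stand-in for content::WebContents: one per tab, owned by the tab strip.
struct WebContents {
  explicit WebContents(int id) : tab_id(id) {}
  int tab_id;
};

// Stand-in for TabStripModel. Closing a tab destroys its WebContents, which
// is the "freed by" stack in the report (InternalCloseTab -> ~WebContentsImpl).
class TabStrip {
 public:
  WebContents* OpenTab() {
    tabs_.push_back(std::make_unique<WebContents>(next_id_++));
    return tabs_.back().get();
  }
  void CloseTab(WebContents* wc) {
    tabs_.erase(std::remove_if(tabs_.begin(), tabs_.end(),
                               [wc](const std::unique_ptr<WebContents>& t) {
                                 return t.get() == wc;
                               }),
                tabs_.end());
  }
  // Liveness oracle used only by this model, so a stale pointer is reported
  // as a string instead of actually being read (the read ASan caught at
  // interstitial_ui.cc:103). It compares addresses only and ignores reuse of
  // a freed address by a later allocation.
  bool IsAlive(const WebContents* wc) const {
    for (const auto& t : tabs_) {
      if (t.get() == wc) return true;
    }
    return false;
  }

 private:
  std::vector<std::unique_ptr<WebContents>> tabs_;
  int next_id_ = 1;
};

// Stand-in for CreateSSLBlockingPage: the point where the WebContents is read.
std::string RenderPage(const TabStrip& strip, const WebContents* wc) {
  if (!strip.IsAlive(wc)) return "heap-use-after-free: stale WebContents";
  return "interstitial for tab " + std::to_string(wc->tab_id);
}

// Before the fix: the source keeps a WebContents* member. Per the commit
// message, opening a link from the page in a new tab reassigns that member
// to the new tab, so it no longer tracks the tab that later makes a request.
class BuggyHTMLSource {
 public:
  explicit BuggyHTMLSource(WebContents* wc) : web_contents_(wc) {}
  void OnLinkOpenedInNewTab(WebContents* new_tab) { web_contents_ = new_tab; }
  std::string StartDataRequest(const TabStrip& strip, WebContents* /*requester*/) {
    return RenderPage(strip, web_contents_);  // ignores the requesting tab
  }

 private:
  WebContents* web_contents_;
};

// After the fix: render with the WebContents handed to StartDataRequest and
// keep no pointer that can go stale.
class FixedHTMLSource {
 public:
  explicit FixedHTMLSource(WebContents*) {}
  void OnLinkOpenedInNewTab(WebContents*) {}  // nothing to remember
  std::string StartDataRequest(const TabStrip& strip, WebContents* requester) {
    return RenderPage(strip, requester);
  }
};

// Replays the reporter's steps against either source: load the page in tab
// 1, open a link from it in a new tab 2, close tab 2, reload tab 1. Returns
// what the reload renders.
template <typename Source>
std::string ReplayReport() {
  TabStrip strip;
  WebContents* tab1 = strip.OpenTab();
  Source source(tab1);
  source.StartDataRequest(strip, tab1);         // initial load in tab 1
  WebContents* tab2 = strip.OpenTab();          // link opened in a new tab
  source.OnLinkOpenedInNewTab(tab2);
  source.StartDataRequest(strip, tab2);         // tab 2 loads the page
  strip.CloseTab(tab2);                         // ~WebContentsImpl: tab 2 freed
  return source.StartDataRequest(strip, tab1);  // reload tab 1
}

}  // namespace stale_wc_model

int main() {
  using namespace stale_wc_model;
  std::cout << "before fix: " << ReplayReport<BuggyHTMLSource>() << "\n";
  std::cout << "after fix:  " << ReplayReport<FixedHTMLSource>() << "\n";
  return 0;
}
```

The replay with BuggyHTMLSource ends with the request for tab 1 being served from tab 2's freed WebContents, matching the "freed by" and "previously allocated by" stacks in the report (the second tab's WebContents is allocated by a tab duplication and freed by closing it). FixedHTMLSource never stores a pointer, so there is nothing to go stale; this is the same shape as the one-line fix in the commit, which drops the cached web_contents_ in favour of the request's own WebContents.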
Nov 18 2016
The immediate issue was fixed, but estark@ asked me to add a test, so I'm keeping this open for now.
Jan 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7b1ab28d89a2ff18515b3c699dfc02a15aae84ee

commit 7b1ab28d89a2ff18515b3c699dfc02a15aae84ee
Author: meacer <meacer@chromium.org>
Date: Fri Jan 06 01:39:56 2017

Add test to check for crash caused by stale WebContents in chrome://interstitials

BUG=611706
Review-Url: https://codereview.chromium.org/2618573002
Cr-Commit-Position: refs/heads/master@{#441798}

[modify] https://crrev.com/7b1ab28d89a2ff18515b3c699dfc02a15aae84ee/chrome/browser/ui/webui/interstitials/interstitial_ui.cc
[modify] https://crrev.com/7b1ab28d89a2ff18515b3c699dfc02a15aae84ee/chrome/browser/ui/webui/interstitials/interstitial_ui_browsertest.cc
Comment 1 by mbarbe...@chromium.org, May 13 2016
Labels: Security_Severity-Low Security_Impact-Stable reward-topanel
Owner: mea...@chromium.org
Status: Assigned (was: Unconfirmed)