New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 619217 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 0
Type: Bug



Sign in to add a comment

Blob ctor with large / diverse parts array kills the tab

Project Member Reported by rsturgell@google.com, Jun 10 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36

Steps to reproduce the problem:
1. type this in the console (or stick in a web page):

new Blob([new ArrayBuffer(9), new Blob(["hi"]), new Uint8Array(1e6)])

What is the expected behavior?
create a Blob with the specified contents

What went wrong?
sad tab

Crashed report ID: cd9005ba00000000

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 51.0.2704.84  Channel: stable
OS Version: 
Flash Version: Shockwave Flash 21.0 r0

Discovered this because Web Tracing Framework (http://google.github.io/tracing-framework/) is crashing when trying to save / view traces.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Jun 11 2016

Labels: Hotlist-Google

Comment 2 by dmu...@chromium.org, Jun 16 2016

Components: Blink>Storage
Owner: dmu...@chromium.org
Status: Assigned (was: Unconfirmed)
It looks like you're trying to allocated a million by
Looks like your message was cut off, not sure if there was a question there. Yes,the scenario includes a 1MB-ish buffer as one of the inputs.
Only the first 9 bytes of the shared memory buffer are mapped into view. The same buffer is used for two BlobItemBytesRequests. The first request is for 9 bytes so only the first 9 bytes are mapped. The second request tries to write 1Mbytes to the unmapped area beyond the first 9 bytes and crashes.


      case IPCBlobItemRequestStrategy::SHARED_MEMORY: {
        responses.push_back(BlobItemBytesResponse(request.request_number));
        DCHECK_LT(request.handle_index, memory_handles->size())
            << "Invalid handle index.";
        SharedMemory* memory = opened_memory[request.handle_index];
        if (!memory) {
          SharedMemoryHandle& handle = (*memory_handles)[request.handle_index];
          DCHECK(SharedMemory::IsHandleValid(handle));
          std::unique_ptr<SharedMemory> shared_memory(
              new SharedMemory(handle, false));

          if (!shared_memory->Map(request.size)) {
            // This would happen if the renderer process doesn't have enough
            // memory to map the shared memory, which is possible if we don't
            // have much memory. If this scenario happens often, we could delay
            // the response until we have enough memory.  For now we just fail.
            CHECK(false) << "Unable to map shared memory to send blob " << uuid
                         << ".";
            return;
          }
          memory = shared_memory.get();
          opened_memory[request.handle_index] = shared_memory.release();
        }
        CHECK(memory->memory()) << "Couldn't map memory for blob transfer.";
        ReadStatus status = consolidation->ReadMemory(
            request.renderer_item_index, request.renderer_item_offset,
            request.size,
            static_cast<char*>(memory->memory()) + request.handle_offset);
        DCHECK(status == ReadStatus::OK)
            << "Error reading from consolidated blob: "
            << static_cast<int>(status);
        break;
      }

We may want to merge the fix for this to stable?

Comment 5 by dmu...@chromium.org, Jun 21 2016

The reason the test didn't catch this is because we previously mapped the memory in the test so we could read from it later. Patch incoming.

Comment 6 by dmu...@chromium.org, Jun 21 2016

Labels: -Pri-2 Pri-0
Project Member

Comment 7 by bugdroid1@chromium.org, Jun 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8731540b822e48124e782a976ef5d44632757a29

commit 8731540b822e48124e782a976ef5d44632757a29
Author: dmurph <dmurph@chromium.org>
Date: Tue Jun 21 18:43:16 2016

[BlobAsync] Fixed shared memory mapping

The test was designed to catch this case, but because the memory was mapped before we sent it to the class, the incorrect call to Map was a no-op. Test has been fixed.

BUG= 619217 

Review-Url: https://codereview.chromium.org/2086033002
Cr-Commit-Position: refs/heads/master@{#401053}

[modify] https://crrev.com/8731540b822e48124e782a976ef5d44632757a29/content/child/blob_storage/blob_transport_controller.cc
[modify] https://crrev.com/8731540b822e48124e782a976ef5d44632757a29/content/child/blob_storage/blob_transport_controller_unittest.cc

Comment 8 by dmu...@chromium.org, Jun 22 2016

 Issue 619368  has been merged into this issue.

Comment 9 by dmu...@chromium.org, Jun 22 2016

Labels: Security_Severity-High Merge-Request-51 Merge-Request-52 Security_Impact-Stable Stability-Memory-AddressSanitizer Restrict-View-SecurityNotify

Comment 10 by tin...@google.com, Jun 22 2016

Labels: -Merge-Request-51 Merge-Review-51 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M51), manual review required.

Comment 11 by tin...@google.com, Jun 22 2016

Labels: -Merge-Request-52 Merge-Approved-52 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M52 (branch: 2743)

Comment 12 by tin...@google.com, Jun 22 2016

Labels: -Merge-Request-51 Merge-Review-51 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M51), manual review required.
Project Member

Comment 13 by bugdroid1@chromium.org, Jun 22 2016

Labels: -merge-approved-52 merge-merged-2743
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1763362b4662d9c8499b5725461da783659cacac

commit 1763362b4662d9c8499b5725461da783659cacac
Author: Daniel Murphy <dmurph@chromium.org>
Date: Wed Jun 22 20:30:21 2016

[BlobAsync] Fixed shared memory mapping

The test was designed to catch this case, but because the memory was mapped before we sent it to the class, the incorrect call to Map was a no-op. Test has been fixed.

BUG= 619217 

Review-Url: https://codereview.chromium.org/2086033002
Cr-Commit-Position: refs/heads/master@{#401053}
(cherry picked from commit 8731540b822e48124e782a976ef5d44632757a29)

Review URL: https://codereview.chromium.org/2094493002 .

Cr-Commit-Position: refs/branch-heads/2743@{#448}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/1763362b4662d9c8499b5725461da783659cacac/content/child/blob_storage/blob_transport_controller.cc
[modify] https://crrev.com/1763362b4662d9c8499b5725461da783659cacac/content/child/blob_storage/blob_transport_controller_unittest.cc

Project Member

Comment 14 by ClusterFuzz, Jun 22 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Status: Assigned (was: Verified)
re-openning, as we need stable merge still
Project Member

Comment 16 by sheriffbot@chromium.org, Jun 26 2016

Pri-0 bugs are critical regressions or serious emergencies, and this bug has not been updated in three days. Could you please provide an update, or adjust the priority to a more appropriate level if applicable?

If a fix is in active development, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Approved
 Issue 623993  has been merged into this issue.
Cc: awhalley@chromium.org sshruthi@chromium.org
Labels: -Merge-Review-51 Merge-Approved-51
Approving merge to M51 branch 2704 based on comment #13 and #14. Please merge ASAP.

Project Member

Comment 20 by sheriffbot@chromium.org, Jul 4 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 21 by bugdroid1@chromium.org, Jul 6 2016

Labels: -merge-approved-51 merge-merged-2704
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3ad99e08f3122f5a5b2512b9acec4e981b3072d6

commit 3ad99e08f3122f5a5b2512b9acec4e981b3072d6
Author: Daniel Murphy <dmurph@chromium.org>
Date: Wed Jul 06 18:39:20 2016

[BlobAsync] Fixed shared memory mapping

The test was designed to catch this case, but because the memory was mapped before we sent it to the class, the incorrect call to Map was a no-op. Test has been fixed.

BUG= 619217 

Review-Url: https://codereview.chromium.org/2086033002
Cr-Commit-Position: refs/heads/master@{#401053}
(cherry picked from commit 8731540b822e48124e782a976ef5d44632757a29)

Review URL: https://codereview.chromium.org/2094493002 .

Cr-Commit-Position: refs/branch-heads/2743@{#448}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}
(cherry picked from commit 1763362b4662d9c8499b5725461da783659cacac)

Review URL: https://codereview.chromium.org/2125913003 .

Cr-Commit-Position: refs/branch-heads/2704@{#730}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/3ad99e08f3122f5a5b2512b9acec4e981b3072d6/content/child/blob_storage/blob_transport_controller.cc
[modify] https://crrev.com/3ad99e08f3122f5a5b2512b9acec4e981b3072d6/content/child/blob_storage/blob_transport_controller_unittest.cc

Status: Fixed (was: Assigned)
Labels: M-53 Release-0-M53
Project Member

Comment 24 by sheriffbot@chromium.org, Oct 13 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment