Security: Heap-buffer-overflow in Blob
Reported by chromium...@gmail.com, Jun 11 2016
Issue description
53.0.2764.0 (Official Build) canary (32-bit)
Windows 7
PoC:
new Blob([new ArrayBuffer(9), new Blob(["hello"]), new Uint8Array(1e6)])
=================================================================
==2764==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0b490000 at pc 0x018db884 bp 0xdeadbeef sp 0x0a5fd4e0
#0 0x18db89c in __asan_memcpy+0x1dc (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome.exe+0x100b89c)
#1 0x1ceb7e68 in content::`anonymous namespace'::WriteMemory C:\b\build\slave\Win_ASan_Release\build\src\content\child\blob_storage\blob_consolidation.cc:23
#2 0x1ceb8832 in base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<bool (*)(void *, unsigned int *, const char *, unsigned int)>,bool (void *, unsigned int *, const char *, unsigned int),void *&,unsigned int *>,0,bool (const char *, unsigned int)>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:366
#3 0x1ceb794f in content::BlobConsolidation::VisitMemory C:\b\build\slave\Win_ASan_Release\build\src\content\child\blob_storage\blob_consolidation.cc:166
#4 0x1ceb7d15 in content::BlobConsolidation::ReadMemory C:\b\build\slave\Win_ASan_Release\build\src\content\child\blob_storage\blob_consolidation.cc:180
#5 0x1ce7ad9b in content::BlobTransportController::OnMemoryRequest C:\b\build\slave\Win_ASan_Release\build\src\content\child\blob_storage\blob_transport_controller.cc:228
#6 0x1ce14fc1 in content::BlobMessageFilter::OnRequestMemoryItem C:\b\build\slave\Win_ASan_Release\build\src\content\child\blob_storage\blob_message_filter.cc:56
#7 0x1ce16459 in base::DispatchToMethodImpl C:\b\build\slave\Win_ASan_Release\build\src\base\tuple.h:126
#8 0x1ce149ad in IPC::MessageT<BlobStorageMsg_RequestMemoryItem_Meta,std::tuple<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::vector<storage::BlobItemBytesRequest,std::allocator<storage::BlobItemBytesRequest> >,std::vector<base::SharedMemoryHandle,std::allocator<base::SharedMemoryHandle> >,std::vector<base::SharedMemoryHandle,std::allocator<base::SharedMemoryHandle> > >,void>::Dispatch C:\b\build\slave\Win_ASan_Release\build\src\ipc\ipc_message_templates.h:117
#9 0x1ce141df in content::BlobMessageFilter::OnMessageReceived C:\b\build\slave\Win_ASan_Release\build\src\content\child\blob_storage\blob_message_filter.cc:37
#10 0x10137f2a in IPC::MessageFilterRouter::TryFilters C:\b\build\slave\Win_ASan_Release\build\src\ipc\message_filter_router.cc:87
#11 0x10128d52 in IPC::ChannelProxy::Context::TryFilters C:\b\build\slave\Win_ASan_Release\build\src\ipc\ipc_channel_proxy.cc:80
#12 0x10116770 in IPC::SyncChannel::SyncContext::OnMessageReceived C:\b\build\slave\Win_ASan_Release\build\src\ipc\ipc_sync_channel.cc:342
#13 0x1a62a2c6 in IPC::ChannelMojo::OnMessageReceived C:\b\build\slave\Win_ASan_Release\build\src\ipc\mojo\ipc_channel_mojo.cc:377
#14 0x1a636643 in IPC::internal::MessagePipeReader::Receive C:\b\build\slave\Win_ASan_Release\build\src\ipc\mojo\ipc_message_pipe_reader.cc:138
#15 0x1a63a61c in IPC::mojom::ChannelStub::Accept C:\b\build\slave\Win_ASan_Release\build\src\out\Release\gen\ipc\mojo\ipc.mojom.cc:606
#16 0x1a6464f5 in mojo::internal::InterfaceEndpointClient::HandleValidatedMessage C:\b\build\slave\Win_ASan_Release\build\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:307
#17 0x1a63b392 in IPC::mojom::ChannelRequestValidator::Accept C:\b\build\slave\Win_ASan_Release\build\src\out\Release\gen\ipc\mojo\ipc.mojom.cc:635
#18 0x1a653d08 in mojo::internal::MultiplexRouter::ProcessIncomingMessage C:\b\build\slave\Win_ASan_Release\build\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:775
#19 0x1a652bd8 in mojo::internal::MultiplexRouter::Accept C:\b\build\slave\Win_ASan_Release\build\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:494
#20 0x117c5b23 in mojo::internal::MessageHeaderValidator::Accept C:\b\build\slave\Win_ASan_Release\build\src\mojo\public\cpp\bindings\lib\message_header_validator.cc:73
#21 0x117da2e3 in mojo::internal::Connector::ReadSingleMessage C:\b\build\slave\Win_ASan_Release\build\src\mojo\public\cpp\bindings\lib\connector.cc:271
#22 0x117daf62 in mojo::internal::Connector::OnWatcherHandleReady C:\b\build\slave\Win_ASan_Release\build\src\mojo\public\cpp\bindings\lib\connector.cc:208
#23 0x192820b7 in base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (net::URLRequestHttpJob::*)(int) __attribute__((thiscall))>,void (net::URLRequestHttpJob *, int),base::internal::UnretainedWrapper<net::URLRequestHttpJob> >,0,void (int)>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:365
#24 0x117e8868 in mojo::Watcher::CallOnHandleReady C:\b\build\slave\Win_ASan_Release\build\src\mojo\public\cpp\system\watcher.cc:129
#25 0x1173c43a in mojo::edk::`anonymous namespace'::CallWatchCallback+0x3a (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome_child.dll+0x11c6c43a)
#26 0x11743455 in base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(void (*)(unsigned int, unsigned int, MojoHandleSignalsState, unsigned int), unsigned int, unsigned int, const mojo::edk::HandleSignalsState &, unsigned int)>,void (void (*)(unsigned int, unsigned int, MojoHandleSignalsState, unsigned int), unsigned int, unsigned int, const mojo::edk::HandleSignalsState &, unsigned int),void (*&)(unsigned int, unsigned int, MojoHandleSignalsState, unsigned int),unsigned int &>,0,void (unsigned int, const mojo::edk::HandleSignalsState &, unsigned int)>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:366
#27 0x117a3a09 in mojo::edk::Watcher::MaybeInvokeCallback C:\b\build\slave\Win_ASan_Release\build\src\mojo\edk\system\watcher.cc:24
#28 0x1176b60b in mojo::edk::RequestContext::~RequestContext C:\b\build\slave\Win_ASan_Release\build\src\mojo\edk\system\request_context.cc:49
#29 0x1179d53f in mojo::edk::NodeChannel::OnChannelMessage+0x166f (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome_child.dll+0x11ccd53f)
#30 0x117a2392 in mojo::edk::Channel::OnReadComplete C:\b\build\slave\Win_ASan_Release\build\src\mojo\edk\system\channel.cc:553
#31 0x117a7d67 in mojo::edk::`anonymous namespace'::ChannelWin::OnIOCompleted C:\b\build\slave\Win_ASan_Release\build\src\mojo\edk\system\channel_win.cc:210
#32 0x10059edf in base::MessagePumpForIO::WaitForIOCompletion C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:692
#33 0x1005932b in base::MessagePumpForIO::DoRunLoop C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:640
#34 0x100559dd in base::MessagePumpWin::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:58
#35 0xff55f38 in base::MessageLoop::RunHandler C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:439
#36 0x1005b1c0 in base::RunLoop::Run+0x1e0 (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome_child.dll+0x1058b1c0)
#37 0xff5501f in base::MessageLoop::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:294
#38 0xff5e45a in base::Thread::Run C:\b\build\slave\Win_ASan_Release\build\src\base\threading\thread.cc:204
#39 0xff5e7cf in base::Thread::ThreadMain C:\b\build\slave\Win_ASan_Release\build\src\base\threading\thread.cc:256
#40 0xffb187d in base::`anonymous namespace'::ThreadFunc C:\b\build\slave\Win_ASan_Release\build\src\base\threading\platform_thread_win.cc:84
#41 0x18f141d in __asan::AsanThread::ThreadStart+0x8d (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome.exe+0x102141d)
#42 0x18ed25d in __asan::PlatformTSDDtor+0x8d (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome.exe+0x101d25d)
#43 0x778d3c44 in BaseThreadInitThunk+0x11 (C:\Windows\system32\kernel32.dll+0x77e33c44)
#44 0x77c037f4 in RtlInitializeExceptionChain+0xee (C:\Windows\SYSTEM32\ntdll.dll+0x77f237f4)
#45 0x77c037c7 in RtlInitializeExceptionChain+0xc1 (C:\Windows\SYSTEM32\ntdll.dll+0x77f237c7)
0x0b490000 is located 6144 bytes to the left of 151207-byte region [0x0b491800,0x0b4b66a7)
allocated by thread T0 here:
#0 0x18e0728 in malloc+0xb8 (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome.exe+0x1010728)
#1 0x1a7536e8 in WTF::StringImpl::createUninitialized C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\wtf\text\StringImpl.cpp:289
#2 0x1a78c141 in WTF::StringBuilder::allocateBuffer C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\wtf\text\StringBuilder.cpp:116
#3 0x1a78fbd5 in WTF::StringBuilder::shrinkToFit C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\wtf\text\StringBuilder.cpp:386
#4 0x1471b9b5 in blink::TextResource::decodedText C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\core\fetch\TextResource.cpp:44
#5 0x143efc7a in blink::ScriptResource::script C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\core\fetch\ScriptResource.cpp:89
#6 0x1544ad42 in blink::ScriptSourceCode::ScriptSourceCode C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\bindings\core\v8\ScriptSourceCode.cpp:30
#7 0x136038a4 in blink::PendingScript::getSource C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\core\dom\PendingScript.cpp:199
#8 0x1c6be887 in blink::ScriptLoader::execute C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\core\dom\ScriptLoader.cpp:450
#9 0x13473749 in blink::ScriptRunner::executeTask C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\core\dom\ScriptRunner.cpp:227
#10 0x13479fc7 in WTF::PartBoundFunctionImpl<WTF::FunctionThreadAffinity::SameThreadAffinity,std::tuple<blink::WeakPersistentThisPointer<blink::ScriptRunner> &&>,WTF::FunctionWrapper<void (blink::ScriptRunner::*)() __attribute__((thiscall))>>::operator() C:\b\build\slave\Win_ASan_Release\build\src\third_party\WebKit\Source\wtf\Functional.h:338
#11 0x1ceea07e in scheduler::WebTaskRunnerImpl::runTask C:\b\build\slave\Win_ASan_Release\build\src\components\scheduler\child\web_task_runner_impl.cc:70
#12 0x10027271 in base::internal::RunnableAdapter<void (*)(std::unique_ptr<base::trace_event::MemoryDumpManager::ProcessMemoryDumpAsyncState,std::default_delete<base::trace_event::MemoryDumpManager::ProcessMemoryDumpAsyncState> >)>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:160
#13 0x1ceeae3d in base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,void (std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,0,void ()>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:365
#14 0x10053bf1 in base::debug::TaskAnnotator::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\debug\task_annotator.cc:49
#15 0x1cf14312 in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\build\slave\Win_ASan_Release\build\src\components\scheduler\base\task_queue_manager.cc:289
#16 0x1cf0eaab in scheduler::TaskQueueManager::DoWork C:\b\build\slave\Win_ASan_Release\build\src\components\scheduler\base\task_queue_manager.cc:201
#17 0x1cf18c7f in base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall))>,void (scheduler::TaskQueueManager *, base::TimeTicks, bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks,bool>,1,void ()>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:359
#18 0x10053bf1 in base::debug::TaskAnnotator::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\debug\task_annotator.cc:49
#19 0xff56bc2 in base::MessageLoop::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:475
#20 0xff586ea in base::MessageLoop::DoWork C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:599
#21 0x1005ac04 in base::MessagePumpDefault::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_default.cc:33
#22 0xff55f38 in base::MessageLoop::RunHandler C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:439
#23 0x1005b1c0 in base::RunLoop::Run+0x1e0 (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome_child.dll+0x1058b1c0)
#24 0xff5501f in base::MessageLoop::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:294
#25 0x1664b357 in content::RendererMain C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\renderer_main.cc:199
#26 0xfe4a270 in content::RunNamedProcessTypeMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:420
#27 0xfe4c289 in content::ContentMainRunnerImpl::Run C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:787
#28 0xfe49ab4 in content::ContentMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main.cc:20
#29 0xfad1122 in ChromeMain C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_main.cc:84
Thread T2 created by T0 here:
#0 0x18ed2f0 in __asan_wrap_CreateThread+0x60 (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome.exe+0x101d2f0)
#1 0xffb1397 in base::`anonymous namespace'::CreateThreadInternal C:\b\build\slave\Win_ASan_Release\build\src\base\threading\platform_thread_win.cc:120
#2 0xffb12f3 in base::PlatformThread::CreateWithPriority C:\b\build\slave\Win_ASan_Release\build\src\base\threading\platform_thread_win.cc:197
#3 0xff5dd1f in base::Thread::StartWithOptions C:\b\build\slave\Win_ASan_Release\build\src\base\threading\thread.cc:118
#4 0x1632bb2a in content::ChildProcess::ChildProcess C:\b\build\slave\Win_ASan_Release\build\src\content\child\child_process.cc:57
#5 0x1632b8dc in content::ChildProcess::ChildProcess C:\b\build\slave\Win_ASan_Release\build\src\content\child\child_process.cc:37
#6 0x169460dc in content::RenderProcessImpl::RenderProcessImpl C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\render_process_impl.cc:57
#7 0x1664b20a in content::RendererMain C:\b\build\slave\Win_ASan_Release\build\src\content\renderer\renderer_main.cc:178
#8 0xfe4a270 in content::RunNamedProcessTypeMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:420
#9 0xfe4c289 in content::ContentMainRunnerImpl::Run C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:787
#10 0xfe49ab4 in content::ContentMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main.cc:20
#11 0xfad1122 in ChromeMain C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_main.cc:84
#12 0xcda7e6 in MainDllLoader::Launch C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\main_dll_loader_win.cc:185
#13 0xcd25a6 in main C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_exe_main_win.cc:263
#14 0x18f7117 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
#15 0x778d3c44 in BaseThreadInitThunk+0x11 (C:\Windows\system32\kernel32.dll+0x77e33c44)
#16 0x77c037f4 in RtlInitializeExceptionChain+0xee (C:\Windows\SYSTEM32\ntdll.dll+0x77f237f4)
#17 0x77c037c7 in RtlInitializeExceptionChain+0xc1 (C:\Windows\SYSTEM32\ntdll.dll+0x77f237c7)
SUMMARY: AddressSanitizer: heap-buffer-overflow (C:\Users\admin\Desktop\win32-release_asan-win32-release-398017\asan-win32-release-398017\chrome.exe+0x100b89c) in __asan_memcpy+0x1dc
Shadow bytes around the buggy address:
0x31691fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x31691fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x31691fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x31691fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x31691ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x31692000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31692010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31692020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31692030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31692040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31692050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2764==ABORTING
Jun 13 2016
Thanks for the report. This was already reported.

Oct 2 2016

Dec 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by ClusterFuzz, Jun 13 2016