Heap-use-after-free in cc::SurfaceManager::Destroy
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5285147369013248
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200001d198
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  content::OffscreenCanvasSurfaceImpl::~OffscreenCanvasSurfaceImpl
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=400830:400850
Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95m1l5ao9Ka3onSo7RZPiXu653_a2vMlx7KzsNWSR0GAtdPAOQAVckgrKAKo4Lpq0WgwCllhrxsPobLmbdqQnmZz8y8vqgab1fRlC9ryPTEzsaV2zK248oEsU16mugPma5RYKhFKS3kRCXpRgXlv1X_8ATKtA?testcase_id=5285147369013248
<script>
var canvas = document.createElement("canvas");
var offscreenCanvas = canvas.transferControlToOffscreen();
</script>
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 21 2016
Jun 21 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 21 2016
Jun 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/cfe3e0ebde0e9448cb5964373a6938afe229f397

commit cfe3e0ebde0e9448cb5964373a6938afe229f397
Author: xlai <xlai@chromium.org>
Date: Tue Jun 21 15:05:37 2016

Fix heap-use-after-free in cc::SurfaceManager::Destroy

There is no need to call DestroyAll() on surface_factory_ inside OffscreenCanvasSurfaceImpl's destructor, because surface_factory_ is its unique pointer and SurfaceFactory's own destructor already contains DestroyAll().

TBR=piman@chromium.org
BUG= 621849
Review-Url: https://codereview.chromium.org/2088793003
Cr-Commit-Position: refs/heads/master@{#400994}

[modify] https://crrev.com/cfe3e0ebde0e9448cb5964373a6938afe229f397/content/browser/renderer_host/offscreen_canvas_surface_impl.cc
Jun 21 2016
Issue 621967 has been merged into this issue.
Jun 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5623793863360512
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x01307cef
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  content::OffscreenCanvasSurfaceImpl::~OffscreenCanvasSurfaceImpl
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96no_BkI0ulPmIlPEuYC6TbEQrfohdF9N3ha1h_SIXanVaxGDJhGo7T3spXuDhVitqhtzZt5BN2cs2oLEaPdqvwLU8K-q-lIYFrBTV9fFCPsUMPmfF4ta0XsZQVEeGQAj9C6L0gxntIj7aQRm0jlvbgDD8ylw?testcase_id=5623793863360512
Additional requirements: Requires Gestures
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6672334899642368
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200001d318
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  cc::SurfaceFactory::~SurfaceFactory
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=400830:400850
Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97fud3dtFqbWUgDFf7PFDWSqxQBQlbcOLIsEDIygXKxzNUGAfxZEZYKM2w85Jg57P5IbkvmWizveQA4iz7U5CivAQjgyilWg2z3GVJ03iYnZyR04u_VnCMfQ2Pg2gLvT77Cz_xorWkgMdAY8DkKmo0ToAKYeg?testcase_id=6672334899642368
<script>
var canvas = document.createElement("canvas");
offscreenCanvas = canvas.transferControlToOffscreen();
</script>
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6392163713941504
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  content::OffscreenCanvasSurfaceImpl::~OffscreenCanvasSurfaceImpl
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=400830:400850
Minimized Testcase (7.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956nJ2ie5-TdejNapDIYqjn-uPX4PT1IKkm1QDt4qmLbR77bKvDaAJTWl5raddRTT7KHFR4hXnG-PW1TXGCDugoyR4rmhAwuk_mIw0cTX1YqCEBYHPPbeFvY9NjIftCrsqZC0kDGzt_UOrwAmCVOOtf9Spauw?testcase_id=6392163713941504
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5782782009933824
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  cc::SurfaceFactory::~SurfaceFactory
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=400830:400850
Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv957RaFZ3kEiU57xmLd-YmNTU2Zy_24mFVUGuAUwVHGnINiNkTHRPwZSI7dhHb79XJeTlRTAL9njuYXDqW1qwo8cXrf3en4Ko4BbpoZCUmkDnd_fM9CY62qD4Z5iLjFdj2iJ9MYVaaM1oS0S_eNsmF8wfGVUDw?testcase_id=5782782009933824
<script id="dom-fuzz-51000001">
var canvas = document.createElement("canvas");
var offscreenCanvas = canvas.transferControlToOffscreen();
</script>
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 23 2016
Jun 23 2016
The problem lies in the destruction order between SurfaceFactory and SurfaceManager. I have some quick solutions to handle the situation and will try to land them tomorrow. If they don't work, I'll disable some browser-side actions first.
Jun 23 2016
M53 is branching soon and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Jun 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9eb60ebf171a8fc0ba919d65c72661a13960f5b6

commit 9eb60ebf171a8fc0ba919d65c72661a13960f5b6
Author: xlai <xlai@chromium.org>
Date: Thu Jun 23 19:37:17 2016

Fix destruction order between SurfaceManager and OffscreenCanvasSurfaceImpl

In the whole chain of objects being torn down during a page closure, SurfaceManager is unexpectedly marked to be deleted before OffscreenCanvasSurfaceImpl is torn down. But OffscreenCanvasSurfaceImpl's two members still rely on manager_ in their destructors. This CL makes sure that before OffscreenCanvasSurfaceImpl is torn down, it checks whether SurfaceManager is alive and informs its two members (SurfaceIdAllocator and SurfaceFactory) about this.

TBR=jbauman@chromium.org
BUG= 621849
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
Review-Url: https://codereview.chromium.org/2087383002
Cr-Commit-Position: refs/heads/master@{#401685}

[modify] https://crrev.com/9eb60ebf171a8fc0ba919d65c72661a13960f5b6/cc/surfaces/surface_factory.cc
[modify] https://crrev.com/9eb60ebf171a8fc0ba919d65c72661a13960f5b6/cc/surfaces/surface_factory.h
[modify] https://crrev.com/9eb60ebf171a8fc0ba919d65c72661a13960f5b6/cc/surfaces/surface_id_allocator.h
[modify] https://crrev.com/9eb60ebf171a8fc0ba919d65c72661a13960f5b6/content/browser/compositor/surface_utils.cc
[modify] https://crrev.com/9eb60ebf171a8fc0ba919d65c72661a13960f5b6/content/browser/renderer_host/offscreen_canvas_surface_impl.cc
[modify] https://crrev.com/9eb60ebf171a8fc0ba919d65c72661a13960f5b6/content/browser/renderer_host/offscreen_canvas_surface_impl.h
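The two commits in this thread describe one defect from two angles: r400994 removed the redundant DestroyAll() call, and r401685 addressed the real cause, SurfaceManager being deleted before OffscreenCanvasSurfaceImpl. The C++ model below is an added example, not Chromium code: the class names follow the thread, while the method names (Create, Reset), the liveness registry and the counter are assumptions. It replays all three states of the code and, instead of reading freed memory, counts the dereferences that would have done so.

```cpp
// Added model of the teardown-order bug in this thread, not Chromium code. Class names
// mirror the thread; the methods, the liveness registry and the counter are assumed.
#include <memory>
#include <set>
#include <vector>
static std::set<const void*> g_live_managers;  // models "is the SurfaceManager alive?"
static int g_dangling_uses = 0;                // would-be reads through a freed manager
struct Manager {                               // stands in for cc::SurfaceManager
  std::vector<int> destroyed;
  Manager() { g_live_managers.insert(this); }
  ~Manager() { g_live_managers.erase(this); }
  void Destroy(int id) { destroyed.push_back(id); }
};
struct Factory {                               // stands in for cc::SurfaceFactory
  explicit Factory(Manager* m) : manager_(m) {}
  ~Factory() { DestroyAll(); }                 // the destructor already destroys all
  void Create(int id) { surfaces_.push_back(id); }
  void DestroyAll() {
    if (manager_) for (int id : surfaces_) {   // a detached factory has nothing to tell
      if (g_live_managers.count(manager_)) manager_->Destroy(id);
      else ++g_dangling_uses;                  // real code would read freed memory here
    }
    surfaces_.clear();
  }
  void Reset() { manager_ = nullptr; }         // assumed name: forget the manager
  Manager* manager_; std::vector<int> surfaces_;  // raw pointer, never owned
};
enum Stage { kOriginal, kAfterR400994, kAfterR401685 };  // the three states in the thread
struct Owner {                                 // stands in for OffscreenCanvasSurfaceImpl
  Owner(Manager* m, Stage s) : manager_(m), stage_(s), factory_(new Factory(m)) {}
  ~Owner() {
    if (stage_ == kOriginal) factory_->DestroyAll();   // redundant: ~Factory repeats it
    if (stage_ == kAfterR401685 && !g_live_managers.count(manager_))
      factory_->Reset();                       // manager already gone: detach first
  }                                            // then the unique_ptr runs ~Factory()
  Manager* manager_; Stage stage_;
  std::unique_ptr<Factory> factory_;
};
struct Result { int dangling_uses; int destroyed; };
// Creates two surfaces, then tears down in the given order and reports what happened.
Result RunTeardown(Stage stage, bool manager_first) {
  g_dangling_uses = 0;
  auto manager = std::make_unique<Manager>();
  auto owner = std::make_unique<Owner>(manager.get(), stage);
  owner->factory_->Create(1); owner->factory_->Create(2);
  int destroyed = 0;
  if (manager_first) { manager.reset(); owner.reset(); }   // page-closure order
  else { owner.reset(); destroyed = (int)manager->destroyed.size(); manager.reset(); }
  return {g_dangling_uses, destroyed};
}
```

With the manager destroyed first, kOriginal reports two dangling uses from the explicit call and kAfterR400994 still reports two, now from ~Factory(), which matches the ~SurfaceFactory crash state ClusterFuzz filed after the first fix; only kAfterR401685 reports none while still destroying both surfaces in the normal order.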
Jun 24 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5623793863360512
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x01307cef
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  content::OffscreenCanvasSurfaceImpl::~OffscreenCanvasSurfaceImpl
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96no_BkI0ulPmIlPEuYC6TbEQrfohdF9N3ha1h_SIXanVaxGDJhGo7T3spXuDhVitqhtzZt5BN2cs2oLEaPdqvwLU8K-q-lIYFrBTV9fFCPsUMPmfF4ta0XsZQVEeGQAj9C6L0gxntIj7aQRm0jlvbgDD8ylw?testcase_id=5623793863360512
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz has detected this issue as fixed in range 401651:401798.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5285147369013248
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200001d198
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  content::OffscreenCanvasSurfaceImpl::~OffscreenCanvasSurfaceImpl
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=400830:400850
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=401651:401798
Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95m1l5ao9Ka3onSo7RZPiXu653_a2vMlx7KzsNWSR0GAtdPAOQAVckgrKAKo4Lpq0WgwCllhrxsPobLmbdqQnmZz8y8vqgab1fRlC9ryPTEzsaV2zK248oEsU16mugPma5RYKhFKS3kRCXpRgXlv1X_8ATKtA?testcase_id=5285147369013248
<script>
var canvas = document.createElement("canvas");
var offscreenCanvas = canvas.transferControlToOffscreen();
</script>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz has detected this issue as fixed in range 401651:401798.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6392163713941504
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  content::OffscreenCanvasSurfaceImpl::~OffscreenCanvasSurfaceImpl
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=400830:400850
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=401651:401798
Minimized Testcase (7.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956nJ2ie5-TdejNapDIYqjn-uPX4PT1IKkm1QDt4qmLbR77bKvDaAJTWl5raddRTT7KHFR4hXnG-PW1TXGCDugoyR4rmhAwuk_mIw0cTX1YqCEBYHPPbeFvY9NjIftCrsqZC0kDGzt_UOrwAmCVOOtf9Spauw?testcase_id=6392163713941504
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz has detected this issue as fixed in range 401651:401798.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6672334899642368
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200001d318
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  cc::SurfaceFactory::~SurfaceFactory
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=400830:400850
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=401651:401798
Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97fud3dtFqbWUgDFf7PFDWSqxQBQlbcOLIsEDIygXKxzNUGAfxZEZYKM2w85Jg57P5IbkvmWizveQA4iz7U5CivAQjgyilWg2z3GVJ03iYnZyR04u_VnCMfQ2Pg2gLvT77Cz_xorWkgMdAY8DkKmo0ToAKYeg?testcase_id=6672334899642368
<script>
var canvas = document.createElement("canvas");
offscreenCanvas = canvas.transferControlToOffscreen();
</script>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz has detected this issue as fixed in range 401651:401798.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5782782009933824
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  cc::SurfaceManager::Destroy
  cc::SurfaceFactory::DestroyAll
  cc::SurfaceFactory::~SurfaceFactory
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=400830:400850
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=401651:401798
Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv957RaFZ3kEiU57xmLd-YmNTU2Zy_24mFVUGuAUwVHGnINiNkTHRPwZSI7dhHb79XJeTlRTAL9njuYXDqW1qwo8cXrf3en4Ko4BbpoZCUmkDnd_fM9CY62qD4Z5iLjFdj2iJ9MYVaaM1oS0S_eNsmF8wfGVUDw?testcase_id=5782782009933824
<script id="dom-fuzz-51000001">
var canvas = document.createElement("canvas");
var offscreenCanvas = canvas.transferControlToOffscreen();
</script>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz has detected that in the revision range including my fix patch r401685, the heap-use-after-free error on Mac and the use-of-uninitialized-value error on Linux are fixed. Also, it can no longer produce the heap-use-after-free error on Windows because the test is flaky. I will mark this issue as fixed then.
Jun 24 2016
Jun 25 2016
Jul 26 2016
Fix already in M53, removing ReleaseBlock-Beta.
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by mmoroz@chromium.org, Jun 21 2016: Owner: xlai@chromium.org